Make Travis usable for forks #1573
The CI script goes looking for the branch to which a commit was pushed, but was applying the branch name to moby/buildkit even if being built on a different fork.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
It's not OCI-specific, so it makes more sense in the file that exports it to the world.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>

FYI builds out of the repo can lead to security issues

How do you mean?

I don't have the details on hand, but both GitHub Actions and GitLab runners have clear warnings about allowing jobs to run from forks

That's a different problem from what was being fixed here. This change was just to make the non-PR builds that were already allowed to run pass, by not hard-coding a branch name in the script. The problem you're referencing is for exposing secret data to PRs, which Travis already does not do for out-of-repo PRs, as mentioned on that link.
If you're aware of another leaked env-var problem that needs fixing, it'd be better as a new issue than comments here. This is already handled with things like

GitHub Actions has a similar protection for secrets.

Thanks for the keen eye for security.

Travis will now correctly build on branches in forks that do not exist in moby/buildkit, so I don't need to actually create the PR just to see if the build will pass. Or ignore the 'build failed' emails from Travis.
There's also a couple of other fixes that came up when I was working on #1387, iterating on the integration tests.