I’ve been using Drone for a while now and I’m very satisfied with it overall. There’s an issue that’s come up recently which I can’t seem to figure out, though. I’ve had a good look through the environment reference and other parts of the docs, plus Google and this forum, but I can’t find anything relevant.
- My first question is how I can tell whether a PR that Drone processes is coming from a forked repository or not? I’ve seen that you can limit execution using something like:
when: repo: include: ["myorg/repo"]
This doesn’t seem to work with PRs raised from a fork, however, because the repo seems to always be set to
myorg/repo rather than
fork/repo - because the person raising the PR wants me to merge their forked code (from their own repo) into my repo.
There also doesn’t seem to be anything obvious in the environment variables set for the Drone pipeline. Given this, how can I tell within a Drone pipeline whether a PR’s code comes from a branch of my own repo or someone else’s fork?
- There’s also this section of the docs, which says:
“Secrets are not exposed to pull requests that originate from forks. This prevents a bad actor from sending a pull request and attempting to expose your secrets.”
Is this true only for
encrypted secrets (i.e. those which you create using the CLI and then store directly into the YAML file) or is it also true for per-repository secrets set via the web UI? That page of the docs says that you can override the default behaviour of not exposing the secrets by ticking the “allow pull requests” box when first storing the secret, but it isn’t specific about whether that secret would then be exposed to all PRs against your repo, or just those which don’t come from forks.
Thanks in advance!