Encrypted Secrets "--allow-pull-requests" CLI flag. Bug? Dead code?

Hi there,

We are experiencing difficulty making an encrypted drone secret available to our pipelines that are triggered off pull-request events. It might also be worth noting that our team is using the OSS version of Drone due to licensing, and so Drone’s “Encrypted secrets” is the only secrets management solution we are able to use.

Drone Server version (compiled with ‘oss nolimit’): 2.2.0
Drone CLI version: 1.3.0

After googling for a couple hours and reading through the relevant source code for both the runner and the cli utility, we are even more confused than when we started. The source code and the documentation seem to conflict each other in various places. Please allow me explain:

The “help” text from the “drone encrypt -h” command clearly states that we can pass a couple options to the cli, one of them allowing read access to pull requests. (e.g. –allow-pull-requests)

The source code for the CLI utility appears to parse these options and save them, being in-line with the help text. The documentation for this utility however, does not mention anything about this, but does, however, state “Secrets are not exposed to pull requests that originate from forks.”

After enabling tracing, we are getting the message “secret: encrypted: restricted from forks” when trying to execute our pipeline, however we are not using a fork, but simply another branch in the same private repository.

I was able to pinpoint where that error message was coming from in the Drone Runner source code, however there seems to be nothing done with the cli flag that was passed to the encrypted secret. Am I wrong here?

My questions

  1. Is this a bug? Due the the conflicting information it is not clear to me whether this feature is supposed to be supported, or was deprecated and meant to be removed?

  2. Does Drone actually do anything with the cli flag “–allow-pull-requests” for encrypted secrets?

  3. Does the documentation I linked above have a looser meaning of the term “fork” here? Does it actually mean any derived branch as opposed to a fork of the repository?

I hope you can see how confusing this is and would hope that some sort of resolution comes out of this, even if it is merely updating the documentation to accurately reflect the behaviour. Please let me know if I am understanding something incorrectly. And thank you for taking time out of your day to read this :slight_smile:

Does Drone actually do anything with the cli flag “–allow-pull-requests” for encrypted secrets?

no, these flags are deprecated and can be removed from the command-line tool. I think the documentation should be up-to-date since it makes no mention of these flags, however, if you find a reference please share and we can remove from the docs.

Hey thanks for the quick reply Brad!

I understand that these options are deprecated now, thank you.

I am still confused by the documentation though. At the bottom where it talks about pull requests for the utility. It makes it sound as though secrets will in fact be exposed to pull requests (as long as the source does not come from a fork). That is not the behaviour we are experiencing. Screenshot attached below.

Should that be changed to just “Secrets are not exposed to pull requests” ?