How to identity a PR coming from a forked repo?

webvictim · July 27, 2020, 3:00pm

I’ve been using Drone for a while now and I’m very satisfied with it overall. There’s an issue that’s come up recently which I can’t seem to figure out, though. I’ve had a good look through the environment reference and other parts of the docs, plus Google and this forum, but I can’t find anything relevant.

My first question is how I can tell whether a PR that Drone processes is coming from a forked repository or not? I’ve seen that you can limit execution using something like:

when:
  repo:
    include: ["myorg/repo"]

This doesn’t seem to work with PRs raised from a fork, however, because the repo seems to always be set to myorg/repo rather than fork/repo - because the person raising the PR wants me to merge their forked code (from their own repo) into my repo.

There also doesn’t seem to be anything obvious in the environment variables set for the Drone pipeline. Given this, how can I tell within a Drone pipeline whether a PR’s code comes from a branch of my own repo or someone else’s fork?

There’s also this section of the docs, which says:

“Secrets are not exposed to pull requests that originate from forks. This prevents a bad actor from sending a pull request and attempting to expose your secrets.”

Is this true only for encrypted secrets (i.e. those which you create using the CLI and then store directly into the YAML file) or is it also true for per-repository secrets set via the web UI? That page of the docs says that you can override the default behaviour of not exposing the secrets by ticking the “allow pull requests” box when first storing the secret, but it isn’t specific about whether that secret would then be exposed to all PRs against your repo, or just those which don’t come from forks.

Thanks in advance!

ashwilliams1 · July 27, 2020, 5:42pm

This doesn’t seem to work with PRs raised from a fork, however, because the repo seems to always be set to myorg/repo rather than fork/repo - because the person raising the PR wants me to merge their forked code (from their own repo) into my repo.

Correct. The repository in the when clause refers to the target repository that is receiving the push or pull request, not the source repository.

Is this true only for encrypted secrets

Yes

webvictim · July 27, 2020, 6:04pm

Thanks for the answers.

Given this, does Drone provide any other way to see whether a PR is coming from a forked branch? If not, presumably I’ll have to manually implement a call to the Github API or something to get more information about the PR.

ashwilliams1 · July 27, 2020, 8:41pm

Drone stores a field in its database that indicates whether or not the pull request originated from a fork. Are you looking to access this data inside the pipeline as an environment variable? Are you trying to build a secret extension? The field may not be available everyone and therefore may require a small patch.

webvictim · July 27, 2020, 8:47pm

Yes, exactly this - or ideally as a conditional that I could use with the when: clause to control whether a step runs at all based on whether the PR is from a fork or not.

The use case is that we have two repos - a public OSS repo, and a private Enterprise repo which contains proprietary code (that we include as a submodule and check out using secrets)

My aim is to set up one pipeline that runs tests against every PR raised, but contains a conditional check that will only expose the secrets to clone the Enterprise submodule if the PR does not come from a fork - i.e. it was raised from a branch inside our repo, which has push access locked down to company staff only.