Allow Build for Pull Requests / Code Sign Artifacts using an option #1524

Closed
djalmaaraujo opened this issue May 2, 2017 · 8 comments · May be fixed by qcif/data-curator#563
@djalmaaraujo

djalmaaraujo commented May 2, 2017

  • Version: 16.8.3
  • Target: macOS and Windows

After this issue: #1354, we are not allowing code signing of artifacts during a pull-request build. While I understand the security issue, I still think it would be useful to have an option like build_for_pull_requests (boolean).

In our current workflow, we build/codesign apps to make real tests during the development of big features. We can easily perform QA tests with that option.

Right now, I have a workaround to make this work, but it's hacky:

Setting all 3 of these vars (TRAVIS_PULL_REQUEST, CI_PULL_REQUEST, CI_PULL_REQUESTS) to false on the CI would make the build run for pull requests.

@djalmaaraujo djalmaaraujo changed the title Allow Pull Requests to Code Sign Artifacts / Add an option to build_for_pull_requests Allow Build for Pull Requests / Code Sign Artifacts using an option May 2, 2017
@develar
Member

develar commented May 4, 2017

Env CSC_FOR_PULL_REQUEST added. Set CSC_FOR_PULL_REQUEST=true to force code signing for pull requests.

@develar develar added the feature label May 4, 2017
@develar
Member

develar commented May 4, 2017

Do you also want to publish?

@sindresorhus

Make sure the documentation for this option clearly states the security implications of turning it on (at least when using Travis CI).

@develar develar closed this as completed in 9dbc789 May 5, 2017
develar added a commit that referenced this issue May 5, 2017
@djalmaaraujo
Author

@develar Thanks for that.

@krystophv

@develar - If one also wants publish, is there a way to do that as well? In my org's workflow, we want to have built artifacts against a draft GitHub release based on a pull request made from a branch inside the repository (as opposed to a fork of the repository) for internal code review purposes (the master branch is protected and can't be merged to unless an approved PR is made).

Security-wise, I feel fine enabling this since we have building PRs from, or exposing protected environment variables to, forks turned off in the CI configuration. Is there a way to enable publish from a PR?

@develar
Member

develar commented May 13, 2017

@krystophv The option will be added in 2 days, thanks for the feature request.

@djalmaaraujo
Author

@krystophv I ended up using a custom script to upload the generated artifacts because the electron-builder uploader is not that flexible.

I used this package: https://github.com/remixz/publish-release

@develar
Member

develar commented May 30, 2017

PUBLISH_FOR_PULL_REQUEST is added.
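
The thread distinguishes pull requests made from a branch inside the repository from pull requests made from a fork. The shell functions below are an added example, not part of the thread or of electron-builder, showing one way a Travis CI build script could set CSC_FOR_PULL_REQUEST=true only for the first kind. Assumptions: the helper names classify_build and configure_signing are hypothetical, the TRAVIS_* variables are the ones Travis CI sets for each job, and CSC_LINK / CSC_KEY_PASSWORD are electron-builder's certificate inputs.

```shell
#!/bin/sh
# Added example (not electron-builder code): gate PR code signing on Travis CI.
# TRAVIS_PULL_REQUEST is "false" for branch builds, otherwise the PR number.
# TRAVIS_PULL_REQUEST_SLUG names the repository the PR branch lives in; it
# equals TRAVIS_REPO_SLUG only when the PR comes from inside the repository.

# Hypothetical helper: classify the build as "branch", "internal-pr" or "fork-pr".
classify_build() {
  if [ "${TRAVIS_PULL_REQUEST:-false}" = "false" ]; then
    echo "branch"
  elif [ -n "${TRAVIS_PULL_REQUEST_SLUG:-}" ] &&
       [ "${TRAVIS_PULL_REQUEST_SLUG}" = "${TRAVIS_REPO_SLUG:-}" ]; then
    echo "internal-pr"
  else
    # A missing or mismatching origin is treated as a fork (fail closed).
    echo "fork-pr"
  fi
}

# Hypothetical helper: set or clear the signing switch for this build.
configure_signing() {
  case "$(classify_build)" in
    internal-pr)
      CSC_FOR_PULL_REQUEST=true
      export CSC_FOR_PULL_REQUEST
      ;;
    fork-pr)
      # Never opt in for untrusted code, and drop any certificate material
      # that may have reached this job's environment.
      unset CSC_FOR_PULL_REQUEST CSC_LINK CSC_KEY_PASSWORD
      ;;
    branch)
      # Branch builds sign by default; make sure no stale override remains.
      unset CSC_FOR_PULL_REQUEST
      ;;
  esac
}
```

Call configure_signing in the CI script before invoking the build, so the opt-in is decided per job instead of being set globally in the repository settings.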
