from forked repositories

[spewil]

hi there,

very simple question i think-- as our docs site grows, we'd like to welcome the community to contribute by forking and submitting pull requests.

however, our travis CI seems to be failing due to:

$ yarn && GIT_USER="${GH_NAME}" yarn deploy
yarn install v1.22.4
[1/4] Resolving packages...
success Already up-to-date.
yarn run v1.22.4
$ docusaurus deploy
Deploy command invoked ...
Error: Please set the GIT_USER environment variable!

I've followed the docusaurus documentation in adding these environment variables in the repository settings on travis, but it makes sense that these variables would be protected from the upstream fork as explained in the travis docs. travis of course works great for internal PRs, pushes, and merges following your instructions.

in general, can i set up deployment such that these external test builds have the correct environment variables? or is this simply not possibly for security reasons? it would be great to have as our project scales. either way, it might be a good addition to the docusaurus docs as i didn't expect this issue to arise (as a novice).

thanks!

[slorber]

Hi,

I don't think it's a good idea to run docusaurus publish on PRs, as this will deploy to GH pages, and you'll override your production website (you have only one github pages hosting per repository afaik, it's pretty limited).

For PR deploy previews, I would rather recommend you using Netlify. It's not very expensive, has a free plan, and very easy to set up.

About the env variable security, think that a hacker may maliciously update your CI pipeline in his PR, and this code is not safe to run because it might steal your env variable.

Each CI has its own solution to this problem (or the lack of solution).
I only know that Github CI has pull_request_target, which basically run the CI workflow from master instead of using the the CI workflow from the fork, so only a contributor of the official repo can steal the secrets.
https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks

I don't know if Travis has an equivalent solution.

[spewil]

Thanks! Learning a lot here.

So on GitHub Pages the best workflow we can have for our external contributors is:

• fork and submit your PR
• we will test the build locally and merge if all looks peachy

On Netlify:

• fork and submit your PR
• Netlify will provide a preview build
• if build breaks, we iterate

Does this sound right? (Having never heard of Netlify)

[slorber]

Netlify has a config for that.

You don't need any env variable to get a Netlify deploy preview, so any option should work fine.

If you need another extra environment variable, it will be either public, or inaccessible to your deploy preview pipeline, or manually approved through the netlify interface once you have checked the code is safe to run.