release: don't upload assets for PRs from the main repo

2 files changed, 16 insertions, 1 deletions

diff --git a/release/ci.py b/release/ci.py
index a7ecfae5..53a2632f 100755
--- a/release/ci.py
+++ b/release/ci.py
@@ -215,11 +215,26 @@ def build():
         print("Packed {}.".format(archive_name(bdist)))
 
 
+def is_pr():
+    if os.environ.get("TRAVIS_PULL_REQUEST") != "false":
+        return True
+    elif os.environ.get("APPVEYOR_PULL_REQUEST_NUMBER"):
+        return True
+    return False
+
+
 @cli.command("upload")
 def upload():
     """
         Upload snapshot to snapshot server
     """
+    # This requires some explanation. The AWS access keys are only exposed to
+    # privileged builds - that is, they are not available to PRs from forks.
+    # However, they ARE exposed to PRs from a branch within the main repo. This
+    # check catches that corner case, and prevents an inadvertent upload.
+    if is_pr():
+        print("Refusing to upload a pull request")
+        return
     if "AWS_ACCESS_KEY_ID" in os.environ:
         subprocess.check_call(
             [
diff --git a/tox.ini b/tox.ini
index c9a575da..2d0fd047 100644
--- a/tox.ini
+++ b/tox.ini
@@ -33,7 +33,7 @@ commands =
   python test/individual_coverage.py
 
 [testenv:cibuild]
-passenv = TRAVIS_TAG TRAVIS_BRANCH AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY APPVEYOR_REPO_TAG_NAME APPVEYOR_REPO_TAG APPVEYOR_REPO_BRANCH RTOOL_KEY WHEEL
+passenv = TRAVIS_* AWS_* APPVEYOR_* RTOOL_KEY WHEEL
 deps =
   -rrequirements.txt
   pyinstaller==3.3.1