diff options
| -rwxr-xr-x | release/ci.py | 15 | ||||
| -rw-r--r-- | tox.ini | 2 |
2 files changed, 16 insertions, 1 deletions
diff --git a/release/ci.py b/release/ci.py index a7ecfae5..53a2632f 100755 --- a/release/ci.py +++ b/release/ci.py @@ -215,11 +215,26 @@ def build(): print("Packed {}.".format(archive_name(bdist))) +def is_pr(): + if os.environ.get("TRAVIS_PULL_REQUEST") != "false": + return True + elif os.environ.get("APPVEYOR_PULL_REQUEST_NUMBER"): + return True + return False + + @cli.command("upload") def upload(): """ Upload snapshot to snapshot server """ + # This requires some explanation. The AWS access keys are only exposed to + # privileged builds - that is, they are not available to PRs from forks. + # However, they ARE exposed to PRs from a branch within the main repo. This + # check catches that corner case, and prevents an inadvertent upload. + if is_pr(): + print("Refusing to upload a pull request") + return if "AWS_ACCESS_KEY_ID" in os.environ: subprocess.check_call( [ @@ -33,7 +33,7 @@ commands = python test/individual_coverage.py [testenv:cibuild] -passenv = TRAVIS_TAG TRAVIS_BRANCH AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY APPVEYOR_REPO_TAG_NAME APPVEYOR_REPO_TAG APPVEYOR_REPO_BRANCH RTOOL_KEY WHEEL +passenv = TRAVIS_* AWS_* APPVEYOR_* RTOOL_KEY WHEEL deps = -rrequirements.txt pyinstaller==3.3.1 |