From 380e4bc14d2d37df5af3be53abf2e9b8be79efcb Mon Sep 17 00:00:00 2001
From: Aldo Cortesi <aldo@corte.si>
Date: Thu, 8 Mar 2018 07:55:52 +1300
Subject: release: don't upload assets for PRs from the main repo

---
 release/ci.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'release')

diff --git a/release/ci.py b/release/ci.py
index a7ecfae5..53a2632f 100755
--- a/release/ci.py
+++ b/release/ci.py
@@ -215,11 +215,26 @@ def build():
         print("Packed {}.".format(archive_name(bdist)))
 
 
+def is_pr():
+    if os.environ.get("TRAVIS_PULL_REQUEST") != "false":
+        return True
+    elif os.environ.get("APPVEYOR_PULL_REQUEST_NUMBER"):
+        return True
+    return False
+
+
 @cli.command("upload")
 def upload():
     """
         Upload snapshot to snapshot server
     """
+    # This requires some explanation. The AWS access keys are only exposed to
+    # privileged builds - that is, they are not available to PRs from forks.
+    # However, they ARE exposed to PRs from a branch within the main repo. This
+    # check catches that corner case, and prevents an inadvertent upload.
+    if is_pr():
+        print("Refusing to upload a pull request")
+        return
     if "AWS_ACCESS_KEY_ID" in os.environ:
         subprocess.check_call(
             [
-- 
cgit v1.2.3