After this issue: https://github.com/electron-userland/electron-builder/issues/1354 we are not allowed to code sign artifacts during a pull-request build. While I understand the security issue, I still think it would be useful to have an option like build_for_pull_requests (boolean).
In our current workflow, we build/codesign apps to make real tests during the development of big features. We can easily perform QA tests with that option.
Right now, I have a workaround to make this work, but it's hacky:
Setting all 3 of these vars (TRAVIS_PULL_REQUEST, CI_PULL_REQUEST, CI_PULL_REQUESTS) to false on the CI would make the build run for pull requests.
Env CSC_FOR_PULL_REQUEST added. Set CSC_FOR_PULL_REQUEST=true to force code signing for pull requests.
Do you also want publish?
Make sure the documentation for this option clearly states the security implications of turning it on (at least when using Travis CI).
@develar Thanks for that.
@develar - If one also wants publish, is there a way to do that as well? In my org's workflow, we want to have built artifacts against a draft GitHub release based on a pull request made from a branch inside the repository (as opposed to a fork of the repository) for internal code review purposes (the master branch is protected and can't be merged to unless an approved PR is made).
Security-wise, I feel fine enabling this since we have building PRs from, or exposing protected environment variables to, forks turned off in the CI configuration. Is there a way to enable publish from a PR?
@krystophv The option will be added in 2 days, thanks for the feature request.
@krystophv I ended up using a custom script to upload the artifacts generated because the electron-builder uploader is not that flexible.
I used this package: https://github.com/remixz/publish-release
PUBLISH_FOR_PULL_REQUEST is added.
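The fork concern raised in this thread can also be enforced in the build script itself, so the overrides are only set for pull requests opened from a branch of the same repository. This is an added example, not part of the thread or of electron-builder; the function names are hypothetical, the TRAVIS_* names are Travis CI's built-in variables, and the value `true` for PUBLISH_FOR_PULL_REQUEST is assumed by analogy with CSC_FOR_PULL_REQUEST.

```shell
#!/bin/sh
# Added example: gate the pull-request overrides on the origin of the PR.
# pr_build_is_trusted and enable_pr_signing are hypothetical helper names.

pr_build_is_trusted() {
  # Not a pull-request build: the overrides are irrelevant.
  if [ "${TRAVIS_PULL_REQUEST:-false}" = "false" ]; then
    return 1
  fi
  # The PR head must live in the same repository as the base (not a fork).
  if [ -z "${TRAVIS_PULL_REQUEST_SLUG:-}" ] ||
     [ "${TRAVIS_PULL_REQUEST_SLUG}" != "${TRAVIS_REPO_SLUG:-}" ]; then
    return 1
  fi
  # Travis reports whether encrypted variables are available to this build;
  # without them there is no certificate or token to use anyway.
  if [ "${TRAVIS_SECURE_ENV_VARS:-false}" != "true" ]; then
    return 1
  fi
  return 0
}

enable_pr_signing() {
  if pr_build_is_trusted; then
    export CSC_FOR_PULL_REQUEST=true
    # Assumed value, mirroring CSC_FOR_PULL_REQUEST.
    export PUBLISH_FOR_PULL_REQUEST=true
    echo "enabled"
  else
    # Clear any value inherited from repository or job settings.
    unset CSC_FOR_PULL_REQUEST PUBLISH_FOR_PULL_REQUEST
    echo "skipped"
  fi
}

# Run before invoking electron-builder; outside Travis this prints "skipped".
enable_pr_signing
```
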