Disable Travis-CI for pull requests

Question

I have a project that uses Travis-CI to build and rsync a static website. I use the following to ensure that this only occurs in master.

branches:
  only:
    - master

However, when someone makes a pull request on the repository, Travis-CI prospectively merges that branch into master and does the build and rsync, meaning that anyone could replace the contents of my website with anything by submitting a pull request.

Is there a way to prevent Travis-CI from attempting to build pull requests?

Answer 1

You can find out if Travis is checking a pull request by checking the environment variable TRAVIS_PULL_REQUEST. It contains:

The pull request number if the current job is a pull request, "false" if it's not a pull request.

See also the docs.

You can change your command to check this and only build on non-pull requests with

if [[ $TRAVIS_PULL_REQUEST == 'false' ]]; then your-command; fi

To avoid the scenario described by @ruslo, you can (and should!) use encrypted environment variables for building the rsync connection. These are not available with pull requests (at least with those that come from a fork), so that everything's safe here:

Please note that secure env variables are not available for pull requests from forks. This is done due to the security risk of exposing such information in submitted code. Everyone can submit a pull request and if an unencrypted variable is available there, it could be easily displayed.

(The reasons stated in the docs are different, but the mechanism would work here as well.)