Conditional branch and Pull Request?

I have the following build step that triggers Kontena deployment:

  deploy:
    image: kontena/cli
    commands:
      - kontena app deploy service
    when:
      branches: [master, develop]

However, this build step is executed when a Pull Request is submitted. Is that correct behaviour? If yes, then it seems that secrets are not working correctly when Drone is executing that build step (on PR). They are working correctly on the push event when the PR is merged to the target branch.

> However, this build step is executed when a Pull Request is submitted. Is that correct behaviour?

Yes, this is the expected behavior. If you do not want a step to execute for pull requests, you need to specify the event in the when clause:

    when:
      branch: [master, develop]
+     event: push

Note: in your example, make sure you use branch and not branches in your when clause.

> If yes, then it seems that secrets are not working correctly when Drone is executing that build step

Secrets are not exposed to pull requests by default. If you want a secret to be exposed to a pull request you need to add the secret with --event=pull_request. See https://docs.drone.io/secret/repository/

So what you are describing here is also the expected behavior.
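
The two points from this thread, as an added example that is not part of the original posts or of Drone itself: a small audit over parsed pipeline steps that flags a `branches` key and a branch filter with no `event`. The `PIPELINE` data, the `test` and `deploy_fixed` steps, and the function names are constructed for illustration; only string and list forms of `event` are handled.

```python
# Added example: audit parsed Drone pipeline steps for the issues in this thread.
# PIPELINE is constructed sample data, shaped like the `pipeline:` mapping of a
# .drone.yml after YAML parsing (same syntax as the step in the question).
PIPELINE = {
    "test": {"image": "golang", "commands": ["go test ./..."]},
    "deploy": {
        "image": "kontena/cli",
        "commands": ["kontena app deploy service"],
        "when": {"branches": ["master", "develop"]},  # as posted in the question
    },
    "deploy_fixed": {
        "image": "kontena/cli",
        "commands": ["kontena app deploy service"],
        "when": {"branch": ["master", "develop"], "event": "push"},
    },
}

def as_list(value):
    """A `when` value may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_step(name, step):
    """Return the findings for one step's `when` clause."""
    findings = []
    when = step.get("when") or {}
    if "branches" in when:
        findings.append(f"{name}: uses 'branches'; the key is 'branch'")
    events = as_list(when.get("event"))
    branch_filtered = "branch" in when or "branches" in when
    if branch_filtered and not events:
        findings.append(f"{name}: branch filter without 'event'; also runs for pull requests")
    if "pull_request" in events:
        findings.append(f"{name}: runs for pull requests; secrets need --event=pull_request")
    return findings

def audit_pipeline(pipeline):
    """Audit every step, in file order."""
    return [f for name, step in pipeline.items() for f in audit_step(name, step)]

if __name__ == "__main__":
    for finding in audit_pipeline(PIPELINE):
        print(finding)
```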