Controlling builds for public repos

I see in older version of Drone there was a “gatekeeper” endpoint that could control blocking of a build. Has that feature been completely removed?

I work with primarily private repos in our org so much of our Drone pipelines were built around everything being trusted since we use private Docker, RubyGems and NPM repositories so secrets need to be available even during a pull_request build. If I wanted to use the existing process on a public repository, I’d have to disable fork builds and then I don’t think I’d have any option for a trusted org user to build that pull.

I think Drone’s official position is that if a repository is public, to build the pull all images on all steps should be public and use no secrets. It still seems like any repo being built with an in-repo Dockerfile could still abuse this process to execute arbitrary commands inside your CI cluster even with a protected .drone.yml. So it seems to me, that a manual build block is still the best option. Are there any options presently available to implement forked PR blocking with the ability of a trusted user to approve them?

You could create and use a validation extension. The purpose of a validation extension is to evaluate incoming webhook data and yaml configuration and decide whether or not to proceed with execution.
https://docs.drone.io/extensions/validation/

EDIT: this requires the latest Drone image and you will need to update the drone-go library in the validation extension starter project using go get. In order to block the pipeline, you can return validator.ErrBlock from the extension.

Thanks, Brad. I should be able to figure it out from that.

I just wrote a Drone validation extension that will force approval of all pull requests coming from forks:

It could be a good template for your own.