
Build open source projects

Cloud

This document provides tips and best practices for building your open source project on CircleCI.

Credits for open source projects

See the Using Credits page for up-to-date information on the free credits available for open source projects.

Security

While open source can be a liberating practice, take care not to liberate sensitive information.

  • If your repository is public, your CircleCI project and its build logs are also public. Pay attention to the information you choose to print.

  • Environment variables set in the CircleCI application are hidden from the public. These variables are not shared with builds of forked PRs unless you explicitly enable that setting.

Features and settings for open source projects

The following features and settings can be useful for open source projects.

Private environment variables

Many projects require API tokens, SSH keys, or passwords. Private environment variables allow you to safely store secrets, even if your project is public.

For more information, see the Set an environment variable document.

Only build pull requests

By default, CircleCI builds every commit from every branch. This behavior may be too aggressive for open source projects, which often have significantly more commits than private projects.

To change this setting, go to Project Settings > Advanced for your project and set the Only build pull requests option to On.

The Only build pull requests setting can also be overridden for selected branches. Specifically, CircleCI will run validation on all commits from additional, non-default branches that match a regular expression you specify (for example, release.*).

Override the Only build pull requests setting by utilizing the API and following the steps outlined in this support article.

Enabling Only build pull requests may result in duplicate builds. You can find troubleshooting steps in this support article.

Build pull requests from forked repositories

Many open source projects accept PRs from forked repositories. Building these PRs is an effective way to catch bugs before manually reviewing changes.

By default, CircleCI does not build PRs from forked repositories. To change this setting, go to Project Settings > Advanced for your project and set the Build forked pull requests option to On.

If a user submits a pull request to your repository from a fork but no pipeline is triggered, the user is most likely following their fork of the project on their personal CircleCI account rather than following the source project itself. This causes the jobs to trigger under the user's personal account instead of the organization account. To resolve this, have the user unfollow their fork on CircleCI and follow the source project instead. Their jobs will then run under the organization when they submit pull requests.

Pass secrets to builds from forked pull requests

Running an unrestricted build in a parent repository can be dangerous. Projects often contain sensitive information, and this information is freely available to anyone who can push code that triggers a build.

By default, CircleCI does not pass secrets to builds from forked PRs for open source projects and hides four types of configuration data:

Forked PR builds of open source projects that require secrets will not run successfully on CircleCI until you enable this setting.
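The two security points above (build logs of a public project are public, and forked-PR builds do not receive secrets) can be handled inside a job rather than by enabling secret passing. The following is an added example, not code from the CircleCI documentation or from CircleCI itself. It assumes that CIRCLE_PR_NUMBER and CIRCLE_PR_USERNAME are the built-in variables CircleCI documents as present only on forked-PR builds (that reference is not on this page), and NPM_TOKEN stands in for whatever private environment variable the project stores. A secret-dependent step calls decide() first: it is skipped cleanly on a fork (where secrets are withheld by design), fails loudly on a trusted build that is misconfigured, and otherwise runs, with redact() masking secret values before anything reaches the public log.

```python
"""Fork-aware guard for CircleCI job steps that need secrets.

Added example, not part of the CircleCI documentation or CircleCI's own code.
Assumptions: CIRCLE_PR_NUMBER and CIRCLE_PR_USERNAME are the built-in variables
CircleCI documents as set only on forked-PR builds (that reference is not on
this page); secret names such as NPM_TOKEN are placeholders for whatever the
project stores as private environment variables.
"""
import os
import sys

# Built-in variables present only when the pipeline was triggered by a PR from a fork.
FORK_MARKERS = ("CIRCLE_PR_NUMBER", "CIRCLE_PR_USERNAME")


def is_forked_pr(env):
    """True when any fork-only marker variable is set and non-empty."""
    return any(env.get(name) for name in FORK_MARKERS)


def missing_secrets(env, required):
    """Names in `required` that are absent or empty in the job environment."""
    return [name for name in required if not env.get(name)]


def decide(env, required):
    """Decide what a secret-dependent step should do.

    Returns ("run", reason), ("skip", reason) or ("fail", reason):
      - all secrets present                -> run
      - forked PR and secrets withheld     -> skip (expected: secrets are not passed to forks)
      - trusted build but secrets missing  -> fail (misconfiguration, surface it loudly)
    """
    missing = missing_secrets(env, required)
    if not missing:
        return "run", "all required secrets present"
    if is_forked_pr(env):
        return "skip", "forked PR build without secrets: " + ", ".join(missing)
    return "fail", "secrets missing on a trusted build: " + ", ".join(missing)


def redact(text, env, secret_names):
    """Mask secret values before text reaches the (public) build log.

    Plain substring replacement: good enough for opaque tokens, too broad for
    very short values, so keep secrets long and random.
    """
    for name in secret_names:
        value = env.get(name)
        if value:
            text = text.replace(value, "[REDACTED:%s]" % name)
    return text


# Constructed sample environments (not real CircleCI output).
SAMPLE_FORK_ENV = {"CIRCLE_BRANCH": "pull/42", "CIRCLE_PR_NUMBER": "42",
                   "CIRCLE_PR_USERNAME": "contributor"}
SAMPLE_TRUSTED_ENV = {"CIRCLE_BRANCH": "main", "NPM_TOKEN": "npm_example_secret_value"}

if __name__ == "__main__":
    # Inside a job step: `python guard.py && npm publish` style usage.
    env = dict(os.environ)
    action, reason = decide(env, ["NPM_TOKEN"])
    print(action + ": " + reason)
    if action == "fail":
        sys.exit(1)
    if action == "run":
        print(redact("publishing with NPM_TOKEN=" + env["NPM_TOKEN"], env, ["NPM_TOKEN"]))
```

Because the skip path exits 0, a forked PR still gets a green check for everything that does not need credentials, while the trusted-branch build keeps its secrets and never prints them.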

If you wish to use OpenID Connect in your project, OIDC tokens are only generated when this setting is turned on. This prevents your token data from being shared with forked builds unless you require it. If you do choose to use OIDC with open source projects by enabling the Pass secrets to builds from forked pull requests option, you must check the oidc.circleci.com/vcs-origin claims in your policies so that forked builds cannot reach resources beyond those you intend. For more information on OIDC, see the Using OpenID Connect tokens in jobs page.
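What "check the oidc.circleci.com/vcs-origin claims in your policies" looks like on the verifying side, as an added example that is not code from the CircleCI documentation or from CircleCI itself. It assumes the verifying service has already validated the token signature against the issuer's published keys (omitted so the example runs offline), that the issuer URL and audience value are the organisation-scoped forms from CircleCI's OIDC reference (not on this page), and that the vcs-origin value has the shape github.com/<org>/<repo>; ORG-ID-PLACEHOLDER and example-org/example-repo are constructed. The allow list is exact, so a token minted for a build of a fork carries the fork's origin and is rejected even though issuer and audience match.

```python
"""Claim check for a CircleCI OIDC token presented by a job.

Added example, not part of the CircleCI documentation or CircleCI's own code.
Assumptions: the signature has already been verified against the issuer's keys
(omitted here so the example runs offline); issuer/audience formats and the
"github.com/<org>/<repo>" shape of the oidc.circleci.com/vcs-origin value are
assumed from CircleCI's OIDC reference, not from this page; ORG-ID-PLACEHOLDER
and example-org/example-repo are constructed values.
"""
import base64
import json
import time

VCS_ORIGIN_CLAIM = "oidc.circleci.com/vcs-origin"  # claim named on the page


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, expected_issuer, expected_audience, allowed_origins, now=None):
    """Accept the token only if issuer, audience, expiry and vcs-origin all match.

    Returns (accepted, reason). Checks are ordered cheapest-first and every
    rejection names the failing claim so the decision is auditable in logs.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    origin = claims.get(VCS_ORIGIN_CLAIM)
    if origin not in allowed_origins:
        return False, "vcs-origin %r not in allow list (forked build?)" % (origin,)
    return True, "ok"


def verify_token(token, expected_issuer, expected_audience, allowed_origins, now=None):
    """Decode a token and evaluate its claims against the policy."""
    return check_claims(decode_claims(token), expected_issuer, expected_audience,
                        allowed_origins, now)


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned demo token: the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "." + _b64url_encode(b"placeholder-signature")


# Constructed values standing in for a real organisation's issuer and audience.
ISSUER = "https://oidc.circleci.com/org/ORG-ID-PLACEHOLDER"
AUDIENCE = "ORG-ID-PLACEHOLDER"
ALLOWED_ORIGINS = {"github.com/example-org/example-repo"}
NOW = 1_700_000_000  # fixed clock so the sample tokens evaluate deterministically

TRUSTED_TOKEN = make_demo_token({"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 300,
                                 VCS_ORIGIN_CLAIM: "github.com/example-org/example-repo"})
FORK_TOKEN = make_demo_token({"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 300,
                              VCS_ORIGIN_CLAIM: "github.com/contributor/example-repo"})

if __name__ == "__main__":
    for label, tok in (("trusted", TRUSTED_TOKEN), ("fork", FORK_TOKEN)):
        print(label, verify_token(tok, ISSUER, AUDIENCE, ALLOWED_ORIGINS, now=NOW))
```

The same shape applies when the policy lives in a cloud provider's role trust configuration rather than in your own service: bind the role to the exact vcs-origin value, not to the issuer alone, because every fork build under the organisation shares the issuer.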

If you are comfortable sharing secrets with anyone who forks your project and opens a PR, you can enable the Pass secrets to builds from forked pull requests option:

  1. Navigate to the Project Settings > Advanced page in the CircleCI web app for your project.

  2. Set the Pass secrets to builds from forked pull requests option to On.

Caching

Caches for PR builds are isolated by GitHub repository. CircleCI uses the GitHub repository ID of the repository that originated the fork PR to identify the cache.

  • PRs from the same fork repo will share a cache. For example, PRs from the main repo share a cache with the main repo branches (in particular the main branch).

  • Two PRs in different fork repos will have different caches. That means that a PR from a fork will not share a cache with the main repo main branch.

  • Enabling the passing of secrets to builds from forked pull requests also enables cache sharing between the original repo and all forked builds.

Currently there is no pre-population of caches because this optimization has not made it to the top of the priority list yet.

Example open source projects

Following are a few examples of projects (big and small) that build on CircleCI:

  • Flow - Adds static typing to JavaScript to improve developer productivity and code quality.

  • Storybook - Interactive UI component development and testing: React, React Native, Vue, Angular, Ember.

  • Apollo - A community building flexible open source tools for GraphQL.

  • Calypso - The next generation web app powering WordPress.com.

  • Fastlane - A build automation tool for Android and iOS.

See also

Refer to the Examples document for more public and open source project configuration links organized by CircleCI features and by programming language.
