Our Now + GitHub integration makes it possible for you and your team to deploy every pull request. Every push gets a hyperlink where everyone can test and visualize the application.
Until today, for security reasons, we did not allow pull requests to be deployed from forked repositories. Now, this is possible.

Now Secrets and Deploying Pull Requests

Apps sometimes need to keep information secret, for example, if the app connects to a database and needs to provide credentials. In some cases, this information should be kept secret.
From the beginning of the Now + GitHub integration, we have been looking at different ways to solve the problem of deploying pull requests from third parties when there is sensitive information.
Usually, pull requests from forks are public repositories, so it's likely that there is no secret information in the code itself. Sensitive information is normally only needed when deploying the app.
Now has a method for keeping this sensitive information safe. It's called Now Secrets. We can set up secrets using Now CLI and the following command:
Then to use the secret, it is set up as an environment variable within a now.json configuration file:
{
  "env": {
    "API_KEY": "@api-key"
  }
}
This is the only way a user can pass secrets into a Now deployed application. With this in mind, we created a solution based around Now Secrets that allow pull requests from forks to deploy.

The Solution

For each pull request, Now for GitHub deploys the last commit of every push. If this pull request comes from a fork and the app does not have any secrets configured in the now.json file, the app will deploy automatically.
If there are secrets in the now.json file or changes to the now.json file itself, we will not automatically deploy the changes. Instead, we’ll show a message that you, or a member of the team that the GitHub repository is connected to with Now, should authorize the deployment.
When clicking on Details, you or a member of the Now account or team linked to the GitHub repository will be prompted to authorize the deployment.
Here we show you the keys used in the now.json and show easy access links to related code changes. So, you can decide whether this pull request is harmful or not.
Within this page, we'll list the information for what is to be authorized in order to be deployed. This includes which secrets will be used in the deployment, which commit is being deployed, and which pull request it comes from. From this information and the information from the pull request itself, reviewers can decide whether the code is safe to deploy or not. Each further commit will follow the same process so that there is no harm to your code in any circumstance.
If the code is safe to deploy, all it takes is a click on the AUTHORIZE button on that page and Now will deploy that pull request immediately.

Get Started

After our initial release, allowing external deployments was one of our most requested features. We're very happy today to bring this feature to you all.
Our priority is the security of your applications and data, and striking a great balance for the best possible user experience.
If you haven't used our Now for GitHub integration yet, get started.