Our Now + GitHub integration makes it possible for you and your team to deploy every pull request. Every push gets a hyperlink where everyone can test and visualize the application.
Until today, for security reasons, we did not allow pull requests to be deployed from forked repositories. Now, this is possible.
Apps sometimes need to keep information secret, for example, if the app connects to a database and needs to provide credentials. In some cases, this information should be kept secret.
From the beginning of the Now + GitHub integration, we have been looking at different ways to solve the problem of deploying pull requests from third parties when there is sensitive information.
Usually, pull requests from forks are public repositories, so it's likely that there is no secret information in the code itself. Sensitive information is normally only needed when deploying the app.
Now has a method for keeping this sensitive information safe. It's called Now Secrets. We can set up secrets using Now CLI and the following command:
now secrets add api-key <API Key value>
Then to use the secret, it is set up as an environment variable within a now.json configuration file:
{
  "env": {
    "API_KEY": "@api-key"
  }
}

Setting the environment variable of `API_KEY` to use the value of our secret `api-key`. Learn more about secrets.

This is the only way a user can pass secrets into a Now deployed application. With this in mind, we created a solution based around Now Secrets that allow pull requests from forks to deploy.
For each pull request, Now for GitHub deploys the last commit of every push. If this pull request comes from a fork and the app does not have any secrets configured in the now.json file, the app will deploy automatically.
If there are secrets in the now.json file or changes to the now.json file itself, we will not automatically deploy the changes. Instead, we’ll show a message that you, or a member of the team that the GitHub repository is connected to with Now, should authorize the deployment.

The UI of a GitHub PR showing that Now cannot deploy without authorization.

When clicking on Details, you or a member of the Now account or team linked to the GitHub repository will be prompted to authorize the deployment.

The page is shown when prompted to authorize a deployment of a PR from a fork.

Here we show you the keys used in the now.json and show easy access links to related code changes. So, you can decide whether this pull request is harmful or not.
Within this page, we'll list the information for what is to be authorized in order to be deployed. This includes which secrets will be used in the deployment, which commit is being deployed, and which pull request it comes from. From this information and the information from the pull request itself, reviewers can decide whether the code is safe to deploy or not. Each further commit will follow the same process so that there is no harm to your code in any circumstance.
If the code is safe to deploy, all it takes is a click on the AUTHORIZE button on that page and Now will deploy that pull request immediately.

A pull request made from a fork that was deployed and merged. This is from our own documentation repository which is open source!

After our initial release, allowing external deployments was one of our most requested features. We're very happy today to bring this feature to you all.
Our priority is the security of your applications and data, and striking a great balance for the best possible user experience.
If you haven't used our Now for GitHub integration yet, get started.