Vercel for GitHub makes it possible for you and your team to deploy every pull request. Every push gets a hyperlink where everyone can test and visualize the application.
Until today, for security reasons, we did not allow pull requests to be deployed from forked repositories. Now, this is possible.

Vercel Secrets and Deploying Pull Requests

Apps sometimes need information that must be kept secret, for example the credentials an app provides when it connects to a database.
From the beginning of the Vercel + GitHub integration, we have been looking at different ways to solve the problem of deploying pull requests from third parties when there is sensitive information.
Usually, pull requests from forks are made against public repositories, so it's likely that there is no secret information in the code itself. Sensitive information is normally only needed when deploying the app.
Vercel has a method for keeping this sensitive information safe. It's called Secrets. We can set up secrets using Vercel CLI and the following command:
vercel secrets add api-key <API Key value>
Then to use the secret, it is set up as an environment variable within a vercel.json configuration file:
{
  "env": {
    "API_KEY": "@api-key"
  }
}

This sets the environment variable `API_KEY` to the value of our secret `api-key`. Learn more about secrets.

This is the only way a user can pass secrets into a Vercel deployed application. With this in mind, we created a solution based around Vercel Secrets that allows pull requests from forks to deploy.

The Solution

For each pull request, Vercel for GitHub deploys the last commit of every push. If this pull request comes from a fork and the app does not have any secrets configured in the vercel.json file, the app will deploy automatically.
If there are secrets in the vercel.json file or changes to the vercel.json file itself, we will not automatically deploy the changes. Instead, we’ll show a message that you, or a member of the Vercel team linked to the GitHub repository, should authorize the deployment.

The UI of a GitHub PR showing that Vercel cannot deploy without authorization.

When clicking on Details, you or a member of the Vercel account or team linked to the GitHub repository will be prompted to authorize the deployment.

The page is shown when prompted to authorize a deployment of a PR from a fork.

Here we show you the keys used in the vercel.json and provide links to the related code changes, so you can decide whether this pull request is harmful or not.
Within this page, we'll list the information for what is to be authorized in order to be deployed. This includes which secrets will be used in the deployment, which commit is being deployed, and which pull request it comes from. From this information and the information from the pull request itself, reviewers can decide whether the code is safe to deploy or not. Each further commit will follow the same process so that there is no harm to your code in any circumstance.
If the code is safe to deploy, all it takes is a click on the AUTHORIZE button on that page and Vercel will deploy that pull request immediately.
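The rule described above can be sketched as a pre-review check. This is an added example, not Vercel's implementation: the function names, the shape of the `pr` object and the sample inputs are assumptions, and only the `env` block shown earlier is inspected.

```javascript
// Added illustration (not Vercel's code) of the fork-PR rule described above.

// Return the secrets a vercel.json refers to: "env" values of the form "@name".
function referencedSecrets(configText) {
  if (configText == null) return []; // no vercel.json in the tree
  const config = JSON.parse(configText); // throws on malformed JSON
  const env = config !== null && typeof config === "object" ? config.env : null;
  if (env === null || typeof env !== "object") return [];
  return Object.entries(env)
    .filter(([, value]) => typeof value === "string" && value.startsWith("@"))
    .map(([envVar, value]) => ({ envVar, secret: value.slice(1) }));
}

// pr (hypothetical shape): { fromFork, baseConfig, headConfig }, where the
// configs are the raw vercel.json text on the base branch and on the PR head
// (null if the file is absent). Comparing raw text treats any edit as a change.
function deploymentDecision(pr) {
  if (!pr.fromFork) return { authorize: false, reasons: [], secrets: [] };
  const reasons = [];
  let secrets = [];
  try {
    secrets = referencedSecrets(pr.headConfig);
  } catch (err) {
    // Fail closed: an unparseable config is never deployed automatically.
    reasons.push("vercel.json on the PR head is not valid JSON");
  }
  if (secrets.length > 0) reasons.push("vercel.json references secrets");
  if (pr.baseConfig !== pr.headConfig) reasons.push("vercel.json was changed by the PR");
  return { authorize: reasons.length > 0, reasons, secrets };
}

// Constructed sample inputs.
const sampleWithSecret = JSON.stringify({ env: { API_KEY: "@api-key" } });
const sampleWithoutSecret = JSON.stringify({ env: { NODE_ENV: "production" } });
const samplePrs = [
  { fromFork: true, baseConfig: sampleWithoutSecret, headConfig: sampleWithoutSecret },
  { fromFork: true, baseConfig: sampleWithSecret, headConfig: sampleWithSecret },
  { fromFork: true, baseConfig: sampleWithoutSecret, headConfig: sampleWithSecret },
];
for (const pr of samplePrs) {
  const decision = deploymentDecision(pr);
  console.log(decision.authorize ? "needs authorization:" : "auto-deploy", decision.reasons.join("; "));
}
```

The returned `secrets` and `reasons` correspond to what the authorization page lists for the reviewer: which secrets the deployment would use and why it was held.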

A pull request made from a fork that was deployed and merged. This is from our own documentation repository which is open source!

Get Started

After our initial release, allowing external deployments was one of our most requested features. We're very happy today to bring this feature to you all.
Our priority is the security of your applications and data, and striking a great balance for the best possible user experience.
If you haven't used our Vercel for GitHub integration yet, get started.