Skip to content

CI: Fork PRs always fail Vercel deployment check, blocking external contributions #2976

New issue
New issue
Open
Open
CI: Fork PRs always fail Vercel deployment check, blocking external contributions#2976
Assignees
andrewm4894
@andrewm4894

Description

@andrewm4894
andrewm4894
opened on Jan 27, 2026

Problem

External contributors who open PRs from forks will always see a failing Vercel – posthog-nextjs-config CI check. Vercel deliberately withholds environment variables (like ENVIRONMENT_ID) from fork builds as a security measure to prevent secret exfiltration.

This creates a poor contributor experience:

  1. Contributor confusion — They see a red X and may think their code is broken, when it's actually a CI infrastructure limitation they can't fix
  2. Blocked merging — If the Vercel check is required in branch protection, the PR can't be merged even though all actual code quality checks pass
  3. Extra maintainer overhead — We have to manually re-push the branch to the main repo and open a new PR to get CI to pass

The call-flags-project / add-to-project-board check also fails on fork PRs due to GitHub permissions, adding to the noise.

Example

PR #2510 from @Tehnix had all code checks passing (tests, lint, TypeScript, Playwright, etc.) but couldn't be merged due to the Vercel check failing with:

Build error occurred
[Error: Environment ID not provided. If you are using turbo, make sure to add env variables to your turbo config]

We had to push the branch to the main repo and open #2975 to work around it.

Possible solutions

A few approaches other repos use — not mutually exclusive:

  1. Make the Vercel check non-required in branch protection rules. It still runs and shows a warning, but doesn't block merging.
  2. Use a "safe to test" label workflow — a maintainer reviews the fork PR, adds a label, and that triggers a re-run from the main repo context with secrets available.
  3. Document it — add a note in CONTRIBUTING.md explaining that the Vercel preview check will fail on fork PRs and that's expected.
  4. Split required vs informational checks — only mark code quality checks (tests, lint, build, TypeScript) as required. Keep Vercel and project board checks as optional/informational.

Option 4 is probably the least friction while keeping security intact. The Vercel preview is useful for review but shouldn't gate merging.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions