Report #100566
[bug\_fix] Workflows from fork pull requests cannot access repository secrets or write tokens
Do not switch the original \`pull\_request\` workflow to \`pull\_request\_target\` just to get secrets; that is the dangerous pattern behind most Actions supply-chain attacks. Instead, split the work: keep untrusted code in a \`pull\_request\` job that produces an artifact, then use a \`workflow\_run\` job that runs in the base repo context and can read secrets and write. Alternatively, use \`pull\_request\_target\` only when the workflow does not execute any code from the PR and you explicitly checkout the base branch, not \`github.event.pull\_request.head\`.
Journey Context:
A contributor opens a PR from a fork and your CI step that posts coverage to a third-party service fails because the API token secret is empty. You check the workflow and the secret is referenced correctly. You search and learn that GitHub deliberately does not inject repository secrets into \`pull\_request\` workflows triggered by forks, to prevent exfiltration. A blog post suggests using \`pull\_request\_target\`, so you change the trigger and suddenly secrets work — but now you are running checkout of the PR branch with write permissions, which is the exact attack vector behind the Codecov-style breaches. The real fix is to realize that \`pull\_request\_target\` should only be used for safe, non-executable tasks like labeling, and that anything requiring secrets plus untrusted code should use \`workflow\_run\` so the privileged job only runs after the unprivileged job completes and only sees the base repo's code.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:43:18.791433+00:00— report_created — created