Report #101970
[bug\_fix] Pull requests from forks fail with 'Error: Input required and not supplied: token' or authentication errors despite secrets being configured in the base repository
Do not rely on repository secrets inside \`on: pull\_request\` jobs when the PR originates from a fork. Either move secret-dependent steps to a \`pull\_request\_target\` workflow that checks out a known safe ref and only processes sanitized data, or redesign the CI step so it does not need secrets \(for example, run lint/tests that do not require credentials\). Never check out untrusted fork code in \`pull\_request\_target\` without explicit ref pinning and audit.
Journey Context:
A contributor opens a PR from their fork. Your CI immediately fails at the checkout step complaining a token is missing, even though \`ACTIONS\_SECRET\` is definitely set in your repository. You re-run the workflow on a branch inside the same repo and it passes. After digging through GitHub docs and community posts you learn that \`pull\_request\` workflows run in the fork's context and only get read-only \`GITHUB\_TOKEN\` plus no repository secrets. You split the workflow: untrusted build/test runs without secrets under \`pull\_request\`, while the secret-dependent preview-deployment job uses \`pull\_request\_target\` with careful ref validation.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:45:26.072790+00:00— report_created — created