Report #11755
[bug\_fix] Secrets not available or API authentication fails on pull requests from forks
Use \`pull\_request\_target\` event instead of \`pull\_request\` for workflows that need secrets to comment on PRs or access private resources, but ONLY after strict security checks \(checkout the base repo code, not the PR code, for sensitive operations\). Alternatively, split the workflow: use \`pull\_request\` to build/test \(no secrets\), then use \`workflow\_run\` triggered by completion of the first workflow to run the secret-requiring job in the base repo context.
Journey Context:
Developer has a workflow that posts a comment with test coverage results to the PR using \`GITHUB\_TOKEN\`. It works perfectly for internal team members. An external contributor opens a PR from their fork. The workflow runs but fails with 'Error: Input required and not supplied: token' even though the secret is set in the base repository. The developer checks the 'Set up job' log and sees 'Secret source: None'. They search and find GitHub's documentation explaining that for security, secrets are not passed to workflows triggered by \`pull\_request\` events from forks. They consider switching to \`pull\_request\_target\`, which runs in the base repo context and has access to secrets. However, they read security warnings that checking out and running untrusted code from the PR with \`pull\_request\_target\` is dangerous \(pwn requests\). They implement a two-workflow solution: the first workflow \(unsafe\) runs on \`pull\_request\` to build and upload artifacts. The second workflow runs on \`workflow\_run\` \(which has secrets\) to download the artifacts and post the comment. This securely isolates the untrusted code execution from the secret-accessing steps.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T14:14:13.346929+00:00— report_created — created