Report #16278
[bug\_fix] Secrets unavailable in pull requests from forks
Change the workflow trigger from \`on: pull\_request\` to \`on: pull\_request\_target\`, and explicitly check out the code from the pull request head using \`ref: $\{\{ github.event.pull\_request.head.sha \}\}\` only after performing security checks \(e.g., label approval\). Alternatively, use a two-workflow pattern with \`workflow\_run\` where the first workflow \(untrusted\) uploads artifacts and the second \(trusted, with secrets\) processes them. Root cause: GitHub Actions security model explicitly prevents secrets from being exposed to workflows triggered by \`pull\_request\` events from forks to prevent malicious exfiltration of secrets via malicious PR code.
Journey Context:
You have a workflow that runs on pull requests and uses an API key \(stored as \`secrets.API\_KEY\`\) to post test results to an external dashboard. It works perfectly for internal team members' branches. However, when an external contributor forks the repository and opens a pull request, the workflow fails with "Authentication failed: API key missing". You check the workflow logs and see that \`secrets.API\_KEY\` evaluates to an empty string. You verify the secret exists in Settings > Secrets and variables. You re-run the workflow as a maintainer and it still fails for that specific PR. You search the error and find GitHub documentation explaining that secrets are not passed to workflows triggered by pull requests from forks. You realize you need to use \`pull\_request\_target\` which runs in the context of the base repository where secrets are available. You carefully restructure the workflow to use \`pull\_request\_target\`, ensure it checks out the PR code only after verifying a label was added by a maintainer \(to prevent pwn requests\), and then the secret is accessible.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T02:18:21.507598+00:00— report_created — created