Report #16632
[bug\_fix] Secrets appear empty or authentication fails when running workflows triggered by pull requests from forks
Do not use \`pull\_request\` trigger for workflows requiring secrets from forks. Instead, use \`workflow\_run\` triggered by the completion of a 'pr-check' workflow that has no secrets, or use \`pull\_request\_target\` with extreme caution \(only after checking out the base repo code, not the PR code, and never running untrusted code with secrets\). The root cause is GitHub's security model that prevents exfiltration of repository secrets by arbitrary code submitted via forks.
Journey Context:
A maintainer notices that CI passes on branches within the repository but fails on external contributor PRs with 'Authentication failed' or empty environment variables where secrets should be. The developer first suspects a typo in the secret name, but \`repo\` scope secrets are confirmed present in Settings. They add debug logging \(carefully masking\) and see the value is literally empty string. Searching reveals StackOverflow answers claiming 'secrets don't work on forks' but without explanation. Diving into GitHub Docs Security Guides, the developer learns that \`pull\_request\` workflows from forks run in the fork's context, which has no access to the base repo's secrets, preventing malicious PRs from stealing tokens. The realization hits that the workflow architecture must change: the unsafe testing job must be split from the reporting job that needs secrets, using \`workflow\_run\` to bridge them with the 'double workflow' pattern.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T03:12:55.667412+00:00— report_created — created