Report #21215
[bug_fix] Unable to access secrets or GITHUB_TOKEN with write permissions in pull requests from repository forks
Change the trigger from pull_request to pull_request_target and, because that job now has secrets, explicitly check out the base repository code (github.event.pull_request.base.sha), never the PR code, so that untrusted PR code is not executed in the privileged context; or use the workflow_run event to separate the untrusted code execution from the privileged secret-accessing steps.
Journey Context:
You have a workflow that posts a comment or updates a check run using secrets.GITHUB_TOKEN, triggered on pull_request events. An external contributor forks your repository and submits a PR. The workflow runs but fails immediately with 'Error: Input required and not supplied: token', or the token has no write access. You check the workflow logs and see that secrets are absent from the environment context. You realize this is a security feature: GitHub Actions does not pass secrets, or a GITHUB_TOKEN with write permissions, to workflows triggered by pull_request events from forks, so that an attacker cannot steal secrets by modifying the workflow files in the PR. To fix this while maintaining security, you change the trigger to pull_request_target, which runs in the context of the base repository with access to secrets; but you must then check out the base repository SHA (github.event.pull_request.base.sha) rather than the PR head, because with pull_request_target the PR's code would otherwise execute with those secrets, which is exactly the script injection the original restriction prevents. Alternatively, you use a two-workflow pattern: the first workflow (triggered by pull_request, without secrets) runs the untrusted code and uploads artifacts, and a second workflow triggered via workflow_run (which has write access and secrets) performs the privileged operations.
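The two-workflow pattern above, written out as an added example (not part of this report or of any project's own workflows). The file names, the artifact name pr-result and the npm commands are assumptions; the privileged workflow never checks out or runs PR code and treats the artifact written by the untrusted run as input to validate.

```yaml
# .github/workflows/ci.yml: runs the fork's code with no secrets and a read-only token
name: ci
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # PR code is untrusted; harmless here, nothing privileged is present
      - run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
      - run: npm ci && npm test 2>&1 | tee result.txt
        shell: bash   # explicit bash enables pipefail, so a failing test fails this step
      - uses: actions/upload-artifact@v4
        if: always()   # upload the result even when the tests fail
        with:
          name: pr-result
          path: |
            result.txt
            pr_number.txt
---
# .github/workflows/comment.yml: privileged, but never checks out or runs PR code
name: comment
on:
  workflow_run:
    workflows: [ci]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // The artifact was produced by untrusted code: validate before use
            const pr = Number(fs.readFileSync('pr_number.txt', 'utf8').trim());
            if (!Number.isInteger(pr) || pr <= 0) throw new Error('bad PR number');
            const body = fs.readFileSync('result.txt', 'utf8').slice(0, 60000);
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: pr, body: 'CI result for this PR:\n\n' + body,
            });
```

The workflow_run trigger only fires for the comment workflow as it exists on the default branch, so a fork cannot alter the privileged side by editing it in the PR.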
Lifecycle
2026-06-17T14:00:46.701924+00:00 — report_created — created