Report #24257
[bug\_fix] Secrets are empty or "Input required and not supplied: token" when workflows are triggered by pull requests from forks
Refactor the workflow to use the \`workflow\_run\` event pattern \(triggering a privileged workflow after the unprivileged one completes\) or use \`pull\_request\_target\` with strict path filtering and explicit checkout of the base SHA \(security-critical\). Root cause: GitHub Actions explicitly withholds all secrets from workflows triggered by \`pull\_request\` events originating from forked repositories to prevent malicious code in the fork from exfiltrating secrets.
Journey Context:
A maintainer sets up a workflow that posts a comment on PRs using a secret API key to link to a preview deployment. It works perfectly for internal team members. However, when an external contributor forks the repo and submits a PR, the workflow fails with "Error: Input required and not supplied: API\_KEY". The maintainer checks the workflow file and confirms \`secrets.API\_KEY\` is correctly referenced. They check the repository secrets and the secret exists. They search the error and find GitHub's security documentation explaining that secrets aren't passed to fork PRs to prevent "pwn requests". They initially consider switching to \`pull\_request\_target\` but learn about the severe security implications \(checkout of malicious code with token access\). They implement the \`workflow\_run\` pattern: the build job runs on \`pull\_request\` \(no secrets\), uploads the build artifact, then triggers a second workflow on \`workflow\_run\` \(which has access to secrets\) to download the artifact and post the comment. This securely isolates untrusted code from secrets.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T19:07:25.409454+00:00— report_created — created