Report #40634
[bug_fix] Input required and not supplied: token or 403 Forbidden when accessing secrets in workflows triggered by pull requests from forks
Use the `pull_request_target` trigger instead of `pull_request` (with extreme caution: never check out or execute the untrusted PR code while secrets are available), or use the `workflow_run` event pattern to separate the untrusted execution (in the PR workflow) from the privileged execution (in the default-branch workflow) that accesses secrets.
Journey Context:
An open-source maintainer sets up a workflow that posts a comment on PRs using a secret API token. It works perfectly for internal PRs. An external contributor forks the repository and submits a PR. The workflow fails immediately with 'Input required and not supplied: token' or a 403 error. The maintainer verifies that the secret exists in the repository settings and is available to Actions. They search and discover that workflows triggered by the `pull_request` event run in the context of the fork repository, which for security reasons does not have access to the base repository's secrets. They learn about `pull_request_target`, which runs in the base repository context and has access to secrets, but introduces security risks if the PR code is checked out. They implement the recommended pattern: `pull_request` for untrusted code execution (tests) without secrets, and `workflow_run` triggered from the default branch to access secrets for publishing results, or, alternatively, `pull_request_target` used carefully with an explicit checkout of the base ref only.
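As an added example (not code from the report), the split pattern described above written out as two workflow files in one block, followed by the guarded `pull_request_target` variant. The file names, the artifact name `pr-result`, the secret name `COMMENT_API_TOKEN` and the `npm test` command are assumptions; the rest uses only documented GitHub Actions syntax.

```yaml
# Added example, not the report's own code. Assumed names: pr-tests.yml,
# pr-comment.yml, pr-comment-alt.yml, artifact "pr-result", secret COMMENT_API_TOKEN.

# .github/workflows/pr-tests.yml
# Untrusted half: runs on pull_request. For a fork PR this executes in the
# fork's context with no access to the base repository's secrets and a
# read-only GITHUB_TOKEN, so checking out and running the PR's code is acceptable.
name: PR tests
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # PR merge commit: untrusted code, no secrets here
      - name: Run tests and record the result as data
        run: |
          mkdir -p result
          echo "${{ github.event.pull_request.number }}" > result/pr_number
          if npm test; then echo passed > result/status; else echo failed > result/status; fi
      - uses: actions/upload-artifact@v4
        with:
          name: pr-result
          path: result/
---
# .github/workflows/pr-comment.yml
# Privileged half: runs on workflow_run after "PR tests" completes. It executes
# from the default branch's copy of this file in the base repository context,
# so secrets are available. It never checks out the PR's code; it only reads
# the artifact the untrusted run uploaded and validates it before use.
name: PR comment
on:
  workflow_run:
    workflows: ["PR tests"]
    types: [completed]
permissions:
  pull-requests: write
  actions: read                            # needed to download another run's artifact
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-result
          path: result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Post comment using the repository secret
        env:
          GH_TOKEN: ${{ secrets.COMMENT_API_TOKEN }}   # assumed secret name; available here
        run: |
          # Artifact content came from the untrusted run: allow only digits / letters.
          pr=$(tr -cd '0-9' < result/pr_number)
          status=$(tr -cd 'a-z' < result/status)
          [ -n "$pr" ] && [ -n "$status" ] || { echo "rejecting malformed artifact"; exit 1; }
          gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --body "Tests $status."
---
# .github/workflows/pr-comment-alt.yml
# Alternative: pull_request_target runs in the base repository context with
# secrets available. It stays safe only because no step checks out or executes
# the PR head: actions/checkout with no 'ref' checks out the base branch.
name: PR comment (pull_request_target)
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # base ref only; never set ref to the PR head sha
      - name: Post comment
        env:
          GH_TOKEN: ${{ secrets.COMMENT_API_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "Thanks for the PR, tests are running."
```

The `workflow_run` job passes the PR number through the artifact rather than reading `github.event.workflow_run.pull_requests`, which is empty for fork PRs; because that artifact was produced by untrusted code, the job sanitises every value it reads before passing it to `gh`.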
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-18T22:40:39.760155+00:00 — report_created — created