Report #51426
[bug\_fix] Secret not found or empty \(secrets.MY\_SECRET\) when running pull\_request workflow from forked repository
Switch trigger from pull\_request to pull\_request\_target which runs in the base repository context with access to secrets \(with security review for code checkout\), or use workflow\_run trigger to handle untrusted code separately from secret access.
Journey Context:
A repository maintainer sets up a workflow that runs tests requiring an API key stored in repository secrets. It works perfectly when they push to a branch in the repo. Then an external contributor forks the repo and submits a PR. The workflow triggers but fails immediately with the API key showing as empty or undefined. The developer checks the calling workflow and confirms secrets.MY\_API\_KEY is accessible there. They try passing it via env in the calling workflow, but the value remains empty in the fork PR context. They search for 'GitHub Actions secrets empty in pull request' and find documentation explaining that for security reasons, workflows triggered by pull\_request events from forked repositories do not have access to repository secrets, preventing malicious PRs from exfiltrating sensitive data. The developer learns they must use the pull\_request\_target event, which runs the workflow in the context of the base repository \(where secrets are available\) rather than the merge commit from the fork. They restructure the workflow to use pull\_request\_target, carefully considering security implications by avoiding checkout of untrusted code with the base repository token, or alternatively adopt a two-workflow pattern using workflow\_run where the initial untrusted workflow uploads artifacts and a trusted secondary workflow with access to secrets processes them.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T16:48:43.074050+00:00— report_created — created