Report #56555
[bug_fix] Secrets show as empty strings or "Input required and not supplied" when workflows run on pull requests from forked repositories
Replace the `pull_request` trigger with `pull_request_target` (which runs in the base repository context with secrets; keep the default checkout of the base branch and never check out or execute the PR head while secrets are present, otherwise the PR author can run code with those secrets, the "pwn request"), or use a two-workflow pattern: an untrusted `pull_request` workflow builds the PR and uploads artifacts, and a trusted `workflow_run` workflow triggered on its completion downloads those artifacts and handles the secrets in the base repository context.
Journey Context:
A contributor opens a PR from their fork to add a feature. The workflow needs to deploy a preview environment using cloud provider credentials stored as repository secrets. The workflow runs but fails immediately with "Secret not found", or the deployment step reports invalid credentials. You check the calling workflow: the secret is definitely set in the repository settings and works in regular workflow jobs. You try exposing it with `env:` at the job level; still empty. After researching, you realize that for `pull_request` events triggered from forks, GitHub deliberately withholds all secrets and gives `GITHUB_TOKEN` read-only permissions, to prevent a malicious PR from exfiltrating secrets by editing the workflow or the build scripts. The fix requires restructuring: either `pull_request_target` (which runs in the base repository context with secrets) with strict checkout hygiene so that no untrusted code from the PR is executed, or the recommended `workflow_run` pattern, where the untrusted `pull_request` workflow builds and uploads artifacts and a privileged workflow then processes them as data in the secure base repository context. Note that a `workflow_run` workflow only ever runs the version of its file on the default branch, so a PR cannot change the trusted half until it is merged.
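The following is an added example written for this report, not a workflow from the original project. It shows the weak `pull_request_target` shape beside the two-workflow `workflow_run` fix described above. The secret name `DEPLOY_TOKEN`, the base-repository script `scripts/deploy-preview.sh`, the `dist/` build output and the artifact name `preview` are assumed placeholders; the three documents would live in three separate files under `.github/workflows/`.

```yaml
# Added example, not from the original report. Assumed names: the DEPLOY_TOKEN
# secret, scripts/deploy-preview.sh in the base repository, the dist/ build
# output and the "preview" artifact name are hypothetical placeholders.

# --- WEAK: pull_request_target that checks out and runs the PR's code ----------
# pull_request_target runs in the base repository context WITH secrets, so
# checking out the PR head and executing its build scripts hands the secrets
# to whatever the fork author put in package.json. Do not do this.
name: preview-unsafe
on:
  pull_request_target:
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: npm ci && npm run build                       # runs it with the secret in env
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
---
# --- SAFE, workflow 1 of 2: untrusted build on pull_request --------------------
# Runs with no repository secrets and a read-only GITHUB_TOKEN. It only builds
# the PR and uploads the result plus the PR number as an artifact.
name: pr-build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # default ref: the PR merge commit
      - run: npm ci && npm run build       # fine here: there are no secrets to steal
      - run: echo "${{ github.event.pull_request.number }}" > dist/pr_number
      - uses: actions/upload-artifact@v4
        with:
          name: preview
          path: dist/
---
# --- SAFE, workflow 2 of 2: trusted deploy on workflow_run ---------------------
# Triggered after pr-build completes. The file that runs is the one on the
# default branch, checked out from the base branch, with secrets available.
# The artifact is attacker-controlled data: download it, validate it, deploy
# it, but never execute anything from it.
name: pr-deploy
on:
  workflow_run:
    workflows: ["pr-build"]
    types: [completed]
permissions:
  contents: read
  actions: read        # needed to download an artifact from another run
jobs:
  deploy:
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # base branch: the trusted deploy script lives here
      - uses: actions/download-artifact@v4
        with:
          name: preview
          path: preview
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Validate the PR number carried in the artifact
        id: pr
        run: |
          n="$(tr -d '[:space:]' < preview/pr_number)"
          case "$n" in
            ''|*[!0-9]*) echo "bad pr_number in artifact"; exit 1 ;;
          esac
          echo "number=$n" >> "$GITHUB_OUTPUT"
      - name: Deploy the preview with the repository secret
        run: ./scripts/deploy-preview.sh preview/ "${{ steps.pr.outputs.number }}"
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

The `if:` guard on the trusted job matters: `workflow_run` also fires for `pr-build` runs that were triggered by other events or that failed, and the artifact contents (including `pr_number`) are chosen by the PR author, which is why the number is validated as digits only before it is passed to a shell command.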
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T01:25:14.252707+00:00 — report_created — created