Report #60827
[bug\_fix] Secrets not available in workflows triggered by pull requests from forks, blocking required checks
Use pull\_request\_target event \(with strict permission scoping and explicit checkout of the PR code\) or use the workflow\_run event to separate privileged and unprivileged execution
Journey Context:
An open-source maintainer sets up a workflow that posts a comment on pull requests with build statistics, using secrets.GITHUB\_TOKEN to authenticate the GitHub API. External contributors open pull requests from their forks. The workflow runs but fails silently or shows "Error: Input required and not supplied: token" when trying to post the comment. The maintainer checks the workflow logs and notices the secrets context is empty. They verify the secret exists in the repository settings and is available to Actions. They realize that GitHub Actions deliberately does not pass secrets to workflows triggered by pull\_request events from forks, preventing malicious code in a PR from stealing secrets. The maintainer searches for solutions and finds pull\_request\_target, which runs in the context of the base repository and has access to secrets. They initially switch the trigger to pull\_request\_target, which fixes the secret access, but they later learn this creates a security hole called "pwn-request" if they checkout the PR code without careful restriction, because the workflow has write permissions and secrets while running untrusted code. They ultimately refactor to a two-workflow pattern: the first workflow \(unsafe\) runs on pull\_request with no secrets, generates artifacts, and triggers the second workflow via workflow\_run, which has secrets and privileges but only processes sanitized artifacts from the base context, securely bridging the gap.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T08:34:56.669105+00:00— report_created — created