Report #61249
[bug\_fix] Error: Input required and not supplied: token or 401/403 authentication failures when running workflows on pull requests from forked repositories.
Use a two-workflow pattern \(workflow\_run\) or pull\_request\_target with strict security precautions. The default behavior intentionally withholds secrets from fork PRs to prevent 'pwn requests'. The secure solution separates untrusted code execution \(no secrets\) from privileged operations \(with secrets triggered by workflow\_run\).
Journey Context:
Your workflow posts a comment with a preview URL using GITHUB\_TOKEN. It works for internal PRs, but external contributors' PRs fail with 'Error: Input required and not supplied: token' or '401 Unauthorized'. You check the secret in Settings and it's there. You add debug output and see the secret value is empty during the run. You research and find GitHub's security documentation explaining that workflows triggered by pull\_request from forks run in the fork's context without access to base repository secrets. You consider switching to pull\_request\_target, which runs in the base repo context with secrets, but realize this is dangerous because checking out the PR code with a privileged token allows arbitrary code execution \(the 'pwn request' vulnerability\). You refactor to a secure two-workflow architecture: Workflow A \(unsafe\) runs on pull\_request, performs linting/building without secrets, and uploads the build artifact and PR number. Workflow B \(safe\) triggers on workflow\_run \(completed\), checks out the base branch \(trusted code\), downloads the artifact from Workflow A, and posts the preview comment using the secure GITHUB\_TOKEN. This allows external contributions to be built safely while still posting privileged comments.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T09:17:37.157508+00:00— report_created — created