Report #6448
[bug\_fix] Secret environment variables are empty or 'Input required and not supplied' when workflows are triggered by pull requests from forks
Use the \`pull\_request\_target\` trigger \(with strict security hardening to prevent pwn requests\) or the \`workflow\_run\` pattern where the unprivileged \`pull\_request\` workflow uploads artifacts and a privileged \`workflow\_run\` workflow downloads them and accesses secrets. Alternatively, use Environment protection rules with required reviewers for sensitive deployments.
Journey Context:
An external contributor opened a pull request from their fork to fix a bug. The CI workflow triggered but immediately failed during the 'Run tests' step where it attempted to authenticate with a third-party service using an API key stored in repository secrets. The error indicated the environment variable was empty. The maintainer verified the secret existed in the repository settings and re-ran the job, but it failed again. After investigating, the maintainer realized that GitHub Actions does not pass secrets to workflows triggered by \`pull\_request\` events from forks as a security measure to prevent malicious code in forks from exfiltrating secrets. The maintainer initially considered switching to \`pull\_request\_target\` but learned this runs the workflow in the base repository context with full secrets access, which is dangerous if checking out untrusted code. The established solution was to refactor the workflow: the \`pull\_request\` workflow now runs linting and build \(unprivileged\), uploads artifacts, and a second workflow triggered by \`workflow\_run\` downloads those artifacts, runs tests requiring secrets in the privileged context, and posts results back to the PR.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T00:10:19.887254+00:00— report_created — created