Report #76083
[bug_fix] Required secret or GITHUB_TOKEN not available in workflows triggered by pull requests from forks
For workflows requiring secrets on external PRs, change the trigger from `pull_request` to `pull_request_target` (check out the base repository code, not the PR code, or explicitly check out the PR head SHA only after a security review of what that job executes). Alternatively, use a two-workflow pattern: an untrusted `pull_request` workflow uploads artifacts, and a trusted `workflow_run` workflow downloads them and accesses secrets.
Journey Context:
An external contributor opens a PR from their fork to fix a bug. The project's CI workflow triggers on `pull_request` and attempts to run tests that require an API key stored in repository secrets. The job fails immediately with 'Input required and not supplied: api-key' or similar. The maintainer checks the PR and sees it's from a fork. They recall that GitHub Actions does not inject secrets into workflows triggered by `pull_request` events from forks, to prevent malicious PRs from exfiltrating credentials. The maintainer considers switching to `pull_request_target`, which runs in the base repository context with access to secrets, but realizes the default checkout action would check out the base branch code, not the PR code. They implement `pull_request_target` with an explicit step that checks out the PR head SHA using `github.event.pull_request.head.sha` and restricts the checkout to the paths that are needed, so that no PR-controlled code is executed during checkout. Alternatively, they implement a `workflow_run` pattern where the untrusted build runs in the fork context and uploads artifacts, and a trusted deployment workflow runs afterwards with secret access.
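An added example of the two-workflow pattern described above (not code from the report): an untrusted `pull_request` workflow that builds and uploads an artifact, and a trusted `workflow_run` workflow that downloads it and runs the secret-dependent tests against base-branch code only. The workflow names, the `make test` target, `scripts/integration-test.sh`, the `dist/` output and the `API_KEY` secret name are assumptions.

```yaml
# .github/workflows/pr-untrusted.yml  (fork context: no secrets)
name: PR build (untrusted)
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and run tests that need no secrets (assumed make target)
        run: make test
      - name: Save PR number so the trusted workflow can correlate the artifact
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: echo "$PR_NUMBER" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-build
          path: |
            dist/
            pr-number.txt
---
# .github/workflows/pr-trusted.yml  (base-repository context: secrets available)
name: PR integration tests (trusted)
on:
  workflow_run:
    workflows: ["PR build (untrusted)"]
    types: [completed]
permissions:
  contents: read
  actions: read   # lets GITHUB_TOKEN download another run's artifact
jobs:
  integration:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # base branch only; PR code is never checked out here
      - uses: actions/download-artifact@v4
        with:
          name: pr-build
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Validate PR number (artifact is contributor-controlled input - read, never execute)
        run: grep -Eq '^[0-9]+$' pr-number.txt
      - name: Integration tests with the secret (assumed script and secret name)
        env:
          API_KEY: ${{ secrets.API_KEY }}
        run: ./scripts/integration-test.sh dist/
```

Because the trusted job checks out only the base branch and treats the downloaded artifact as data, a malicious PR cannot execute code in the job that holds the secret, which is why this pattern is generally preferred over checking out the PR head under `pull_request_target`.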
Lifecycle
2026-06-21T10:17:49.357890+00:00 — report_created — created