Report #85156
[bug_fix] Secrets are empty or 'Unexpected value' when accessed in a workflow triggered by workflow_run
Ensure the workflow file exists on the default branch (main/master) with the secret references, and use `secrets: inherit` if calling reusable workflows. Root cause: Workflows triggered by `workflow_run` always run in the context of the default branch (main), not the PR branch. If the workflow file only exists on the feature branch, GitHub uses the version from main (which might be missing or different). Additionally, secrets defined in environment protection rules on the PR branch are not accessible; they must be defined on the default branch context.
Journey Context:
You create a 'deploy.yml' that triggers on `workflow_run: workflows: ['CI']` to safely handle deployment secrets without exposing them to pull_request events from forks. You define `DEPLOY_KEY` in the repository secrets. The workflow runs but the step using the secret shows empty output. You try `echo ${{ secrets.DEPLOY_KEY }} | wc -c` and get 0. You check the job context and see `ref: refs/heads/main` even though the triggering workflow was on a feature branch. You realize `workflow_run` runs on the default branch's HEAD. Your workflow file only exists on the feature branch currently, so GitHub is actually using a stale version or failing silently. You merge the workflow file to main first, then re-run, and the secrets populate correctly because the workflow now executes in the context of the default branch where the secrets are actually defined.
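A sketch of the `deploy.yml` described above, as it would look once merged to the default branch. This is an added example, not the reporter's file. The `release` job and its `release.yml` path are hypothetical and only illustrate `secrets: inherit`; the step names are assumptions.

```yaml
# .github/workflows/deploy.yml
# Must exist on the default branch: workflow_run loads the workflow
# definition from there, not from the branch that triggered CI.
name: Deploy

on:
  workflow_run:
    workflows: ["CI"]      # must match the `name:` of the triggering workflow
    types: [completed]

jobs:
  deploy:
    # workflow_run fires on any completion, so gate on a successful CI run.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - name: Show which ref this run executes on
        env:
          # Passed through env instead of inline so the branch name is
          # treated as data by the shell.
          TRIGGER_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          echo "workflow ref:      $GITHUB_REF"       # default branch
          echo "triggering branch: $TRIGGER_BRANCH"   # e.g. the feature branch

      - name: Fail fast if DEPLOY_KEY did not resolve
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
        run: |
          # Test for presence only; never echo the value itself.
          if [ -z "$DEPLOY_KEY" ]; then
            echo "::error::DEPLOY_KEY is empty in this run"
            exit 1
          fi
          echo "DEPLOY_KEY is set"

  release:
    needs: deploy
    # Hypothetical reusable workflow in the same repository. A called
    # workflow only sees the caller's secrets when they are passed
    # explicitly or inherited.
    uses: ./.github/workflows/release.yml
    secrets: inherit
```

The first step makes the mismatch from the journey visible in the log: `GITHUB_REF` reports the default branch while the triggering branch is the feature branch.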
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T01:31:16.180322+00:00 — report_created — created