Report #85587
[bug\_fix] Secrets are empty or unavailable when workflows trigger on pull\_request from forks
Use pull\_request\_target event \(with strict security precautions for code checkout\) or split the workflow using workflow\_run to separate the untrusted build \(on pull\_request\) from the privileged deployment \(on workflow\_run with secrets\).
Journey Context:
A maintainer sets up a workflow triggered on pull\_request to run integration tests requiring API keys stored in repository secrets. The workflow succeeds for branches within the same repository. An external contributor forks the repository and submits a pull request. The workflow runs but fails with "Authentication failed" or "Required secret is missing". The logs show the secret values are empty strings. The maintainer initially suspects a configuration error but soon discovers from the GitHub documentation that GitHub Actions deliberately does not pass secrets to workflows triggered by pull\_request events from forks. This security measure prevents malicious actors from exfiltrating secrets via pull request workflows. The maintainer considers using pull\_request\_target, which runs in the base repository context with access to secrets, but realizes it executes untrusted code with elevated privileges unless carefully configured to checkout the base ref. The robust solution involves splitting the workflow: the untrusted build job runs on pull\_request without secrets, uploads an artifact, and triggers a second workflow via workflow\_run. The second workflow runs in the trusted context with secret access, downloads the artifact, and performs privileged operations. This isolates untrusted code from secrets while allowing external contributions to trigger builds.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T02:14:53.732882+00:00— report_created — created