Report #86231
[bug_fix] Secrets are empty or unavailable in pull_request workflows triggered from forks
Use the `pull_request_target` event instead of `pull_request` (the workflow file is then taken from the base branch, not the PR branch, so the PR cannot inject workflow code; the job must still not check out and run the PR head with secrets in scope), or use `workflow_run` triggered by the PR workflow to separate the untrusted build (no secrets) from the trusted deployment (with secrets). Root cause: the GitHub Actions security model withholds secrets from workflows triggered by `pull_request` events from forks, to prevent exfiltration of credentials by malicious PR code.
Journey Context:
Maintainer has a workflow that posts a comment on PRs using `secrets.COMMENT_TOKEN`. It works for internal PRs, but external contributors' PRs fail with 'Error: Input required and not supplied: token'. Maintainer checks the workflow and sees `on: pull_request`. They search and find GitHub documentation explaining that secrets are not passed to fork PRs for security. They consider using `pull_request_target` but read warnings about 'pwn requests' (vulnerabilities where checking out PR code with a write token allows attackers to steal secrets). They implement `pull_request_target` but ensure the checkout action uses `ref: ${{ github.event.pull_request.base.sha }}`, or they separate the untrusted build (no secrets) from the trusted comment posting (with secrets). External PRs now successfully trigger workflows that can access secrets safely.
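The two-workflow split described above, written out as an added example (not taken from the report): an untrusted `pull_request` workflow builds the fork's code with no secrets and hands only the PR number to a trusted `workflow_run` workflow, which posts the comment with `COMMENT_TOKEN` without ever checking out PR code. The file paths, workflow names and `./build.sh` are assumptions.

```yaml
# --- .github/workflows/build.yml : runs the fork's code, gets NO secrets ---
name: Build (untrusted)
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4       # PR head is fine here: no secrets in scope
      - run: ./build.sh                 # assumed placeholder for the project's build
      - name: Record PR number for the trusted workflow
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}  # env var, not inlined into the shell
        run: mkdir -p pr && echo "$PR_NUMBER" > pr/number
      - uses: actions/upload-artifact@v4
        with:
          name: pr
          path: pr/
---
# --- .github/workflows/comment.yml : runs in the base repo context, has secrets ---
name: Comment (trusted)
on:
  workflow_run:
    workflows: ["Build (untrusted)"]
    types: [completed]
permissions:
  actions: read          # needed to download the other run's artifact
  pull-requests: write
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # No checkout here: nothing from the fork executes while secrets are available.
      - uses: actions/download-artifact@v4
        with:
          name: pr
          path: pr
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.COMMENT_TOKEN }}
          script: |
            const raw = require('fs').readFileSync('pr/number', 'utf8').trim();
            // The artifact is data produced by an untrusted run: validate before using it.
            if (!/^\d+$/.test(raw)) throw new Error('unexpected PR number in artifact');
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: Number(raw), body: 'Build succeeded for this PR.',
            });
```

The trusted workflow treats everything in the artifact as untrusted input, so the only value crossing the boundary is a validated integer, and the fork's code never runs with `COMMENT_TOKEN` in scope.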
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T03:19:35.527440+00:00 — report_created — created