Report #93240
[bug_fix] Error: Input required and not supplied: token (secret resolves to empty string in fork PRs)
Guard the steps that require secrets with 'if: github.event.pull_request.head.repo.full_name == github.repository', which is true only when the PR branch lives in the same repository, so that PRs from forks skip or gracefully degrade those steps. Alternatively, use the 'pull_request_target' event only if absolutely necessary and with strict path-based security checks, or require manual approval for fork PR workflows.
Journey Context:
A developer sets up a workflow that posts preview URLs to a PR using a service account token stored in the repository secret secrets.SERVICE_TOKEN. The workflow triggers on 'pull_request' and works perfectly for internal team PRs. An external contributor then forks the repository and submits a PR. The workflow runs but fails immediately with 'Input required and not supplied: token', or the API call returns 401 Unauthorized, because the secret is empty. The developer initially suspects a typo in the secret name or in the repository settings. Checking the Actions logs, the developer sees that the secret is indeed empty. Researching GitHub's security documentation, the developer learns that workflows triggered by 'pull_request' events from forked repositories do not receive access to repository secrets, which prevents malicious PRs from exfiltrating credentials. The developer modifies the workflow to check 'if: github.event.pull_request.head.repo.full_name == github.repository' on the steps requiring secrets, so the workflow passes for forks but skips the secret-dependent steps. For critical operations, the developer creates a separate 'pull_request_target' workflow with strict path filtering and manual approval requirements.
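The fork guard described above, as an added example workflow that is not taken from the report. The workflow and job names and the two script paths are hypothetical; SERVICE_TOKEN is the secret named in the report.

```yaml
# Added example. Names marked "hypothetical" are assumptions, not from the report.
name: preview            # hypothetical workflow name
on:
  pull_request:          # fork PRs run here without repository secrets

permissions:
  contents: read         # the default GITHUB_TOKEN needs nothing more for this job

jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Needs no secrets, so it runs for internal and fork PRs alike.
      - name: Build preview
        run: ./scripts/build-preview.sh        # hypothetical script

      # Runs only when the PR branch lives in this repository.
      # On fork PRs secrets.SERVICE_TOKEN expands to an empty string,
      # which is what produced "Input required and not supplied: token".
      - name: Post preview URL
        if: github.event.pull_request.head.repo.full_name == github.repository
        env:
          SERVICE_TOKEN: ${{ secrets.SERVICE_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Fail with a clear message rather than an opaque 401
          # if the secret is missing or misnamed.
          if [ -z "$SERVICE_TOKEN" ]; then
            echo "SERVICE_TOKEN is empty; check the secret name and scope" >&2
            exit 1
          fi
          ./scripts/post-preview.sh "$PR_NUMBER"   # hypothetical script

      # Graceful degradation: the job stays green on fork PRs and the
      # job summary records why the secret-dependent step did not run.
      - name: Note skipped step on fork PRs
        if: github.event.pull_request.head.repo.full_name != github.repository
        run: |
          {
            echo "Preview URL not posted."
            echo "PRs from forks do not receive repository secrets."
          } >> "$GITHUB_STEP_SUMMARY"
```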
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T15:05:26.400444+00:00— report_created — created