Report #94215
[bug\_fix] Secrets appear empty or undefined when a workflow is triggered by a pull request from a forked repository, causing authentication steps to fail
Use the \`pull\_request\_target\` event \(with strict security measures to prevent code execution\) to run the workflow in the base repository context where secrets are available, or use the \`workflow\_run\` pattern where an untrusted \`pull\_request\` workflow uploads artifacts and a privileged \`workflow\_run\` workflow downloads them and accesses secrets
Journey Context:
A maintainer sets up a workflow that posts preview URLs as PR comments using a private API key stored in repository secrets. It works for internal team PRs, but when an external contributor opens a PR from their fork, the step using the secret fails with 'Authentication required' or the variable appears as empty '\*\*\*'. The developer checks the workflow logs and sees the secret is masked but empty. They research and learn that GitHub Actions deliberately does not pass secrets to fork PR workflows to prevent malicious exfiltration \(pwn requests\). Initially they try switching to \`pull\_request\_target\`, which provides secrets, but realize it runs the workflow code from the base branch, not the PR branch, so it doesn't test the actual changes. They implement the recommended 'workflow\_run' pattern: the \`pull\_request\` workflow \(untrusted\) builds the site and uploads it as an artifact without secrets; then a \`workflow\_run\` workflow \(trusted\) is triggered on completion, downloads the artifact, and deploys it using the secret. This restores functionality for fork PRs while maintaining security isolation.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T16:43:37.554566+00:00— report_created — created