Closed ggirotto closed 3 years ago
Workflows triggered via pull_request_target have write permission to the target repository. They also have access to target repository secrets. The same is true for workflows triggered on pull_request from a branch in the same repository, but not from external forks. The reasoning behind the latter is that it is safe to share the repository secrets if the user creating the PR has write permission to the target repository already.
Github Secrets are not accessible from
pull-request
workflow in forked repos. This is security protection and an expected behavior, but causes that forked PRs cannot runpull-request
workflow.References:
As proposed by reference number 2,
pull_request_target
may be used to allow access to Github Secrets from forked PRs.This issue is still in development/study