Forked PRs doesn't have access to Github Secrets

[ggirotto]

Github Secrets are not accessible from pull-request workflow in forked repos. This is security protection and an expected behavior, but causes that forked PRs cannot run pull-request workflow.

References:

• https://docs.github.com/en/actions/reference/encrypted-secrets#using-encrypted-secrets-in-a-workflow
• https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

As proposed by reference number 2, pull_request_target may be used to allow access to Github Secrets from forked PRs.

This issue is still in development/study

[ggirotto]

Workflows triggered via pull_request_target have write permission to the target repository. They also have access to target repository secrets. The same is true for workflows triggered on pull_request from a branch in the same repository, but not from external forks. The reasoning behind the latter is that it is safe to share the repository secrets if the user creating the PR has write permission to the target repository already.