Skip to content
Latchkey

How to Prevent Secret Leaks on Fork Pull Requests in GitHub Actions

Fork PRs on the pull_request event get a read-only token and no secrets; the danger is pull_request_target, which has secrets and must never run fork code.

Run build and test for forks on pull_request (no secrets). Reserve pull_request_target for trusted, code-free automation and always check out the base ref there.

Steps

  • Keep untrusted build/test on the pull_request event.
  • Use pull_request_target only for trusted tasks like labeling.
  • In a privileged context, never check out and execute the PR head.

Workflow

.github/workflows/ci.yml
name: pr
on:
  pull_request:        # forks: read-only token, no secrets
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test   # safe: no secrets here

Gotchas

  • pull_request_target runs in the base context with full secrets; checking out and running fork code there is the classic exploit.
  • If you must build fork code with secrets, gate it behind an environment that requires manual approval.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →