How to Run a Workflow on a Fork Safely in GitHub Actions
Fork PRs run with a read-only token and no secrets; keep it that way and never run fork code with privileges.
Build and test fork code on the safe pull_request event (no secrets). If you need a privileged follow-up, use pull_request_target but never check out and run the fork's code there.
Steps
- Run untrusted build/test on
pull_request(no secrets exposed). - Keep any privileged step on
pull_request_targetchecked out at the base ref. - Never execute fork-supplied scripts in the privileged context.
Workflow
.github/workflows/ci.yml
on: [pull_request]
permissions:
contents: read
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npm ci && npm testGotchas
pull_request_targetchecks out the base by default and HAS secrets; running fork code there is the classic exploit.- Use environment protection rules to require approval before privileged jobs.
Related guides
How to Comment on a Pull Request From a Workflow in GitHub ActionsPost a comment on a pull request from a GitHub Actions workflow using actions/github-script and the GITHUB_TO…
How to Require Manual Approval in GitHub ActionsGate a GitHub Actions deploy behind human sign-off using a protected environment with required reviewers, pau…