Skip to content
Latchkey

How to Run a Workflow on a Fork Safely in GitHub Actions

Fork PRs run with a read-only token and no secrets; keep it that way and never run fork code with privileges.

Build and test fork code on the safe pull_request event (no secrets). If you need a privileged follow-up, use pull_request_target but never check out and run the fork's code there.

Steps

  • Run untrusted build/test on pull_request (no secrets exposed).
  • Keep any privileged step on pull_request_target checked out at the base ref.
  • Never execute fork-supplied scripts in the privileged context.

Workflow

.github/workflows/ci.yml
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

Gotchas

  • pull_request_target checks out the base by default and HAS secrets; running fork code there is the classic exploit.
  • Use environment protection rules to require approval before privileged jobs.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →