Skip to content
Latchkey

GitHub Actions secret not available to fork pull_request

GitHub does not pass repository secrets to workflows triggered by pull_request from a fork. The secret is empty and the step that needs it fails.

What this error means

A step that reads a secret behaves as if it is unset when the run originated from a fork PR.

github-actions
Error: Input required and not supplied: token
# secrets.MY_TOKEN is empty for fork pull_request events

Common causes

Forks cannot read secrets

To prevent secret exfiltration, fork pull_request runs receive no repository secrets.

Workflow assumes a secret is always present

A step that requires the secret fails when it is empty on a fork run.

How to fix it

Split trusted work into pull_request_target carefully

  1. Run untrusted fork code without secrets on pull_request.
  2. Use a separate, restricted pull_request_target job for steps needing secrets, never checking out untrusted code into it.
.github/workflows/ci.yml
on:
  pull_request:
permissions:
  contents: read

How to prevent it

  • Design fork-facing CI to need no secrets.
  • Guard secret-dependent steps with an event or actor check.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →