GitHub Actions secret not available to fork pull_request
GitHub does not pass repository secrets to workflows triggered by pull_request from a fork. The secret is empty and the step that needs it fails.
What this error means
A step that reads a secret behaves as if it is unset when the run originated from a fork PR.
github-actions
Error: Input required and not supplied: token
# secrets.MY_TOKEN is empty for fork pull_request eventsCommon causes
Forks cannot read secrets
To prevent secret exfiltration, fork pull_request runs receive no repository secrets.
Workflow assumes a secret is always present
A step that requires the secret fails when it is empty on a fork run.
How to fix it
Split trusted work into pull_request_target carefully
- Run untrusted fork code without secrets on pull_request.
- Use a separate, restricted pull_request_target job for steps needing secrets, never checking out untrusted code into it.
.github/workflows/ci.yml
on:
pull_request:
permissions:
contents: readHow to prevent it
- Design fork-facing CI to need no secrets.
- Guard secret-dependent steps with an event or actor check.
Related guides
GitHub Actions pull_request_target checks out untrusted fork codeFix the GitHub Actions security pitfall where pull_request_target runs with secrets but checking out the PR h…
GitHub Actions "Input required and not supplied: token"Fix the GitHub Actions error "Input required and not supplied: token" caused by an action that needs a token…
GitHub Actions 403 while pushing with GITHUB_TOKENFix the GitHub Actions 403 error when pushing with the GITHUB_TOKEN, caused by a missing contents write scope…