Secret is empty on a fork pull_request in CI
Secrets are not passed to workflows triggered by a pull_request from a fork. The expression resolves to an empty string, so steps that need a token or key fail as if it were unset, even though the secret exists.
What this error means
A step that uses ${{ secrets.X }} fails with an empty/missing value, but only on PRs opened from forks; same-repo PRs and pushes work.
.github/workflows/ci.yml
# event: pull_request from a fork
Error: Input required and not supplied: token
# secrets.MY_TOKEN evaluated to ""Common causes
Forks do not receive secrets on pull_request
To prevent secret exfiltration by untrusted code, GitHub omits secrets from fork-triggered pull_request runs.
The step assumes the secret is always present
The workflow has no guard for the empty case, so a downstream action errors on the missing input.
How to fix it
Guard steps that need secrets
- Skip secret-dependent steps when the secret is empty (typical for fork PRs).
- Run those steps only on push or same-repo PRs.
- Move trusted writes to a
workflow_runjob in the base context.
.github/workflows/ci.yml
- name: Deploy
if: ${{ secrets.MY_TOKEN != '' }}
run: ./deploy.shUse a separate trusted workflow for secret work
Process untrusted PR output in a workflow_run workflow that runs with repository secrets in the base context.
.github/workflows/ci.yml
on:
workflow_run:
workflows: ["CI"]
types: [completed]How to prevent it
- Assume secrets are empty on fork pull_request runs.
- Guard secret-dependent steps with an
ifcheck. - Keep trusted work in
workflow_runor push-triggered jobs.
Related guides
GITHUB_TOKEN read-only on fork pull_request cannot comment in CIFix write failures on fork pull_request events in CI - GITHUB_TOKEN is read-only for PRs from forks, so comme…
Actions "Context access might be invalid" for a secret in CIFix the "Context access might be invalid: SECRET_NAME" warning in CI - the editor/linter cannot confirm the s…
Actions "Input required and not supplied: token" in CIFix "Error: Input required and not supplied: token" in CI - an action requires a token input but the secret e…