Replies: 2 comments 1 reply
-
I have this issue as well. I don't have a solution that I like, but I have one that works. You can use a To make this safe, run any job that uses secrets and is triggered by This blocks execution of those jobs until a repo maintainer inspects the code, verifies it isn't going to do anything malicious with the secrets, then "approves" the environment deployment. Then the jobs will run under the fork PR's code with access to your secret. My biggest gripes about this:
But, at the end of the day with this method you are able to run jobs on forks with secrets safely. I would love some better UX to allow contributions from forks when a project has secrets it needs to inject into its CI checks in PRs.
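The gated approach described in the comment above, written out as an added example; this is not the workflow from the thread or the project's own file. It assumes the mechanism the comment refers to is a GitHub Environment (named `fork-pr-secrets` here, a name chosen for the example) with the "Required reviewers" protection rule enabled, the `pull_request_target` event, and a hypothetical secret `API_KEY` and test script:

```yaml
# Added example, not the project's workflow. Assumes an environment named
# "fork-pr-secrets" exists in the repo settings with "Required reviewers"
# turned on, and that API_KEY is a repository or environment secret.
name: pr-tests-with-secret

on:
  pull_request_target:            # runs in the base repo's context, so secrets
    types: [opened, synchronize, reopened]   # are available even for fork PRs

permissions:
  contents: read                  # pull_request_target grants a write token by
                                  # default; drop everything the job doesn't need

jobs:
  test:
    runs-on: ubuntu-latest
    # The environment's required-reviewers rule pauses the job here. A maintainer
    # reads the PR diff first, then approves the deployment; every new push
    # (synchronize) starts a new run that needs a fresh approval.
    environment: fork-pr-secrets
    steps:
      - name: Check out the PR head commit (the fork's code), not the base branch
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          # Pin to the SHA so the code that runs is exactly the code that was reviewed,
          # not whatever the branch name points at by the time the job is approved.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config

      - name: Run tests that need the key
        env:
          API_KEY: ${{ secrets.API_KEY }}   # hypothetical secret name
        run: ./run-tests.sh               # hypothetical test entry point
```

Without the `environment:` line the same workflow would hand the secret to any fork's code as soon as the PR is opened, which is exactly the exposure the secrets-on-forks restriction exists to prevent; the approval gate is what makes the pattern safe.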
-
Definitely agree, I'm encountering the same exact issue: whenever an external user opens a PR from a fork, our workflow that runs checks fails because it does not have access to secrets 😞 I'm still really surprised that such a feature, which looks like a pretty common thing for open-source projects, is not supported. After hours trying to find some solutions, I more or less concluded that the best solution is indeed what @artis3n suggests, so thanks! Still, it would be much better if GitHub could provide a proper solution for this.
-
I saw in the documentation for Using encrypted secrets in a workflow that "With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository."
This is a problem for us, as we need to inject an API key to run tests on PRs. The API key is stored in encrypted secrets, but if the test workflows cannot access the secret when run from a forked PR (i.e. any open source contributor who is not an admin), then we cannot ensure that the PRs pass tests before merging them.
The documentation linked above does not offer a workaround or alternative approach. Is support for encrypted secrets in workflows on fork PRs a feature request that you have on your backlog or do I need to find an alternative method for securely injecting API keys into open source test workflows?
Example
https://github.com/googlemaps/android-maps-compose/blob/main/.github/workflows/instrumentation-test.yml#L48 is meant to access a key from encrypted secrets. This test workflow runs as a check on every incoming PR.
You can see in the run history it passes on main and on branches, but fails on forks because the secret is returned as null.