Replies: 4 comments
GitHub intentionally does not expose repository secrets to workflows triggered from forked repositories. There is no safe way to directly pass secrets to fork-based The 100% correct and secure pattern is to separate untrusted code execution from secret usage.
🔒 Secure Patterns
1. Use
This comment was marked as low quality.
The secure pattern here is really about separating untrusted execution from privileged authority, not only about where the secret string is stored. Fork PRs are the obvious case, but the deeper rule is: low-trust code and high-trust credentials should not share the same execution boundary unless there is an explicit, reviewable handoff.

That is why
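Added example, not part of the thread or of any poster's reply: one way to separate untrusted execution from secret usage is a pair of workflows, where the first runs fork code without secrets and the second, triggered by `workflow_run`, holds the secret and only reads the first one's artifact as data. The file paths, the `make test` command, the `publish-report.sh` script and the `REPORT_TOKEN` secret name are assumptions made for illustration.

```yaml
# File 1 (hypothetical path): .github/workflows/pr-build.yml
# Runs the contributor's code. Fork PRs get no secrets and a read-only token here.
name: PR build
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - run: make test > test-report.txt   # assumed build command
      - uses: actions/upload-artifact@v4
        with:
          name: pr-report
          path: test-report.txt
---
# File 2 (hypothetical path): .github/workflows/pr-publish.yml
# Runs from the default branch, so the workflow file and scripts are maintainer-reviewed.
name: PR publish
on:
  workflow_run:
    workflows: ["PR build"]
    types: [completed]
permissions:
  contents: read
  actions: read   # needed to download an artifact from another run
jobs:
  publish:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default branch, not the PR head
      - uses: actions/download-artifact@v4
        with:
          name: pr-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          path: untrusted/
      # The artifact is contributor-influenced data: read it, never execute or source it.
      - run: ./scripts/publish-report.sh untrusted/test-report.txt   # hypothetical script
        env:
          REPORT_TOKEN: ${{ secrets.REPORT_TOKEN }}   # hypothetical secret name
```

The handoff between the two workflows is the artifact, so the privileged job should validate its contents (size, format, expected fields) before acting on it.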
Hi @bright8r, We currently do not allow self-promotion, advertising, or solicitation in Community Discussions. We want to make sure there is space for users to ask questions without overwhelming them with other conversations. Thank you for helping us maintain a productive and tidy community for all our members. For additional guidance, please review our Community on Discussions Code of Conduct and GitHub’s Terms of Service.
🏷️ Discussion Type
Question
💬 Feature/Topic Area
ARC (Actions Runner Controller)
Discussion Details
Hi, I'm Kiran, and I work at Bright Steel Centre. I noticed that secrets are not accessible when workflows are triggered from forked repositories. Is there a secure way to handle secrets for external contributions?