My GitHub actions depend on some GitHub secrets that I set in my repo:

(screenshot: the repository's GitHub secrets settings page)

CI works when I push a commit:

https://github.com/paulrberg/prb-proxy/actions/runs/1958606928

But it fails when an external contributor makes a PR from their forked version of the repo:

https://github.com/paulrberg/prb-proxy/runs/4581619160

The execution fails because of this error:

Error: Please set MNEMONIC as an env variable

But the MNEMONIC secret is there. Why doesn't it work when the GitHub Action is triggered by a PR made by an external contributor?

Paul Razvan Berg

Comments:

  • From what I read [here](https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/) about public and private forked repos, you can set a `pull_request_target` to run the event against the workflow and code from the base of the pull request: _This means the workflow is running from a trusted source and is given access to a read/write token as well as secrets enabling the maintainer to safely comment on or label a pull request._ However, it might not work using _push_ events. – GuiFalourd Mar 10 '22 at 13:00
  • Note that even `pull_request_target` is insecure in most cases and can compromise your secrets. But there are some ways to make it "more secure." See: [Github Actions: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) – q9f Jan 17 '23 at 13:06
  • Did you manage to solve the issue without having to use `pull_request_target`? – Sasha Shpota Aug 22 '23 at 09:25
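The behaviour in the question is by design: a workflow triggered by the `pull_request` event for a PR from a fork receives no repository secrets, so `secrets.MNEMONIC` expands to an empty string and any step that requires it fails. The workflow below is an added example, not the prb-proxy repository's own CI file; the job names, the `npm` scripts and the split between a secret-free test job and a secret-dependent one are assumptions. It keeps the fork-safe `pull_request` trigger and simply skips the job that needs the secret when the PR head comes from a fork, while failing early with a clear message if the secret is missing in any other context.

```yaml
name: ci

on:
  push:
    branches: [main]
  pull_request:

jobs:
  # Assumed job: everything that does not need MNEMONIC runs for every PR,
  # including PRs from forks, because it needs no secrets.
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test   # assumed script name

  # Assumed job: the part that needs the secret. It is skipped for fork PRs,
  # where the `pull_request` event deliberately provides no secrets, instead
  # of failing with "Please set MNEMONIC as an env variable".
  test-with-secret:
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    runs-on: ubuntu-latest
    env:
      MNEMONIC: ${{ secrets.MNEMONIC }}
    steps:
      - uses: actions/checkout@v4
      - name: Check that the secret is actually available
        run: |
          # Fail at the start of the job with an explicit error rather than
          # deep inside the test run.
          if [ -z "$MNEMONIC" ]; then
            echo "::error::MNEMONIC secret is not available in this context"
            exit 1
          fi
      - run: npm ci
      - run: npm run test:integration   # assumed script name
```

This keeps secrets out of reach of code contributed from forks, which is the point the second comment makes. Switching the trigger to `pull_request_target` would expose the secrets, but that event runs with the base repository's permissions, so a workflow using it must never check out and execute the PR head's code (for example via `ref: ${{ github.event.pull_request.head.sha }}`), which is the failure mode the linked "Preventing pwn requests" article describes.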