
Copilot AI commented Aug 20, 2025

The .github/workflows/pr-merge.yaml workflow was failing to access secrets.DISCORD_WEBHOOK_BETA_TESTERS when triggered by pull requests from forked repositories. This is due to GitHub's security restriction that prevents pull_request events from forks accessing repository secrets.

Changes Made

1. Changed trigger from pull_request to pull_request_target

  • Enables secret access by running the workflow in the target repository context instead of the fork context
  • Allows secrets.DISCORD_WEBHOOK_BETA_TESTERS to be accessible for Discord notifications

2. Added proper merge condition

  • Added if: github.event.pull_request.merged == true at the job level
  • Ensures Discord notifications are only sent for actually merged PRs, not just closed ones
  • This condition was previously commented out but is now properly implemented

3. Removed unnecessary checkout step

  • Eliminated the "Checkout code" step that was marked as dangerous in the original workflow
  • Since we only need to send a Discord notification, accessing the PR code is unnecessary
  • Improves security by removing a potential attack vector

4. Maintained security measures

  • All existing user permission checks remain intact
  • Still verifies the triggering user has write permissions before proceeding
  • Workflow continues to be secure against malicious actors

Security Considerations

Using pull_request_target is safe in this context because:

  • We removed the dangerous checkout step
  • All permission verification remains in place
  • The workflow only sends notifications and doesn't execute any code from the PR

The workflow will now successfully notify Discord when PRs from forked repositories are merged while maintaining proper security controls.

Fixes #4855.
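
An added example, not part of this PR or the repository's code: a heuristic, line-based audit of workflow text for the pattern the description above removes (a pull_request_target workflow that checks out the PR head) and for a missing or commented-out merged guard. Both sample workflows and the finding names are constructed for illustration.

```python
import re

# Constructed workflow texts for illustration; neither is the repository's pr-merge.yaml.
RISKY = """\
on:
  pull_request_target:
    types: [closed]
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./notify.sh   # runs fork-controlled code with the secret in scope
        env:
          WEBHOOK: ${{ secrets.DISCORD_WEBHOOK_BETA_TESTERS }}
"""
SAFER = """\
on:
  pull_request_target:
    types: [closed]
jobs:
  notify:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      - env:
          WEBHOOK: ${{ secrets.DISCORD_WEBHOOK_BETA_TESTERS }}
        run: |
          curl -fsS -H 'Content-Type: application/json' -d '{"content":"PR merged"}' "$WEBHOOK"
"""

PR_HEAD_REF = re.compile(r"ref:\s*.*github\.(event\.pull_request\.head\.|head_ref)")
MERGED_GUARD = re.compile(r"if:\s*.*github\.event\.pull_request\.merged\s*==\s*true")

def audit(text):
    """Heuristic, line-based audit of one workflow file; returns sorted finding ids."""
    # Ignore whole-line comments so a commented-out guard or step does not count.
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", live):
        return []  # fork PRs get no secrets under plain pull_request
    findings = []
    if "actions/checkout" in live and PR_HEAD_REF.search(live):
        findings.append("checkout-of-pr-head")
    if not MERGED_GUARD.search(live):
        findings.append("no-merged-guard")
    return sorted(findings)
```

The check works on raw text rather than parsed YAML, so it is a review aid for spotting candidates, not a substitute for reading the workflow.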


Copilot AI commented Aug 20, 2025

@netmindz 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

Copilot AI changed the title from "[WIP] .github/workflows/pr-merge.yaml fails to read secrets.DISCORD_WEBHOOK_BETA_TESTERS" to "Fix GitHub workflow secret access from forked PRs" Aug 20, 2025
Copilot AI requested a review from netmindz August 20, 2025 23:00
@netmindz netmindz marked this pull request as ready for review August 20, 2025 23:22
@netmindz netmindz merged commit 1fb9eb7 into main Aug 20, 2025
20 checks passed
@netmindz netmindz deleted the copilot/fix-4855 branch August 20, 2025 23:23
Development

Successfully merging this pull request may close these issues.

.github/workflows/pr-merge.yaml fails to read secrets.DISCORD_WEBHOOK_BETA_TESTERS