I have a CI workflow that pushes intermediate build artifacts to GitHub Container Registry, so I have the access token as a secret.
When someone from outside my organization submits a PR, I’d like to review the content of their PR to ensure it doesn’t try to do anything malicious with the tokens. Then I’d approve it, allowing the CI run to access the secrets.
Environments seem like an almost perfect fit for this case, but:
- Can PRs from outside my organization have access to secrets once I have approved them, or is scrubbing them a hard restriction?
- Will I be able to avoid approving PRs from inside my organization?
I’ve tried to set this up, but my secrets are always null / missing for a PR from an outside contributor. It’s hard to test this myself with a single GitHub account…
This user has a similar (but more complicated?) situation, but no answers yet.
This user seemed to be using non-environment secrets; I have actually set secrets at both the repository and environment level, so I don’t think this is my problem.
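As an added example (not part of the original post, and not an official GitHub template), here is one way to express the review-then-release flow described above in a GitHub Actions workflow. It assumes an environment named `fork-pr-review` (placeholder name) that has at least one required reviewer configured, a registry token stored as `GHCR_TOKEN` (placeholder) at the environment level for fork PRs and at the repository level for same-repo PRs, and a repository variable `GHCR_USER` (placeholder) holding the token owner's username.

```yaml
# Added example: gate secret access for fork PRs behind an environment with
# required reviewers, while same-repo PRs run without manual approval.
name: build-and-push-cache

on:
  # pull_request_target runs in the context of the base repository, so the
  # job receives secrets even when the PR comes from a fork. A plain
  # pull_request trigger never receives repository or environment secrets
  # for fork PRs, which is why they show up as empty there.
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  packages: write

# Cancel a pending approval if the PR is updated, so the reviewer always
# approves the latest commit rather than a superseded one.
concurrency:
  group: pr-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  # PRs whose head branch lives in this repository (organization members
  # with push access) skip the manual gate.
  build-trusted:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ vars.GHCR_USER }}          # placeholder variable
          password: ${{ secrets.GHCR_TOKEN }}      # repository-level secret
      - name: Build and push
        run: |
          IMAGE=ghcr.io/${{ github.repository }}/build-cache:pr-${{ github.event.pull_request.number }}
          docker build -t "$IMAGE" .
          docker push "$IMAGE"

  # PRs from forks wait on the environment's required reviewer before any
  # step runs, so the PR diff can be read before the token is exposed.
  build-fork:
    if: github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-latest
    environment: fork-pr-review              # placeholder environment name
    steps:
      # pull_request_target checks out the base branch by default; check out
      # the PR head explicitly and pin it to the reviewed commit SHA.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ vars.GHCR_USER }}          # placeholder variable
          password: ${{ secrets.GHCR_TOKEN }}      # environment-level secret
      - name: Build and push
        run: |
          IMAGE=ghcr.io/${{ github.repository }}/build-cache:pr-${{ github.event.pull_request.number }}
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
```

The two behaviours the question asks about map onto two settings here: the `environment:` key is what makes the job wait for a required reviewer, and the `if:` comparison of the head repository against `github.repository` is what lets same-repo PRs bypass that gate. Keeping the token only in the environment-level secret for the fork job means a workflow edit that drops the `environment:` line also drops the secret, and `persist-credentials: false` keeps the checkout's own credentials out of the reviewed build steps.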