Can I allow PRs to access secrets in an approved environment?

I have a CI workflow that pushes intermediate build artifacts to GitHub Container Registry, so I have the access token as a secret.

When someone from outside my organization submits a PR, I’d like to review the content of their PR to ensure it doesn’t try to do anything malicious with the tokens. Then I’d approve it, allowing the CI run to access the secrets.

Environments

Environments seems like an almost perfect fit for this case, but:

  1. Can PRs from outside my organization have access to secrets once I have approved them, or is scrubbing them a hard restriction?
  2. Will I be able to avoid approving PRs from inside my organization?

Attempt

I’ve tried to set this up, but my secrets are always null / missing for a PR from an outside contributor. It’s hard to test this myself with a single GitHub account…

Similar questions

Pull requests with their branches in forks will not have access to secrets in workflows by default for security reasons. That is, with a trigger pull_request. You can change that to pull_request_target if you want to hand out the secrets - however, this will no longer checkout the code of the head branch, but the code of the base branch. This is to ensure that no stranger can modify the workflow to leak secrets.

If you need the head branch code for the workflow run, then you could do an explicit checkout, but this is no longer safe - strangers will have access to your secrets and can modify the workflow to exfiltrate them. Also see the following article on this matter:

Regarding manual approval of workflow runs, take a look here: Access to secrets in PR from fork using environments and pull_request_target