Would we be allowed to have a repo setting that allows secrets to be read in any PR? I’m thinking about forks.
Use case: private repos in a company/organization where the developers follow the fork-PR model. In this scenario, only approved developers have access to the private repo(s) and therefore we (the company) accept the risks of malicious PRs.
Cons: malicious PRs could damage stuff.
pull_request_target currently offers this but it’s a really hard/poorly documented way to solve this issue.