How Do I Allow Access to Secret Tokens to Workflows Triggered by PRs From Forks?

We have a community-maintained project in an organisation, and it’s deployed on Netlify using GitHub Actions. Interested contributors are free to fork the repo and share their PRs with us. In an ideal scenario, we would like to configure the workflow to:

  1. Build the website in the context of the contents of the PR (which works well, and we’ve not faced any issues yet).
  2. Deploy the built static assets to Netlify to view a preview version of the PR (which fails due to an authentication issue, since the secret tokens are no longer available to the workflows of PRs from forked repos).

I’m aware that similar discussions exist at:

… but none of the threads has a definitive answer to the problem.

So, I was wondering: are we missing something? Is it possible to keep using GitHub Actions for our requirements? If so, how do we do it?

Short version: Don’t do the deployment in the workflow triggered by the pull_request event; instead, use a workflow_run event that’s triggered by the first workflow completing. Make sure not to run anything from the PR in that second workflow.

The how and why and possible pitfalls are explained here:

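One way to wire up the two-workflow split described in the answer above, written as an added example rather than code from the original thread or from the project in question. It assumes two hypothetical workflow files (build.yml and preview.yml), that the site builds into ./dist with npm, and that the Netlify token and site ID are stored as the repository secrets NETLIFY_AUTH_TOKEN and NETLIFY_SITE_ID. The untrusted pull_request workflow never sees secrets and only uploads an artifact; the workflow_run workflow (whose definition is always taken from the default branch, so a PR cannot edit it) has the secrets but never checks out or executes PR code. The only thing it reads from the PR is the built output plus a PR number, and that number is validated as digits before it is used anywhere:

```yaml
# .github/workflows/build.yml (hypothetical name): runs on the PR, untrusted, no secrets
name: build
on:
  pull_request:

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm run build   # assumption: the site builds into ./dist
      # Record the PR number as plain data so the trusted workflow can find it later
      - run: echo "${{ github.event.pull_request.number }}" > dist/.pr-number
      - uses: actions/upload-artifact@v4
        with:
          name: site-${{ github.event.pull_request.head.sha }}
          path: dist

---
# .github/workflows/preview.yml (hypothetical name): trusted, runs from the default branch with secrets
name: preview
on:
  workflow_run:
    workflows: [build]
    types: [completed]

permissions:
  contents: read
  actions: read          # needed to download the artifact of the other run

jobs:
  deploy:
    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout here: nothing from the PR is executed,
      # the built assets are treated purely as data to upload.
      - uses: actions/download-artifact@v4
        with:
          name: site-${{ github.event.workflow_run.head_sha }}
          path: dist
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Read and validate the PR number written by the untrusted build
        id: pr
        run: |
          n=$(tr -d '[:space:]' < dist/.pr-number)
          # The file is attacker-controlled; accept digits only before using it in a command
          case "$n" in
            ''|*[!0-9]*) echo "invalid PR number in artifact" >&2; exit 1 ;;
          esac
          rm dist/.pr-number
          echo "number=$n" >> "$GITHUB_OUTPUT"
      - name: Deploy preview to Netlify
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
        run: npx netlify-cli deploy --dir=dist --alias="pr-${{ steps.pr.outputs.number }}"
```

Two points worth keeping in mind with this layout. The uploaded directory is attacker-controlled HTML and JavaScript, so the preview should go to a Netlify site that is separate from production, with its own token, so that a malicious PR can only deface its own preview. And the PR number is read from the artifact rather than from `github.event.workflow_run.pull_requests`, because that list is usually empty for PRs from forks; reading it from the artifact is why the digits-only check is there.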