It really seems like this issue is not being given high enough priority. This is especially blocking for open-source community projects.
I know many companies are using GitHub with private repos for commercial teams, and in that scenario it often makes sense for them to work on a single repository. However, I always considered the user forks + pull request workflow to be the “pure” way to do development, as it treats all contributors the same, whether they be maintainers or from the community. This is how my team at Canonical work on all our projects.
It makes sense for any number of PR checks to need secrets - codecov.io being probably the most obvious, but also any number of other potential services like percy.io. For anyone at all working in the “pure” fork+PR workflow, this means PR checks with GitHub Actions are basically useless. And this would be especially true for large community projects, which should be the lifeblood of GitHub.
For this reason, I really think this is a very central issue for GitHub Actions. Not providing a way for any meaningful checks to work on PRs from forks harms specifically large, community, open source projects, and they are, as I say, the lifeblood of GitHub.
I think there are a number of feasible ways to get Actions with secrets working on PRs from forks:
- Check if the user has write access to the parent project (meaning they have access to secrets), and if so allow access to the secrets
- Run checks against the parent project with all the secrets as long as they haven’t changed (and make sure to provide clear feedback if an Action has been modified and so isn’t run or isn’t provided with secrets)
- Allow an approval mechanism, whereby you can grant permission to certain forks to access central secrets
This is an important issue, which will block a great many people from fully adopting GitHub Actions, including our team, until it’s fixed.
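One pattern that addresses the codecov.io case raised in this thread without handing secrets to fork-authored code is to split the work into two workflows: the `pull_request` workflow runs the untrusted code with no secrets and saves its output as an artifact, and a separate `workflow_run` workflow, which executes in the base repository's context with its secrets, only downloads that artifact and uploads it. The two files below are an added illustration, not configuration from the original post or from any project named in it; the `make test` target, the `coverage.xml` output, the `./upload.sh` script and the `CODECOV_TOKEN` secret name are assumptions.

```yaml
# File 1 (assumed path: .github/workflows/ci.yml)
# Runs for every pull request, including PRs from forks. Fork PRs receive
# no repository secrets here, so the untrusted code runs with nothing to leak.
name: CI
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumed test target that writes coverage.xml (constructed for this example)
      - run: make test
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage.xml
---
# File 2 (assumed path: .github/workflows/upload-coverage.yml)
# Triggered when the CI workflow finishes. It runs on the default branch's
# copy of this file with the repository's secrets available, but it never
# checks out or executes the PR's code; it only consumes the artifact.
name: Upload coverage
on:
  workflow_run:
    workflows: [CI]
    types: [completed]
jobs:
  upload:
    # Skip uploads for failed or cancelled runs
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: coverage
          # Fetch the artifact produced by the specific CI run that triggered us
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Assumed uploader script; the secret is exposed only to code from the base branch
      - run: ./upload.sh coverage.xml
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
```

The important property is that the secret is only ever present in a job whose workflow definition and steps come from the base repository, so a contributor cannot modify the workflow in their fork to exfiltrate it. If the second workflow ever needs to check out code, it should check out the base branch, never the PR head.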