Our actions are failing for external pull requests but work fine when running locally

We’re seeing a really odd issue, where Github actions results in a different outcome depending on whether the very same code is being run from an external PR as opposed to an internal one.

For example, this PR: Allow sentry-trace header in CORS restrictions by tm1000 · Pull Request #449 · Flagsmith/flagsmith · GitHub fails our end to end tests, but the same code that I made a PR from directly within the repo improvement/sentry cors by dabeeeenster · Pull Request #458 · Flagsmith/flagsmith · GitHub is passing.

I can’t explain this - is there something I’m missing RE differences between these action environments?

I don’t immediately see what’s wrong here, but the pull_request event does not run in the same context on external PRs. You should probably use pull_request_target (docs) for pull requests from forked repos. Be aware of the security warning provided with those docs.

Hope it helps.

A potential difference is secrets: runs for PRs coming from forks do not get access to secrets (other than GITHUB_TOKEN), and your workflow seems to be using one…

1 Like

Thanks for the answers here - just to say if anyone finds this thread - it was due to these external PRs not having access to our repo secrets. Thanks for the replies!