When PRs are opened on our private repo from forks, workflows with the ‘pull_request’ trigger are not triggered.
This behavior is reproducible only on private repos.
We did some digging around:
1. Created a clean private repo https://github.com/elementor/tests-github-actions/pulls (now it’s public).
2. Added a blank workflow with ‘pull_request’ as a trigger.
3. Edited README.md on a branch and created a PR to master. The workflow ran.
4. Forked the repo into my account https://github.com/danielkatz/tests-github-actions (private).
5. On my fork, edited README.md on master and created a second PR to the original repo. The workflow didn’t run.
6. We made the original repo public.
7. Again on the original repo, we edited README.md on a branch and created a third PR to master. The workflow ran.
8. Again, forked the repo into my account https://github.com/danielkatz/tests-github-actions-1 (public).
9. On my fork, edited README.md on master and created a fourth PR to the original repo. ✔ The workflow ran.
I am aware of the issues around malicious PR mitigation, but if this is the root cause of the observed behavior, why did the workflow trigger on a public repo? Moreover, the PRs to the private repo were made by users with permissions for that repo, and thus should be considered trusted.
Really appreciate help on this issue.