GitHub Actions: Secrets, Permissions, Security, and OIDC/Do not expose secrets to untrusted forks

Avoid unsafe patterns for public repo pull requests.

Section: OIDC and fork safety

Do not expose secrets to untrusted forks

```yaml
# Fork PRs run in the fork's context: repository secrets are withheld and GITHUB_TOKEN is read-only
on:
  pull_request:
```
Explanation

Workflows that run code from forks are running untrusted code. Never let that code path share a job with repository secrets or a privileged token until a maintainer has reviewed it.
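The two shapes below are an added illustration, not part of the cheat sheet. The first is the pattern the entry warns against: `pull_request_target` runs in the base repository's context (secrets available, writable `GITHUB_TOKEN`), and the job then checks out and executes the fork's commit. The second keeps the entry's `pull_request` trigger, where GitHub withholds repository secrets and issues a read-only token for fork PRs, and pins the permission block to read-only so the run stays unprivileged regardless of the repository default. The workflow names, job names, `npm` commands and the secret name `DEPLOY_TOKEN` are placeholders; the two workflows are separated by a YAML document marker only so they can be read side by side, and each would live in its own file under `.github/workflows/`.

```yaml
# Added example (not from the cheat sheet). Names and the DEPLOY_TOKEN secret are placeholders.

# --- Pattern to avoid ---------------------------------------------------
# pull_request_target runs in the BASE repository's context, so repository
# secrets and a write-capable GITHUB_TOKEN are in scope. Checking out the
# PR head and running its scripts executes the fork author's unreviewed
# code inside that privileged context.
name: risky-fork-build
on:
  pull_request_target:
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted fork commit
      - run: npm ci && npm test                            # runs that commit's scripts...
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}         # ...with a repository secret in reach

---
# --- Safer shape --------------------------------------------------------
# pull_request runs in the fork's context. For fork PRs GitHub does not
# pass repository secrets to the runner and GITHUB_TOKEN is read-only.
# Declaring read-only permissions explicitly keeps that true even if the
# repository's default token permission is later relaxed. No secret is
# referenced anywhere in the job.
name: fork-safe-ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # default ref: the PR merge commit
      - run: npm ci && npm test            # untrusted code, no secrets, read-only token
```

If a privileged step is genuinely needed after the untrusted build (labelling, commenting, publishing a report), keep it in a separate workflow that does not check out or execute fork code, for example one triggered by `workflow_run` that only consumes artifacts produced by the unprivileged job. The check to make in review is simple: any job that can run fork-authored code must reference no `secrets.*` value and carry no write permission.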

Related commands

Enable OIDC token issuance
Grant `id-token: write` when using cloud federation.
Configure AWS credentials via OIDC
Use the AWS credentials action without long-lived keys.
Authenticate to Google Cloud with OIDC
Use workload identity federation for GCP.
Mask a dynamic sensitive value
Hide a generated or fetched secret from logs.
Set least-privilege token permissions
Limit the default GITHUB_TOKEN scope.
Grant write access only where needed
Elevate token permissions on a specific job.