Anyone can fork a public repository, and then submit a pull request that proposes changes to the repository's GitHub Actions workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes.
To help prevent this, workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first. By default, all first-time contributors require approval to run workflows.
Note: Workflows triggered by
pull_request_target events are run in the context of the base branch. Since the base branch is considered trusted, workflows triggered by these events will always run, regardless of approval settings.
Workflow runs that have been awaiting approval for more than 30 days are automatically deleted.
Maintainers with write access to a repository can use the following procedure to review and run workflows on pull requests from contributors that require approval.
Under your repository name, click Pull requests.
In the list of pull requests, click the pull request you'd like to review.
On the pull request, click Files changed.
Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the
.github/workflows/directory that affect workflow files.
If you are comfortable with running workflows on the pull request branch, return to the Conversation tab, and under "Workflow(s) awaiting approval", click Approve and run.