About workflow runs from public forks
Anyone can fork a public repository, and then submit a pull request that proposes changes to the repository's GitHub Actions workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes.
To help prevent this, workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first. By default, all first-time contributors require approval to run workflows.
Note: Workflows triggered by pull_request_target events are run in the context of the base branch. Since the base branch is considered trusted, workflows triggered by these events will always run, regardless of approval settings. For more information about the pull_request_target event, see "Events that trigger workflows."
You can configure workflow approval requirements for a repository, organization, or enterprise.
Workflow runs that have been awaiting approval for more than 30 days are automatically deleted.
Approving workflow runs on a pull request from a public fork
Maintainers with write access to a repository can use the following procedure to review and run workflows on pull requests from contributors that require approval.
-
Under your repository name, click Pull requests.
-
In the list of pull requests, click the pull request you'd like to review.
-
On the pull request, click Files changed.
-
Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the
.github/workflows/directory that affect workflow files. -
If you are comfortable with running workflows on the pull request branch, return to the Conversation tab, and under "Workflow(s) awaiting approval", click Approve and run.
