Problem
Forked PRs trigger the pull_request event, which runs with read-only permissions and NO access to repository secrets (BOT_PAT, API_KEY, etc.). This causes the E2E workflow to fail immediately during the secret validation step.
Proposed Solution
- Switch triage workflow trigger to pull_request_target for the E2E test.
  - This runs the workflow in the context of the base branch (main), granting access to secrets.
  - We must explicitly check out the PR's code (ref: ${{ github.event.pull_request.head.sha }}) to test the changes.
- Add Manual Approval via Environment
  - Use environment: e2e-test in the job.
  - Configure the environment in repo settings to require approval from maintainers.
  - This allows maintainers to review the PR code before running the E2E test (and exposing secrets to it).
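
A workflow implementing the two steps proposed above, as an added example that is not part of the original issue or the project's own workflow. The workflow name, the event types, the checkout options beyond `ref`, and the test script path are assumptions.

```yaml
# Added example. Names marked "assumed" do not come from the issue.
name: e2e-fork-prs                      # assumed workflow name

on:
  pull_request_target:
    types: [opened, synchronize, reopened]   # assumed event types

# Keep the default GITHUB_TOKEN read-only; the job gets nothing it does not declare.
permissions:
  contents: read

jobs:
  e2e:
    runs-on: ubuntu-latest
    # The job pauses here until a required reviewer configured on the
    # e2e-test environment approves this specific run.
    environment: e2e-test
    steps:
      - name: Check out the PR head commit
        uses: actions/checkout@v4
        with:
          # Pin to the SHA carried by the triggering event, so the commit that
          # runs is the one the approver reviewed, not a later push to the branch.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in .git/config where PR code could read it.
          persist-credentials: false

      - name: Validate secrets
        env:
          BOT_PAT: ${{ secrets.BOT_PAT }}
          API_KEY: ${{ secrets.API_KEY }}
        run: |
          : "${BOT_PAT:?BOT_PAT is not set}"
          : "${API_KEY:?API_KEY is not set}"

      - name: Run E2E tests
        env:
          BOT_PAT: ${{ secrets.BOT_PAT }}
          API_KEY: ${{ secrets.API_KEY }}
        run: ./scripts/run-e2e.sh       # assumed test entry point
```

Storing BOT_PAT and API_KEY as environment secrets on e2e-test, rather than as repository secrets, keeps them unreadable to any job that does not pass the approval gate.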