Problem
Fork PRs cannot access repository secrets in GitHub Actions (by design). This means the Tests (Online) job always fails for external contributions, since LINEAR_TEST_TOKEN is empty.
This blocks us from verifying that fork contributions actually work against the real Linear API before merging.
Solution
- Skip test-online in ci.yml when no secret is available — removes the misleading red X on fork PRs
- Add a pull_request_target workflow gated on a safe-to-test label that runs online tests with the secret
- Maintainer reviews the fork PR code, adds the safe-to-test label, online tests run
- If new commits are pushed, the label should be removed and re-evaluated
Security model
- pull_request_target reads the workflow YAML from main, not from the fork — the fork cannot modify the workflow to exfiltrate the secret
- The fork's code is only checked out for build/test steps
- The label gate ensures a maintainer has reviewed the code before secrets are exposed
References
- #88 is the first fork PR hitting this: feat: --project filter on issues list #88
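A sketch of the label-gated workflow proposed above, added here as an example and not taken from the issue or the repository. The workflow file name and the `make test-online` command are placeholders; the label name and `LINEAR_TEST_TOKEN` come from the issue.

```yaml
# .github/workflows/online-tests-fork.yml  (hypothetical file name)
name: Tests (Online, fork PRs)

on:
  pull_request_target:
    types: [labeled, synchronize]

# Start from no token permissions; each job grants only what it needs.
permissions: {}

jobs:
  # New commits invalidate the earlier review: remove the label so a
  # maintainer has to re-review and re-apply it.
  revoke-label:
    if: >-
      github.event.action == 'synchronize' &&
      contains(github.event.pull_request.labels.*.name, 'safe-to-test')
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - name: Remove safe-to-test label
        run: gh api --method DELETE "repos/$REPO/issues/$PR/labels/safe-to-test"
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}

  test-online:
    # Run only on the labeling event itself, so a later push can never
    # reuse an approval given to an earlier commit.
    if: github.event.action == 'labeled' && github.event.label.name == 'safe-to-test'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the PR head commit as of the labeling event; the
          # maintainer should confirm it is the commit they reviewed.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the workflow token in .git/config for fork code to read.
          persist-credentials: false
      - name: Online tests
        run: make test-online  # placeholder: the real test command is not in the issue
        env:
          # The secret is exposed to this step only.
          LINEAR_TEST_TOKEN: ${{ secrets.LINEAR_TEST_TOKEN }}
```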