Workflows: Use pull_request_target for cherry-pick workflow#75775
Merged
Workflows: Use pull_request_target for cherry-pick workflow#75775
Conversation
The cherry-pick workflow fails on fork PRs when triggered by the `labeled` event because `pull_request` events from forks don't have access to repository secrets. This causes the checkout step to fail with "Input required and not supplied: token" since `secrets.GUTENBERG_TOKEN` is empty. Switch to `pull_request_target` so the workflow runs in the context of the base repository with access to secrets. This is safe because the workflow only operates on already-merged commits. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
ellatrix
added
the
[Type] Automated Testing
Member
Author
|
Let's try this for #75746. |
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Member
Author
|
Let's try it |
Member
Author
|
I think the reason it still doesn't work is that that PR is not based on this. Hopefully this fixes the issue for future forks. |
scruffian
pushed a commit
that referenced
this pull request
Feb 23, 2026
* Workflows: Use pull_request_target for cherry-pick workflow The cherry-pick workflow fails on fork PRs when triggered by the `labeled` event because `pull_request` events from forks don't have access to repository secrets. This causes the checkout step to fail with "Input required and not supplied: token" since `secrets.GUTENBERG_TOKEN` is empty. Switch to `pull_request_target` so the workflow runs in the context of the base repository with access to secrets. This is safe because the workflow only operates on already-merged commits. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add link to pull_request_target docs Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
labeledevent becausepull_requestevents from forks don't have access to repository secrets (GUTENBERG_TOKEN), causing the checkout step to fail withInput required and not supplied: token.pull_requesttopull_request_targetso the workflow runs in the context of the base repository with access to secrets.github.event.pull_request.merged == true).Fixes: https://github.com/WordPress/gutenberg/actions/runs/22221270711/job/64277381091
Test plan
Backport to WP 7.0 Beta/RClabel to a merged fork PR🤖 Generated with Claude Code