diff --git a/docs/astro.config.mjs b/docs/astro.config.mjs index 90bdc8ef9c9..929b9fa3a05 100644 --- a/docs/astro.config.mjs +++ b/docs/astro.config.mjs @@ -326,6 +326,7 @@ export default defineConfig({ { label: 'Triggers', link: '/reference/triggers/' }, { label: 'WASM Compilation', link: '/reference/wasm-compilation/' }, { label: 'Workflow Structure', link: '/reference/workflow-structure/' }, + { label: 'Fork Support', link: '/reference/fork-support/' }, ], }, { diff --git a/docs/src/content/docs/reference/fork-support.md b/docs/src/content/docs/reference/fork-support.md new file mode 100644 index 00000000000..397b59dea4b --- /dev/null +++ b/docs/src/content/docs/reference/fork-support.md @@ -0,0 +1,62 @@ +--- +title: Fork Support +description: How GitHub Agentic Workflows behaves in forked repositories and how to allow PRs from trusted forks. +sidebar: + order: 7 +--- + +GitHub Agentic Workflows has two distinct fork scenarios with different behaviors: **inbound pull requests from forks** and **running workflows inside a forked repository**. + +## Running workflows in a fork + +Agentic workflows do **not** run in forked repositories. When a workflow runs in a fork, all jobs skip automatically using the `if: ${{ !github.event.repository.fork }}` condition injected at compile time. + +This means: + +- Agent jobs are skipped — no AI execution occurs +- Maintenance and self-update jobs do not run +- No secrets from the upstream repository are available + +This is intentional. Forks lack the secrets and context required for agentic workflows to function correctly, and there is no safe way to run agents with partial configuration. + +> [!NOTE] +> To run agentic workflows in your own repository, fork the upstream repo and configure your own secrets — the workflows will then run in your copy of the repository, which is not a fork from GitHub Actions' perspective. + +## Inbound pull requests from forks + +When a pull request is opened from a fork to your repository, the default behavior is to **block the workflow from running** — the `pull_request` trigger includes a repository ID check that verifies the PR head branch comes from the same repository. + +To allow workflows to run for PRs from trusted fork repositories, use the `forks:` field: + +```aw wrap +--- +on: + pull_request: + types: [opened, synchronize] + forks: ["trusted-org/*"] +--- +``` + +### Fork patterns + +The `forks:` field accepts a string or a list of repository patterns: + +| Pattern | Matches | +|---|---| +| `"*"` | All forks (use with caution) | +| `"owner/*"` | All forks from a specific user or organization | +| `"owner/repo"` | A specific fork repository | + +```aw wrap +--- +on: + pull_request: + types: [opened, synchronize] + forks: + - "trusted-org/*" + - "partner/specific-fork" +--- +``` + +> [!WARNING] +> Allowing all forks (`"*"`) means any user who forks your repository can trigger agent execution. Workflows triggered from fork PRs run with the permissions configured in the workflow — review those permissions carefully before allowing untrusted forks.