I'm admin for a source repo for an Antora-based documentation site. I have a workflow that, when a PR is created or upon a push to the PR, builds the site and pushes it to the gh-pages branch, so you can see what the site looks like with the changes from the PR, before merging it to main. This works fine so long as contributions are made by someone with write access to the repo.

But when someone submits a PR from a fork of the repo, the workflow builds the site just fine, but it fails to commit to the gh-pages branch because the fork doesn't have the correct permissions. Here's the error message from the GitHub action log:

...
Commit successful. Pushing changes.
remote: Permission to example-org/example-docs.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/example-org/example-docs/': The requested URL returned error: 403
Error: Process completed with exit code 128.

A failed workflow, and the code of the workflow file, is here: https://github.com/starknet-io/starknet-docs/actions/runs/7885678276/workflow

We thought we had a fix with this PR: https://github.com/starknet-io/starknet-docs/pull/1097/files

But this introduced a security vulnerability that enabled a user to view the repo's secrets.

This vulnerability is mentioned here: How to pass a secret from a forked github repo to source repo

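The underlying mechanism is that a workflow triggered by `pull_request` from a fork runs with a read-only GITHUB_TOKEN and no repository secrets, so it can build the site but cannot push to gh-pages; the usual way a "fix" leaks secrets is to switch the trigger to `pull_request_target` (which runs with write access and secrets) while still checking out and executing the fork's code. The following pair of workflows is an added example of the split pattern GitHub recommends for this case; it is not the starknet-docs repository's own workflow. The untrusted `pull_request` job builds the site and uploads it as an artifact; a separate `workflow_run` job in the base repository, which has write access, downloads only the built HTML and publishes it to gh-pages without ever checking out fork code. The playbook file name (`antora-playbook.yml`), the npm-based build, the `pr-<number>/` output layout and the artifact names are assumptions for the example.

```yaml
# --- .github/workflows/pr-build.yml ---
# Runs in the pull request's (possibly forked) context: read-only token, no secrets.
# It only builds; it never needs write access, so a 403 on push cannot occur here.
name: PR build
on:
  pull_request:

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # Assumed playbook name; adjust to the repository's actual Antora playbook.
      - run: npx antora antora-playbook.yml
      # Record which PR this build belongs to. The deploy job treats this value
      # as untrusted input and validates it before use.
      - run: mkdir -p meta && echo "${{ github.event.pull_request.number }}" > meta/PR_NUMBER
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: build/site
      - uses: actions/upload-artifact@v4
        with:
          name: pr-number
          path: meta

# --- .github/workflows/pr-preview.yml ---
# Runs in the base repository's context after "PR build" finishes. It has
# contents: write and therefore secrets, so it must never check out or execute
# anything from the PR head; it only copies the already-built HTML artifact.
name: PR preview deploy
on:
  workflow_run:
    workflows: ["PR build"]
    types: [completed]

permissions:
  contents: write

jobs:
  deploy:
    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: site
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - uses: actions/download-artifact@v4
        with:
          name: pr-number
          path: meta
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - name: Validate the PR number produced by the untrusted build
        id: pr
        run: |
          n=$(tr -d '[:space:]' < meta/PR_NUMBER)
          # Accept digits only so the value cannot carry a path or shell payload.
          case "$n" in ''|*[!0-9]*) echo "invalid PR number: '$n'"; exit 1 ;; esac
          echo "number=$n" >> "$GITHUB_OUTPUT"
      # Check out the base repo's gh-pages branch (trusted), not the PR head.
      - uses: actions/checkout@v4
        with:
          ref: gh-pages
          path: gh-pages
      - name: Publish the preview under pr-<number>/
        env:
          PR_NUMBER: ${{ steps.pr.outputs.number }}
        run: |
          dest="gh-pages/pr-${PR_NUMBER}"
          rm -rf "$dest" && mkdir -p "$dest" && cp -R site/. "$dest"/
          cd gh-pages
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add -A
          # Nothing to commit is not an error (e.g. a re-run with identical output).
          git commit -m "Preview for PR #${PR_NUMBER}" || exit 0
          git push
```

Two points worth checking before adopting this: the deploy job's `if:` restricts it to successful runs that were triggered by a pull request, so a malicious fork cannot cause a deploy by other events; and because the PR number is the only data from the untrusted side that reaches a shell command, it is validated as digits and passed through an environment variable rather than interpolated directly into the script. Note that the preview still serves HTML authored in the fork from the organisation's GitHub Pages origin, which is the same exposure the original gh-pages preview had; the pattern above removes the secret and write-token exposure, not that one.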