Commit bd85fe2

repo sync
2 parents 1b05af7 + 31e9e4c commit bd85fe2

4 files changed

Lines changed: 5 additions & 16 deletions

content/actions/reference/encrypted-secrets.md

Lines changed: 1 addition & 1 deletion
@@ -118,7 +118,7 @@ You can check which access policies are being applied to a secret in your organi
118118

119119
### Using encrypted secrets in a workflow
120120

121-
With the exception of `GITHUB_TOKEN`, secrets are not passed to the runner when a workflow is triggered from a forked repository.
121+
{% data reusables.actions.forked-secrets %}
122122

123123
To provide an action with a secret as an input or environment variable, you can use the `secrets` context to access secrets you've created in your repository. For more information, see "[Context and expression syntax for {% data variables.product.prodname_actions %}](/actions/reference/context-and-expression-syntax-for-github-actions)" and "[Workflow syntax for {% data variables.product.prodname_actions %}](/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions)."
124124
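Review bot: The substituted reusable at new line 121 states without qualification that secrets are not passed to the runner from a forked repository, yet the `pull_request_target` event edited elsewhere in this same commit does receive secrets when triggered from a fork. Because this sentence now opens the "Using encrypted secrets in a workflow" section, consider following the `{% data reusables.actions.forked-secrets %}` line with a short cross-reference to the `pull_request_target` warning in the events reference so readers do not take the exception as absolute.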

content/actions/reference/events-that-trigger-workflows.md

Lines changed: 2 additions & 14 deletions
@@ -530,12 +530,6 @@ on:
530530
types: [assigned, opened, synchronize, reopened]
531531
```
532532

533-
{% note %}
534-
535-
**Note:** In order to protect public repositories from malicious users, all pull request workflows raised from repository forks run with a read-only token and no access to secrets.
536-
537-
{% endnote %}
538-
539533
{% data reusables.developer-site.pull_request_forked_repos_link %}
540534

541535
#### `pull_request_review`
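Review bot: Deleting the `{% note %}` block at old lines 533 to 538 removes the only inline statement in the `pull_request` section that forked pull requests run with a read-only token and no access to secrets, so the section now relies entirely on `{% data reusables.developer-site.pull_request_forked_repos_link %}` to carry that point. That is acceptable only because the change to `pull_request_forked_repos_link.md` in this same commit makes the reusable state the read-only token and the secrets restriction inline; the deleted rationale "to protect public repositories from malicious users" is lost entirely, so consider keeping one sentence of it in the reusable.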
@@ -582,17 +576,11 @@ on:
582576

583577
#### `pull_request_target`
584578

585-
{% warning %}
586-
587-
**Warning:** The `pull_request_target` event is granted a read/write repository token and access to secrets, even from a fork. (The `pull_request` event does not grant read/write or secret access from a repository fork.) Do not check out and build or run untrusted code from pull request with this event.
588-
589-
{% endwarning %}
590-
591-
This event runs in the context of the base repository of the pull request, rather than in the merge commit as `pull_request` does. This is by design to prevent you from executing unsafe code that could alter your repository or steal any secrets you use in your workflow. For example, this event allows you to create workflows that label and comment on pull requests, based on the contents of the event payload.
579+
This event runs in the context of the base of the pull request, rather than in the merge commit as the `pull_request` event does. This prevents executing unsafe workflow code from the head of the pull request that could alter your repository or steal any secrets you use in your workflow. This event allows you to do things like create workflows that label and comment on pull requests based on the contents of the event payload.
592580

593581
{% warning %}
594582

595-
**Warning**: When using the `pull_request_target` event, be aware that it runs in the context of the base repository. This means that the `GITHUB_TOKEN` has write access to the repository, and the cache shares the same scope as the base branch. As a result, do not run untrusted code in the same context, as there is a risk that it may access sensitive information and unexpectedly manipulate the workflow environment. In addition, to help prevent cache poisoning, do not save the cache if there is a possibility that the cache contents were altered.
583+
**Warning:** The `pull_request_target` event is granted a read/write repository token and can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch, and to help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered.
596584

597585
{% endwarning %}
598586
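Review bot: The consolidated warning at new line 583 softens the original imperative "Do not check out and build or run untrusted code" (old line 587) into "you should make sure that you do not check out, build, or run untrusted code"; for a security warning the direct imperative is clearer, so suggest restoring it. Two details of the deleted text are also gone: that `GITHUB_TOKEN` specifically has write access to the repository (old line 595; the new text says only "read/write repository token"), and the explicit contrast that `pull_request` grants neither write nor secret access from a fork (old line 587). New line 579 is an improvement in that it names "the head of the pull request" as the source of unsafe code.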

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
With the exception of `GITHUB_TOKEN`, secrets are not passed to the runner when a workflow is triggered from a forked repository.
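Review bot: This new reusable carries no qualifier for `pull_request_target`, which according to the events reference in this same commit does receive secrets when triggered from a fork, so the sentence reads as absolute where it is not. Suggest "when a workflow is triggered by a pull request from a forked repository" or an explicit exception for `pull_request_target`, especially since the reusable is now included in two pages.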

data/reusables/developer-site/pull_request_forked_repos_link.md

Lines changed: 1 addition & 1 deletion
@@ -10,4 +10,4 @@ When you create a pull request from a forked repository to the base repository,
1010

1111
Workflows don't run on forked repositories by default. You must enable GitHub Actions in the **Actions** tab of the forked repository.
1212

13-
The permissions for the `GITHUB_TOKEN` in forked repositories is read-only. For more information, see "[Authenticating with the GITHUB_TOKEN](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)."
13+
{% data reusables.actions.forked-secrets %} The permissions for the `GITHUB_TOKEN` in forked repositories is read-only. For more information, see "[Authenticating with the GITHUB_TOKEN](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)."
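Review bot: At new line 13 the retained sentence "The permissions for the `GITHUB_TOKEN` in forked repositories is read-only" has a subject-verb agreement error ("permissions ... is"); since the line is being rewritten anyway, change it to "The permissions for the `GITHUB_TOKEN` in forked repositories are read-only". Placing the reusable and the existing sentence on the same line makes them render as one paragraph, which looks intended but is worth confirming in the preview.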
