Describe the bug
The UI Development Kit AWS deployment workflow runs on every pull_request, but the job depends on AWS credentials and multiple repository secrets (JWT_SECRET, TENANT_URL, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, OAUTH_SCOPES, AWS_ROLE_ARN).
Evidence
File: .github/workflows/aws-deploy.yml
The workflow is triggered by:
    on:
      pull_request:
        branches:
          - main
The deploy and cleanup jobs use AWS credential configuration and several secrets.* values.
GitHub's documentation says that, with the exception of GITHUB_TOKEN, secrets are not passed to workflows triggered from forked repositories.
Expected behavior
Either:
- forked pull requests should be excluded from the preview deployment path, or
- the workflow should be split so contributor-safe validation runs separately from privileged deployment.
Actual behavior
The preview deployment workflow is configured to run in PR contexts where the required secrets are not
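The two options listed under "Expected behavior", combined in one workflow, as an added example that is not the repository's actual aws-deploy.yml. The `validate` job, the build and deploy commands, the region, and the use of OIDC role assumption are assumptions; only the trigger, the `deploy` job name and the secret names come from the report.

```yaml
# Constructed example: contributor-safe validation split from privileged deployment.
name: PR checks and preview          # hypothetical workflow name

on:
  pull_request:
    branches:
      - main

# Default to a read-only token for every job.
permissions:
  contents: read

jobs:
  # Uses no secrets.* values, so it behaves the same for fork and same-repo PRs.
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test      # assumed build/test commands

  # Privileged path: skipped when the PR head lives in a fork, where every
  # secret except GITHUB_TOKEN would be empty and the job would fail.
  deploy:
    needs: validate
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      id-token: write                # assumed: role is assumed via OIDC
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1      # placeholder region
      - run: ./scripts/deploy-preview.sh   # hypothetical deploy script
        env:
          JWT_SECRET: ${{ secrets.JWT_SECRET }}
          TENANT_URL: ${{ secrets.TENANT_URL }}
          CLIENT_ID: ${{ secrets.CLIENT_ID }}
          CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
          REDIRECT_URI: ${{ secrets.REDIRECT_URI }}
          OAUTH_SCOPES: ${{ secrets.OAUTH_SCOPES }}
```

The same `if:` condition applies to any other job that reads `secrets.*`, such as the cleanup job the report mentions.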