GHA workflows don't show 'Approve and run' button for fork PRs

[jaredlockhart]

Problem

When external contributors submit PRs from forks, the GitHub Actions workflows don't show the "Approve and run" button that repo maintainers need to click to allow the workflows to run. This means fork PRs get no CI feedback.

Investigation needed

1. Check the repo's Actions settings under Settings > Actions > General > "Fork pull request workflows from outside collaborators" — it should be set to "Require approval for first-time contributors" or "Require approval for all outside collaborators"
2. The setup-cached-build composite action requires GCP secrets (GCPV2_WORKLOAD_IDENTITY_POOL_PROJECT_NUMBER) via vars.* — these aren't available to fork PRs. The workflow may need a fallback path that skips caching when secrets aren't available.
3. Consider whether pull_request_target is needed instead of pull_request for some workflows — pull_request_target runs in the context of the base branch and has access to secrets, but requires careful handling to avoid security issues.

Affected workflows

All GHA workflows that use setup-cached-build:

• check-experimenter.yml
• check-cirrus.yml
• check-feature-manifests.yml
• check-schemas.yml
• integration-nimbus-ui.yml (new)
• integration-remote-settings-launch.yml (new)
• integration-remote-settings-all.yml (new)
• integration-desktop-enrollment.yml (new)
• integration-desktop-targeting.yml (new)

Related

Part of the CircleCI to GHA migration (EXP-6320). CircleCI handled fork PRs automatically.

┆Issue is synchronized with this Jira Task

[jaredlockhart]

Finding

Per GitHub community discussion #119459, the "Approve and run" button only appears for workflows triggered by pull_request, not push. Since fork PRs don't create a push event on the upstream repo, workflows with only on: push won't run at all.

Our workflows already have both push and pull_request triggers, so the button should appear. The issue is likely one of:

1. Repo Actions setting — Settings → Actions → General → "Fork pull request workflows from outside collaborators" may need to be set to "Require approval for first-time contributors" instead of a more restrictive option.

2. Organization-level override — The mozilla org may enforce an Actions policy at the org level that overrides repo settings. Check org settings.

3. The setup-cached-build action needs GCP secrets — vars.GCPV2_WORKLOAD_IDENTITY_POOL_PROJECT_NUMBER isn't available to fork PRs. The composite action may need a fallback path that skips caching when secrets are unavailable, so the workflow doesn't fail immediately on fork PRs.

Action needed: A repo admin should check the repo and org Actions settings for fork workflow approval policies.

Sources:

• GitHub Docs: Approving workflow runs from forks
• GitHub Docs: Managing Actions settings
• Discussion #119459: No "Approve and run" button