Trust model
ironrun inspects the GitHub Actions event context and decides automatically whether to inject secrets:
Fork PRs are blocked because GitHub Actions exposes repository secrets to jobs triggered by
pull_request from the same repo but not from forks. ironrun enforces the same boundary at the command level, ensuring a fork-authored workflow file cannot be modified to exfiltrate credentials.
Using the GitHub Action step
Thegeneralized-labs/ironrun@v0 action installs ironrun and runs a policy command in one step. Add it to any job:
Inputs
Outputs
Using outputs in later steps
Using the binary directly
If you prefer to install ironrun yourself and run it in a plainrun step, use go install:
ironrun.yml policy is read from the repository root by default.
Full workflow example
No special CI configuration is needed to enable the fork-PR protection. ironrun reads GitHub’s event context automatically and blocks untrusted runs with
ErrCIUntrusted. The protection is on by default.