@Vlaaaaaaad discovered that in forked repositories, certain event handlers used within GitHub Actions would run on the parent repository. This allowed the researcher to access secrets associated with the parent repository, which otherwise should not have been available in the context of the forked repository. Upon learning about this issue, we immediately fixed the bug and thoroughly reviewed all event handlers for GitHub Actions which could operate on forked repositories. Additionally, we’re investigating ways to prevent data exposure of this type by reviewing our processes surrounding commit graphs, and increasing test coverage of the access controls.