GitHub Actions for Open Source Projects
- GitHub Actions Setup complete
- your repository accepts pull requests from forks
- reports from fork PRs uploading to Flakiness.io via a trusted workflow running in the base repository.
Why fork PRs are different
GitHub Actions does not expose repository secrets or OIDC tokens to workflows triggered by pull_request events from forks. This is a security measure — it prevents a malicious fork from printing your secrets to the workflow log.
As a result, the reporter running in the fork’s PR workflow has no way to authenticate uploads. You need a second, trusted workflow in the base repository that picks up the fork’s test results after the fact.
The two-workflow pattern
- The PR workflow runs tests and uploads the report folder as a GitHub artifact. No secrets needed.
- A trusted workflow in the base repository, triggered by workflow_run, downloads that artifact and uploads it to Flakiness.io using GitHub OIDC (the base-repo context has id-token: write access).
Step 1 — Save the report as an artifact
Add an upload-artifact step to your existing PR workflow:

```yaml
# ... your regular test steps ...
- name: Upload Flakiness report artifact (fork PRs only)
  if: always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork
  uses: actions/upload-artifact@v4
  with:
    name: flakiness-report-${{ github.job }}-${{ strategy.job-index }}
    path: flakiness-report/
    retention-days: 1
```

Step 2 — Create the upload workflow
Create a new workflow in the base repository. It runs with id-token: write, so OIDC covers the upload — the report must contain flakinessProject (set in your reporter config).
- Copy the YAML below into a new file at .github/workflows/flakiness-upload-fork-prs.yml in your base repository.
- Update the highlighted workflows: line to match the name(s) of your actual test workflow(s). The default is ["Tests"] — replace with whatever you use in your main test workflow’s name: field. Without this, the trigger will never fire.
```yaml
name: Upload Flakiness.io report (fork PRs)
on:
  workflow_run:
    # Must match the name(s) of workflows that produce flakiness-report artifacts
    workflows: ["Tests"]
    types: [completed]

jobs:
  upload-flakiness-report:
    runs-on: ubuntu-latest
    if: >-
      (github.event.workflow_run.conclusion == 'success' || github.event.workflow_run.conclusion == 'failure') &&
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.head_repository.full_name != github.event.workflow_run.repository.full_name
    permissions:
      actions: read
      contents: read
      id-token: write
    steps:
      - name: Install Flakiness CLI
        run: curl -LsSf https://cli.flakiness.io/install.sh | sh

      - name: Download flakiness-report artifacts
        env:
          GH_TOKEN: ${{ github.token }}
          RUN_ID: ${{ github.event.workflow_run.id }}
        run: gh run download "$RUN_ID" --repo "$GITHUB_REPOSITORY" --pattern 'flakiness-report-*' --dir .

      - name: Upload to Flakiness.io
        run: find . -path '*/flakiness-report-*/report.json' -exec flakiness upload {} \;
```
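A pre-upload check the trusted workflow could run between the download and upload steps, as an added example (not part of the Flakiness.io documentation or CLI): it treats the fork's artifact as untrusted data and passes only report.json files that are regular files, parse as JSON, and name the expected project. The top-level position of flakinessProject, the project slug my-org/my-project, the size cap, and the function names are assumptions.

```python
import json
import os
import tempfile

MAX_BYTES = 20 * 1024 * 1024  # assumed size cap, adjust to your reports


def check_report(path, expected_project):
    """Return None if the report is acceptable, else a rejection reason."""
    if os.path.islink(path) or not os.path.isfile(path):
        return "not a regular file"
    if os.lstat(path).st_size > MAX_BYTES:
        return "too large"
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return "not valid JSON"
    # Assumption: flakinessProject is a top-level key of report.json.
    if not isinstance(data, dict) or data.get("flakinessProject") != expected_project:
        return "unexpected flakinessProject"
    return None


def triage(root, expected_project):
    """Map each flakiness-report-* directory to None (upload) or a reason (skip)."""
    verdicts = {}
    for name in sorted(os.listdir(root)):
        art_dir = os.path.join(root, name)
        if name.startswith("flakiness-report-") and not os.path.islink(art_dir):
            path = os.path.join(art_dir, "report.json")
            verdicts[name] = check_report(path, expected_project)
    return verdicts


def demo():
    """Triage a constructed artifact tree (sample data, not real reports)."""
    root = tempfile.mkdtemp()
    samples = {
        "flakiness-report-test-0": '{"flakinessProject": "my-org/my-project"}',
        "flakiness-report-test-1": '{"flakinessProject": "someone-else/project"}',
        "flakiness-report-test-2": "{not json",
    }
    for name, body in samples.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "report.json"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return triage(root, "my-org/my-project")
```

In the workflow, only directories whose verdict is None would be handed to the upload step; the rest are logged and skipped.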