Thanks for the follow-up here and good question. At the moment, as you noted, there isn’t a way to allow these forked PR’s to use the credentials without passing down the secrets.
We do have an open feature request here that may help semi-accomplish what you are speaking about:
However, I think more granular control of a specific context or environment variables would be better (i.e. being able to share a single context to Forked PR’s vs. sharing all open contexts and project secrets) – and we have an open feature request for that here:
I would recommend voting on the above requests and adding your specific comments on how this would help as our Product team references comments when implementing features.
With all the above said, if your concerns are around getting rate-limited on the Forked PR’s, I added some information on OSS projects at the bottom of our FAQ here:
It provides some information around when/how those limits could be reached and a sample bash script that helps with ‘falling back’ to credentials for builds from the organization while not using the crednetials on the Forked PR’s.
Hope the above helps clarify the current state of everything and please let me know if you need anything else!