Unable to inject Context variables into workflow initiated from fork

I’m not sure where to post this topic, as it could be a bug, or simply my own misunderstanding.

This CircleCI blog post, “Triggering trusted CI jobs on untrusted forks | CircleCI”, ends with this snippet:

Something new to explore is CircleCI’s recent announcement of restricted contexts which includes the possibility of injecting secrets into a portion of the workflow graph, triggered by a manual approval step. That could be the foundation for a more convenient and flexible approach to letting reviewers trigger trusted builds.

Is this currently possible, or is the author alluding to a potential future enhancement?

I have a workflow that has:

  • Unrestricted jobs
  • Manual approval job
  • Job with restricted context

However, my job with a restricted context does not spin up with the context’s environment variables if initially triggered from a fork, even if the approver meets the restricted context’s requirements.

Any updates on this? I would like to use contexts for fork PRs but it doesn’t seem to be working at the moment.

Hi @Lalli and welcome to the CircleCI Discuss community!

Is the “Pass secrets to builds from forked pull requests” feature enabled in your project settings?

I encounter the same problem. “Pass secrets to builds from forked pull requests” is not set, as it will expose too many secrets (e.g. read-write deploy keys).

If I read the blog post “Using context with the Build pull requests from forked repositories” well, a manual approval step by an authorised user should expose the context to the workflow. However, this doesn’t seem to be the case.