Allow external pull requests to use secret variables from the forked repo

(I’ve merged this FR with a duplicate one with a better title)

As per above, IMO the fork author does trust the upstream code with their credentials – since they are the last person making changes to the codebase.

  • The sharing can also be made explicit so that the PR author knows of this fact
  • This also raises the question of what to do if someone else makes a contribution to the PR branch.
    • I’d say the secrets should only be shared if the last commit is by the PR’s author (if author and commiter are different, committer name should take precedence)
      • So if someone else wishes to add changes, they need to make a PR to their PR (this is possible by specifying the PR branch as the base branch when creating the nested PR) – which will only get to the original PR after the original author merges them, with their merge commit being the last one.
    • The secrets can also be provided – but from the upstream repo – if the additional commit is by an upstream developer – since this effectively makes the PR at this specific commit an internal one.