Currently, passing secrets to builds from forked pull requests is insecure as the forked PR may alter the CircleCI config files in order to reveal those secrets.

If we could specify a fixed branch (e.g. the main/master branch) from which the config files are loaded for forked PR builds, we could allow passing secrets to builds from forked pull requests without a malicious user being able to reveal our secrets.