In the test runner I have this:

const cypressAction = args['--open'] ? cypress.open : cypress.run
const firstCypress = cypressAction({
  configFile: process.argv[2],
  env: {
    CF_SECRET: process.argv[4]
  },
}).then((results) => {
  console.log('First Cypress has finished')
  return results
})

// delay starting the second Cypress instance
// to avoid XVFB race condition
const secondCypress = wait(5000).then(() => {
  console.log('starting the second Cypress')
  return cypressAction({
    configFile: process.argv[3],
    env: {
      CF_SECRET: process.argv[4]
    },
  })
})

And then in the GitHub .yaml file I have this, which I thought would be passing CF_SECRET to the test runner as the 4th parameter:

npm run ${{ matrix.test }} cypress-dev-user1TipChatNotice.config.js cypress-dev-user2TipChatNotice.config.js ${{ secrets.GHA_CF_SERVICE_ACCESS_TOKEN }}

Also, tried this: removed from test runner:

env: {
      CF_SECRET: process.argv[4]
    },

and in .yaml in Gitghub have this:

CYPRESS_CF_SECRET=${{ secrets.GHA_CF_SERVICE_ACCESS_TOKEN }} 
 npm run ${{ matrix.test }} cypress-dev-user1TipChatNotice.config.js cypress-dev-user2TipChatNotice.config.js

I also upgraded to 10.3.0 and now the certification error is gone but in both ways above I am getting a cross-origin error for https://google.com. Am I supposed to use` cy.origin` somewhere when I am trying to bypass the cloudflare authorization?