Triggering CI
By default, pull requests created using the default GITHUB_TOKEN in GitHub Actions do not trigger CI workflow runs. This is a GitHub Actions feature to prevent event cascades.
This applies to both create-pull-request and push-to-pull-request-branch safe outputs.
Solution: Authorize triggering CI on PRs created by workflows
To trigger CI checks on PRs created by agentic workflows, configure a CI trigger token:
- Create a fine-grained PAT with Contents: Read & Write scoped to the relevant repositories where pull requests will be created.
- Add the PAT as a repository secret (e.g., GH_AW_CI_TRIGGER_TOKEN) using:

      gh aw secrets set GH_AW_CI_TRIGGER_TOKEN --value "<your-pat-token>"

- Reference it in your workflow:

      safe-outputs:
        create-pull-request:
          github-token-for-extra-empty-commit: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}

  or

      safe-outputs:
        push-to-pull-request-branch:
          github-token-for-extra-empty-commit: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}

When configured, the token will be used to push an extra empty commit to the PR branch after PR creation. This will trigger push and pull_request events normally.
You can also use the value app to authenticate via the GitHub App configured for the workflow:

    safe-outputs:
      create-pull-request:
        github-token-for-extra-empty-commit: app

Alternative: Full Token Override
If you want all PR operations to use a different token (not just the CI trigger), use the github-token field instead:

    safe-outputs:
      create-pull-request:
        github-token: ${{ secrets.CI_USER_PAT }}

This changes the author of the PR to the user or app associated with the token, and triggers CI directly. However, it grants more permissions than the empty commit approach.
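A check for the token fields described above, as an added example that is not part of the gh-aw project or its documentation: it scans a workflow's safe-outputs block, flags a token field that holds a literal value instead of a secrets reference, and notes where the full github-token override is used. The line-based parser, the severity labels and the sample workflow text are assumptions made for illustration; only the field names come from this page.

```python
import re

# Field and output names are the ones shown on this page.
CI_FIELD = "github-token-for-extra-empty-commit"
OVERRIDE_FIELD = "github-token"
OUTPUTS = ("create-pull-request", "push-to-pull-request-branch")
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.\w+\s*\}\}$")
KEY_LINE = re.compile(r"^(\s*)([\w-]+):\s*(.*)$")

# Constructed sample; the literal token is a placeholder, not a real credential.
SAMPLE = """\
safe-outputs:
  create-pull-request:
    github-token-for-extra-empty-commit: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
  push-to-pull-request-branch:
    github-token-for-extra-empty-commit: github_pat_CONSTRUCTED_PLACEHOLDER
    github-token: ${{ secrets.CI_USER_PAT }}
"""


def audit(text):
    """Return (line_no, severity, message) for token fields under safe-outputs."""
    findings, path = [], []  # path: stack of (indent, key) for enclosing mappings
    for no, raw in enumerate(text.splitlines(), 1):
        m = KEY_LINE.match(raw.split(" #", 1)[0].rstrip())
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).strip().strip("'\"")
        while path and path[-1][0] >= indent:
            path.pop()
        parents = [k for _, k in path]
        path.append((indent, key))
        if len(parents) != 2 or parents[0] != "safe-outputs" or parents[1] not in OUTPUTS:
            continue
        if key not in (CI_FIELD, OVERRIDE_FIELD):
            continue
        where = f"{parents[1]}.{key}"
        if key == CI_FIELD and value == "app":
            continue  # authenticates via the workflow's GitHub App (per this page)
        if not SECRET_REF.match(value):
            findings.append((no, "high", f"{where}: literal value, use a secrets reference"))
        elif key == OVERRIDE_FIELD:
            findings.append((no, "info", f"{where}: full override, broader than the empty-commit token"))
    return findings


if __name__ == "__main__":
    for no, severity, message in audit(SAMPLE):
        print(f"line {no}: [{severity}] {message}")
```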
See Also
- Authentication Reference — Token setup and permissions
- Safe Outputs Reference — Full safe outputs configuration