Skip to content
GitHub Agentic Workflows

Triggering CI

By default, pull requests created using the default GITHUB_TOKEN in GitHub Actions do not trigger CI workflow runs. This is a GitHub Actions feature to prevent event cascades.

This applies to both create-pull-request and push-to-pull-request-branch safe outputs.

Creating a CI trigger token for agentic workflows

Solution: Authorize triggering CI on PRs created by workflows

Section titled “Solution: Authorize triggering CI on PRs created by workflows”

To trigger CI checks on PRs created by agentic workflows, configure additional authentication for the PR creation safe outputs.

Using a Personal Access Token (PAT):

  1. Create a fine-grained PAT with Contents: Read & Write scoped to the relevant repositories where pull requests will be created.

  2. Add the PAT as a repository secret (e.g., MY_CI_TRIGGER_PAT) using

    Terminal window
    gh aw secrets set MY_CI_TRIGGER_PAT --value "<your-pat-token>"

  3. Reference it in your workflow:

    safe-outputs:
      create-pull-request:
        github-token-for-extra-empty-commit: ${{ secrets.MY_CI_TRIGGER_PAT }}

    or

    safe-outputs:
      push-to-pull-request-branch:
        github-token-for-extra-empty-commit: ${{ secrets.MY_CI_TRIGGER_PAT }}

When configured, the token will be used to push an extra empty commit to the PR branch after PR creation. This will trigger push and pull_request events normally.

Using a GitHub App:

You can also use app to authenticate via the GitHub App configured for the workflow.

safe-outputs:
  create-pull-request:
    github-token-for-extra-empty-commit: app

Using a magic secret:

Alternatively, you can set the magic secret GH_AW_CI_TRIGGER_TOKEN to a suitable PAT (see the above guide for creating one). This secret name is known to GitHub Agentic Workflows and does not need to be explicitly referenced in your workflow.

Alternative: Full Token Override

Section titled “Alternative: Full Token Override”

If you want all PR operations to use a different token (not just the CI trigger), use the github-token field instead:

safe-outputs:
  create-pull-request:
    github-token: ${{ secrets.CI_USER_PAT }}

This changes the author of the PR to the user or app associated with the token, and triggers CI directly. However, it grants more permissions than the empty commit approach.

See Also

Section titled “See Also”
Community Feedback

Made with by GitHub Next & Microsoft Research Terms Privacy Security