🔔 Add CI trigger token support for PR and branch pushes #17803

Merged: dsyme merged 4 commits into main from tt on Feb 23, 2026

@dsyme commented Feb 23, 2026

Summary

  • Introduces GH_AW_CI_TRIGGER_TOKEN secret and github-ci-trigger-token safe output option to push an empty commit after PR creation or branch push, triggering CI events that GITHUB_TOKEN cannot trigger
  • Adds pushCITriggerCommit logic in create_pull_request.cjs and push_to_pull_request_branch.cjs, with support for explicit token, GitHub App token (app), or implicit secret fallback
  • Updates schema, compiler, Go config structs, and documentation (auth, safe-outputs, FAQ) to reflect the new token configuration and precedence rules

Copilot AI review requested due to automatic review settings February 23, 2026 00:57

Copilot AI left a comment

Pull request overview

Adds support for a dedicated CI-trigger token (GH_AW_CI_TRIGGER_TOKEN / github-ci-trigger-token) so PR creation and branch pushes can trigger downstream GitHub Actions workflows that would otherwise be suppressed when using GITHUB_TOKEN.

Changes:

  • Extends safe-output configs (Go structs + JSON schema) with github-ci-trigger-token and wires env injection for CI-trigger pushes.
  • Updates JS safe output handlers (create_pull_request, push_to_pull_request_branch) to attempt a CI-trigger empty commit after successful operations.
  • Updates documentation (auth, safe-outputs reference, FAQ) and propagates the new secret into various locked workflows.

Reviewed changes

Copilot reviewed 44 out of 44 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| pkg/workflow/push_to_pull_request_branch.go | Adds GithubCITriggerToken to push-to-PR-branch config and parses the new field. |
| pkg/workflow/create_pull_request.go | Adds GithubCITriggerToken to create-PR config and emits GH_AW_CI_TRIGGER_TOKEN env for the job. |
| pkg/workflow/compiler_safe_outputs_job.go | Adds job-level GH_AW_CI_TRIGGER_TOKEN env selection for consolidated safe outputs. |
| pkg/parser/schemas/main_workflow_schema.json | Adds github-ci-trigger-token to the workflow schema for create-PR and push-to-PR-branch. |
| docs/src/content/docs/reference/safe-outputs.md | Documents CI triggering behavior and configuration for safe outputs. |
| docs/src/content/docs/reference/faq.md | Adds recommended guidance for CI triggering using the new token mechanism. |
| docs/src/content/docs/reference/auth.mdx | Documents new GH_AW_CI_TRIGGER_TOKEN secret and precedence/options. |
| actions/setup/js/push_to_pull_request_branch.cjs | Calls pushCITriggerCommit after pushing changes (when changes exist). |
| actions/setup/js/create_pull_request.cjs | Calls pushCITriggerCommit after PR creation. |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/weekly-editors-health-check.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/unbloat-docs.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/ubuntu-image-analyzer.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/tidy.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/test-create-pr-error-handling.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/technical-doc-writer.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/smoke-project.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/smoke-multi-pr.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/smoke-claude.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/slide-deck-maintainer.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/refiner.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/q.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/poem-bot.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/mergefest.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/layout-spec-maintainer.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/jsweep.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/instructions-janitor.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/hourly-ci-cleaner.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/go-logger.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/glossary-maintainer.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/github-mcp-tools-report.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/functional-pragmatist.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/dictation-prompt.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/developer-docs-consolidator.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/daily-workflow-updater.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/daily-rendering-scripts-verifier.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/daily-doc-updater.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/craft.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/code-simplifier.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/code-scanning-fixer.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/cloclo.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/ci-coach.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
| .github/workflows/changeset.lock.yml | Exposes GH_AW_CI_TRIGGER_TOKEN from repo secrets to the workflow job env. |
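
A check for the exposure the file table above describes, as an added example that is not code from this PR or from gh-aw: it scans a workflow file for references to secrets.GH_AW_CI_TRIGGER_TOKEN and reports whether each one sits at workflow, job or step level. The function name, the `${{ secrets.… }}` env form and the sample workflow are assumptions constructed for illustration.

```javascript
// Added example (not gh-aw code): locate references to the CI-trigger secret and
// classify them as workflow, job or step scope. Assumes block-style YAML.
const SECRET = "GH_AW_CI_TRIGGER_TOKEN";

function findSecretExposure(yamlText, secret = SECRET) {
  const ref = new RegExp(`secrets\\.${secret}\\b`);
  const findings = [];
  let inJobs = false, jobIndent = -1, job = null, keyIndent = -1, section = null;
  yamlText.split("\n").forEach((raw, i) => {
    const line = raw.replace(/(^|\s)#.*$/, "");       // drop YAML comments
    if (!line.trim()) return;
    const indent = line.search(/\S/);
    const key = (line.match(/^\s*([A-Za-z0-9_-]+):/) || [])[1];
    if (indent === 0 && key) {                        // top-level key
      inJobs = key === "jobs"; job = null; jobIndent = -1; section = key;
    } else if (inJobs && indent > 0) {
      if (jobIndent < 0) jobIndent = indent;          // first job fixes the job indent
      if (indent === jobIndent && key) { job = key; keyIndent = -1; section = null; }
      else if (job) {
        if (keyIndent < 0) keyIndent = indent;        // indent of runs-on/env/steps
        if (indent === keyIndent && key) section = key;
      }
    }
    if (ref.test(line)) {
      const scope = !inJobs ? "workflow" : section === "steps" ? "step" : "job";
      findings.push({ job, scope, line: i + 1 });
    }
  });
  return findings;
}

// Constructed sample workflow (not one of the repository's lock files).
const SAMPLE = [
  "on: workflow_dispatch",
  "jobs:",
  "  safe_outputs:",
  "    runs-on: ubuntu-latest",
  "    env:",
  "      GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}",
  "    steps:",
  "      - run: node create_pull_request.cjs",
  "  narrow:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - run: node push_to_pull_request_branch.cjs",
  "        env:",
  "          GH_AW_CI_TRIGGER_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}",
].join("\n");
console.log(findSecretExposure(SAMPLE));
```

A job-scoped finding means every step in that job, including third-party actions, can read the token; a step-scoped mapping limits it to the one step that performs the push.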

@github-actions

Hey @dsyme 👋 — thanks for working on the CI trigger token feature! This is a valuable enhancement that addresses a real pain point with GITHUB_TOKEN limitations in Actions.

However, this PR violates the contribution process outlined in CONTRIBUTING.md:

🚫 Traditional Pull Requests Are Not Enabled

From CONTRIBUTING.md:

Traditional pull requests are not enabled - contributors craft agentic plans instead
You don't create PRs - you create issues with plans that agents implement

The correct workflow is:

  1. ✅ You create an issue with a detailed agentic plan (you did this: Add a github-ci-trogger-token: option to trigger CI on create-pull-request and push-to-pull-request-branch #17800)
  2. ✅ A maintainer assigns the issue to GitHub Copilot Agent (not to you)
  3. The agent creates the PR (not you manually)
  4. The agent implements the plan and handles all technical details

Additional Issues:

  • Missing tests — the new ci_trigger_commit.cjs module, schema changes, and Go integration lack test coverage. The project uses make agent-finish to validate changes including tests.
  • Process bypass — by creating the PR yourself, you've bypassed the agentic workflow that this project requires and demonstrates.

What to do:

The issue #17800 contains a good foundation, but it needs a more detailed implementation plan for the agent to execute. I recommend:

  1. Close this PR
  2. Enhance issue Add a github-ci-trogger-token: option to trigger CI on create-pull-request and push-to-pull-request-branch #17800 with a complete step-by-step agentic plan (see the example in CONTRIBUTING.md)
  3. Wait for a maintainer to assign the issue to GitHub Copilot Agent
  4. Let the agent create and implement the PR

Thanks for understanding — this process helps maintain consistency and demonstrates the agentic workflow approach that gh-aw is built on! 🤖

Generated by Contribution Check

@dsyme merged commit b7d219a into main Feb 23, 2026
46 checks passed
@dsyme deleted the tt branch February 23, 2026 01:44