Skip to content

GH_AW_CI_TRIGGER_TOKEN should be used to push at most one extra commit #18137

New issue
New issue
Closed
Closed
GH_AW_CI_TRIGGER_TOKEN should be used to push at most one extra commit#18137
Assignees
dsyme
Labels
bugSomething isn't workingsecurityworkflows
@dsyme

Description

@dsyme
dsyme
opened on Feb 24, 2026

We recently added the ability to set GH_AW_CI_TRIGGER magic secret to allow CI to be triggered.

This had the side effect that scripts can now modify workflow directories on the PR branches

https://github.com/fsprojects/FSharp.Formatting/actions/runs/22350097619/job/64676104851

It's a useful enable (and was alrady possible via GH_AW_GITHUB_TOKEN, which we will remove) but we would need to be intentional about it, so should be restricted for now.

This line must be executed with the CI_TRIGGER token permissions: https://github.com/fsprojects/FSharp.Formatting/actions/runs/22350097619/job/64676104851#step:8:80

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingsecurityworkflows

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions