When a GitHub Actions workflow uses GITHUB_TOKEN to create a pull request (via gh pr create or the API), no pull_request workflows trigger on the resulting PR. CI checks don't run, and the PR shows "no checks reported."
This is a deliberate GitHub restriction to prevent infinite recursive workflow loops. It applies to all events generated by GITHUB_TOKEN, not just PR creation — pushes, closes, reopens, label changes, and comments are all suppressed. The only exceptions are workflow_dispatch and repository_dispatch.
- self-update.yml — creates a PR to sync .github/scripts/ from the latest release. The PR is created but CI does not run on it.
- Any downstream repo using template-sync.yml — same pattern, same problem.
git commit from within a workflow produces unsigned commits. Repos with branch protection requiring verified signatures will reject these. The resume repo works around this by using the GitHub Git API (/git/blobs, /trees, /commits) to create commits server-side, which GitHub signs automatically. The self-update.yml workflow in this repo does not yet have this fix.
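The server-side commit sequence described above (blob, tree, commit, ref), as an added shell example that is not taken from the resume repo or from this repo's workflows. It assumes a recent gh CLI that supports nested `key[][sub]` fields, a token in GH_TOKEN, and a text file; the function name create_api_commit and the argument layout are hypothetical.

```shell
#!/bin/sh
# Added example (not the repo's workflow code). Assumptions: gh CLI on PATH,
# GH_TOKEN holds GITHUB_TOKEN or an App installation token, text-only file.
# Usage: api-commit.sh OWNER/REPO BASE_BRANCH NEW_BRANCH FILE "message"

# Creates one commit on top of BASE_BRANCH containing FILE (stored at the same
# relative path), points NEW_BRANCH at it, and prints the new commit SHA.
# The body runs in a subshell: variables stay local, `exit` leaves only the function.
create_api_commit() (
  repo=$1 base=$2 branch=$3 file=$4 message=$5

  # 1. Resolve the base branch tip and the tree it points to.
  parent=$(gh api "repos/$repo/git/ref/heads/$base" --jq '.object.sha') || exit 1
  base_tree=$(gh api "repos/$repo/git/commits/$parent" --jq '.tree.sha') || exit 1

  # 2. Upload the file content as a blob (-F content=@file reads the file).
  blob=$(gh api -X POST "repos/$repo/git/blobs" \
    -f encoding=utf-8 -F "content=@$file" --jq '.sha') || exit 1

  # 3. Build a tree that overlays the blob on the base tree.
  #    -f keeps the mode a string; -F would turn 100644 into a number.
  tree=$(gh api -X POST "repos/$repo/git/trees" \
    -f "base_tree=$base_tree" \
    -f "tree[][path]=$file" -f 'tree[][mode]=100644' \
    -f 'tree[][type]=blob' -f "tree[][sha]=$blob" --jq '.sha') || exit 1

  # 4. Create the commit. No author, committer or signature fields are sent:
  #    GitHub applies its own signature only when those are left out.
  commit=$(gh api -X POST "repos/$repo/git/commits" \
    -f "message=$message" -f "tree=$tree" -f "parents[]=$parent" \
    --jq '.sha') || exit 1

  # 5. Publish the commit as a new branch, ready for `gh pr create --head`.
  gh api -X POST "repos/$repo/git/refs" \
    -f "ref=refs/heads/$branch" -f "sha=$commit" >/dev/null || exit 1

  printf '%s\n' "$commit"
)

if [ "$#" -eq 5 ]; then
  create_api_commit "$@"
fi
```

Whether the resulting PR triggers CI still depends on which token is in GH_TOKEN; signing and workflow triggering are separate properties.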
| Approach | Triggers CI? | Signed commits? | Requires secrets? |
|---|---|---|---|
| GITHUB_TOKEN (current) | No | No | No |
| Close/reopen with GITHUB_TOKEN | No | N/A | No |
| Push empty commit with GITHUB_TOKEN | No | No | No |
| GitHub App (actions/create-github-app-token) | Yes | Yes | App ID + private key |
| Fine-grained PAT | Yes | Yes | PAT secret |
| workflow_dispatch to trigger CI separately | Indirect (not shown as PR check) | N/A | No |
| Manual "re-run checks" click | Yes | N/A | No |
Create an org-level GitHub App (NWarila Automation) with these permissions:
- Contents: Read & write
- Pull requests: Read & write
Install it on all repos. Store APP_ID and APP_PRIVATE_KEY as org-level secrets. Update workflows to generate tokens at runtime:
```yaml
- uses: actions/create-github-app-token@v2
  id: app-token
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}

# Use the token for git operations and PR creation
- name: Create PR
  env:
    GH_TOKEN: ${{ steps.app-token.outputs.token }}
  run: gh pr create ...
```

App tokens are not subject to the GITHUB_TOKEN suppression rule. PRs created with them will trigger CI normally, and commits created via the API with them will be signed.
PATs are tied to a personal account. If the account owner leaves an org or the PAT is revoked, all automation breaks. GitHub Apps are scoped to the installation, have fine-grained permissions, and produce auditable activity attributed to the App rather than a person.
Shelved — will implement when the GitHub App is created at the org level. Until then, CI must be triggered manually on workflow-created PRs (click "re-run checks" or push a commit to the branch).