diff --git a/docs/src/content/docs/reference/frontmatter-full.md b/docs/src/content/docs/reference/frontmatter-full.md index 72c54de1a6..c88f5c35f0 100644 --- a/docs/src/content/docs/reference/frontmatter-full.md +++ b/docs/src/content/docs/reference/frontmatter-full.md @@ -682,6 +682,34 @@ on: # (optional) status-comment: true + # Custom GitHub token to use for pre-activation reactions and activation status + # comments. When specified, overrides the default GITHUB_TOKEN for these operations. + # (optional) + github-token: "${{ secrets.MY_GITHUB_TOKEN }}" + + # GitHub App configuration for minting a token used in pre-activation reactions + # and activation status comments. When configured, a GitHub App installation + # access token is minted and used instead of the default GITHUB_TOKEN. + # (optional) + github-app: + # GitHub App ID (e.g., '${{ vars.APP_ID }}'). Required to mint a GitHub App token. + app-id: "${{ vars.APP_ID }}" + + # GitHub App private key (e.g., '${{ secrets.APP_PRIVATE_KEY }}'). Required to + # mint a GitHub App token. + private-key: "${{ secrets.APP_PRIVATE_KEY }}" + + # Optional owner of the GitHub App installation (defaults to current repository + # owner if not specified) + # (optional) + owner: "example-value" + + # Optional list of repositories to grant access to (defaults to current repository + # if not specified) + # (optional) + repositories: [] + # Array of strings + # GitHub token permissions for the workflow. Controls what the GITHUB_TOKEN can # access during execution. Use the principle of least privilege - only grant the # minimum permissions needed. diff --git a/docs/src/content/docs/reference/frontmatter.md b/docs/src/content/docs/reference/frontmatter.md index 629536eeac..56e7b53e69 100644 --- a/docs/src/content/docs/reference/frontmatter.md +++ b/docs/src/content/docs/reference/frontmatter.md 
@@ -35,6 +35,8 @@ The `on:` section uses standard GitHub Actions syntax to define workflow trigger - `forks:` - Configure fork filtering for pull_request triggers - `skip-roles:` - Skip workflow execution for specific repository roles - `skip-bots:` - Skip workflow execution for specific GitHub actors +- `github-token:` - Custom token for activation job reactions and status comments +- `github-app:` - GitHub App for minting a short-lived token used by the activation job See [Trigger Events](/gh-aw/reference/triggers/) for complete documentation. diff --git a/docs/src/content/docs/reference/triggers.md b/docs/src/content/docs/reference/triggers.md index bb9b0b7924..b6450f9b20 100644 --- a/docs/src/content/docs/reference/triggers.md +++ b/docs/src/content/docs/reference/triggers.md 
@@ -318,6 +318,37 @@ The reaction is added to the triggering item. For issues/PRs, a comment with the **Available reactions:** `+1` 👍, `-1` 👎, `laugh` 😄, `confused` 😕, `heart` ❤️, `hooray` 🎉, `rocket` 🚀, `eyes` 👀 +### Activation Token (`on.github-token:`, `on.github-app:`) + +Configure a custom GitHub token or GitHub App for the activation job. The activation job posts the initial reaction and status comment on the triggering item. By default it uses the workflow's `GITHUB_TOKEN`. + +Use `github-token:` to supply a PAT or custom token: + +```yaml wrap +on: + issues: + types: [opened] + reaction: "eyes" + github-token: ${{ secrets.MY_TOKEN }} +``` + +Use `github-app:` to mint a short-lived installation token instead: + +```yaml wrap +on: + issues: + types: [opened] + reaction: "rocket" + github-app: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_KEY }} +``` + +The `github-app` object accepts the same fields as the GitHub App configuration used elsewhere in the framework (`app-id`, `private-key`, and optionally `owner` and `repositories`). The token is minted once for the activation job and covers both the reaction step and the status comment step. + +> [!NOTE] +> `github-token` and `github-app` affect only the activation job. For the agent job, configure tokens via `tools.github.github-token`/`tools.github.github-app` or `safe-outputs.github-token`/`safe-outputs.github-app`. See [Authentication](/gh-aw/reference/auth/) for a full overview. + ### Stop After Configuration (`stop-after:`) Automatically disable workflow triggering after a deadline to control costs.
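Review bot: In the `frontmatter-full.md` hunk, the new `github-token:` / `github-app:` entries do not say what happens when both are set, nor which minimum permissions the custom token must carry for the reaction and status-comment operations; since the very next block in the same file tells readers to "use the principle of least privilege", the new entries should state the required scope so a reader can size a PAT or App installation accordingly rather than reusing a broad token. Two smaller points in the same hunk: `owner: "example-value"` is a placeholder where a concrete form (an org or user login) would help, and the `# Array of strings` type hint sits below `repositories: []` while every other hint in the block precedes its key; suggest moving it above and adding that listing only the repositories the activation job must comment on keeps the minted token narrowly scoped.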
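Review bot: In the `triggers.md` hunk, the example secret names diverge from the full reference added in the same patch: the examples use `secrets.MY_TOKEN` and `secrets.APP_KEY`, while `frontmatter-full.md` uses `secrets.MY_GITHUB_TOKEN` and `secrets.APP_PRIVATE_KEY`, and the full reference quotes the expression values where these examples leave them bare. Pick one set of names and one quoting style across both pages so users copying from either get a consistent result. The NOTE block also scopes the setting to the activation job but leaves open the precedence when `github-token` and `github-app` are both present and what the status comment and reaction look like (which identity they are attributed to) when a PAT rather than the default token is used; one sentence on each would make the "Activation Token" section complete.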