[docs] Update documentation for on.github-token and on.github-app fields from 2026-03-04

docs/src/content/docs/reference/frontmatter-full.md

@@ -682,6 +682,34 @@ on:
   # (optional)
   status-comment: true
 
+  # Custom GitHub token to use for pre-activation reactions and activation status
+  # comments. When specified, overrides the default GITHUB_TOKEN for these operations.
+  # (optional)
+  github-token: "${{ secrets.MY_GITHUB_TOKEN }}"
+
+  # GitHub App configuration for minting a token used in pre-activation reactions
+  # and activation status comments. When configured, a GitHub App installation
+  # access token is minted and used instead of the default GITHUB_TOKEN.
+  # (optional)
+  github-app:
+    # GitHub App ID (e.g., '${{ vars.APP_ID }}'). Required to mint a GitHub App token.
+    app-id: "${{ vars.APP_ID }}"
+
+    # GitHub App private key (e.g., '${{ secrets.APP_PRIVATE_KEY }}'). Required to
+    # mint a GitHub App token.
+    private-key: "${{ secrets.APP_PRIVATE_KEY }}"
+
+    # Optional owner of the GitHub App installation (defaults to current repository
+    # owner if not specified)
+    # (optional)
+    owner: "example-value"
+
+    # Optional list of repositories to grant access to (defaults to current repository
+    # if not specified)
+    # (optional)
+    repositories: []
+      # Array of strings
+
 # GitHub token permissions for the workflow. Controls what the GITHUB_TOKEN can
 # access during execution. Use the principle of least privilege - only grant the
 # minimum permissions needed.

docs/src/content/docs/reference/frontmatter.md

@@ -35,6 +35,8 @@ The `on:` section uses standard GitHub Actions syntax to define workflow trigger
 - `forks:` - Configure fork filtering for pull_request triggers
 - `skip-roles:` - Skip workflow execution for specific repository roles
 - `skip-bots:` - Skip workflow execution for specific GitHub actors
+- `github-token:` - Custom token for activation job reactions and status comments
+- `github-app:` - GitHub App for minting a short-lived token used by the activation job
 
 See [Trigger Events](/gh-aw/reference/triggers/) for complete documentation.
 

docs/src/content/docs/reference/triggers.md

@@ -318,6 +318,37 @@ The reaction is added to the triggering item. For issues/PRs, a comment with the
 
 **Available reactions:** `+1` 👍, `-1` 👎, `laugh` 😄, `confused` 😕, `heart` ❤️, `hooray` 🎉, `rocket` 🚀, `eyes` 👀
 
+### Activation Token (`on.github-token:`, `on.github-app:`)
+
+Configure a custom GitHub token or GitHub App for the activation job. The activation job posts the initial reaction and status comment on the triggering item. By default it uses the workflow's `GITHUB_TOKEN`.
+
+Use `github-token:` to supply a PAT or custom token:
+
+```yaml wrap
+on:
+  issues:
+    types: [opened]
+  reaction: "eyes"
+  github-token: ${{ secrets.MY_TOKEN }}
+```
+
+Use `github-app:` to mint a short-lived installation token instead:
+
+```yaml wrap
+on:
+  issues:
+    types: [opened]
+  reaction: "rocket"
+  github-app:
+    app-id: ${{ vars.APP_ID }}
+    private-key: ${{ secrets.APP_KEY }}
+```
+
+The `github-app` object accepts the same fields as the GitHub App configuration used elsewhere in the framework (`app-id`, `private-key`, and optionally `owner` and `repositories`). The token is minted once for the activation job and covers both the reaction step and the status comment step.
+
+> [!NOTE]
+> `github-token` and `github-app` affect only the activation job. For the agent job, configure tokens via `tools.github.github-token`/`tools.github.github-app` or `safe-outputs.github-token`/`safe-outputs.github-app`. See [Authentication](/gh-aw/reference/auth/) for a full overview.
+
 ### Stop After Configuration (`stop-after:`)
 
 Automatically disable workflow triggering after a deadline to control costs.