Written and diagnosed by gh aw debugging process
GH_AW_CI_TRIGGER_TOKEN empty commit push fails with non-fast-forward when PR is created via GitHub API (safe_output)
Summary
When a workflow uses create-pull-request safe output with GH_AW_CI_TRIGGER_TOKEN set as a repo secret, the CI trigger empty commit push fails because the branch was created server-side via the GitHub API, causing a SHA divergence between the local and remote branch.
The result is that the PR is created successfully but no CI checks ever run on it.
Version
- gh-aw: v0.64.1
- Engine: Copilot
Reproduction
- Create a workflow with a
create-pull-request safe output
- Set
GH_AW_CI_TRIGGER_TOKEN as a repository secret
- Trigger the workflow and let the agent produce a PR
Expected behavior
The empty commit is pushed to the PR branch, triggering CI checks on the newly created PR.
Actual behavior
The safe_output_handler_manager.cjs handler:
- Creates the PR branch and commit via the GitHub API (server-side)
- Detects
GH_AW_CI_TRIGGER_TOKEN and creates a local empty commit
- Attempts to push the empty commit to the remote branch
- Push is rejected because the local branch doesn't have the API-created commit — the local ref points to the base branch tip, not the remote branch tip that now includes the API-created commit
The failure is logged as a Warning (not an error), so the job succeeds but CI never triggers on the PR.
Logs
From the "Process Safe Outputs" step :
Extra empty commit token detected - pushing empty commit to trigger CI events
/usr/bin/git checkout -b rswag-worker/sc-8301/api-v1-admin-subscriptions
Switched to a new branch 'rswag-worker/sc-8301/api-v1-admin-subscriptions'
/usr/bin/git remote add ci-trigger https://***@github.com/sixfiftylabs/sixfifty-api.git
/usr/bin/git commit --allow-empty -m ci: trigger checks
[rswag-worker/sc-8301/api-v1-admin-subscriptions c32ce94] ci: trigger checks
/usr/bin/git push ci-trigger rswag-worker/sc-8301/api-v1-admin-subscriptions
To https://github.com/sixfiftylabs/sixfifty-api.git
! [rejected] rswag-worker/sc-8301/api-v1-admin-subscriptions -> rswag-worker/sc-8301/api-v1-admin-subscriptions (fetch first)
error: failed to push some refs to 'https://github.com/sixfiftylabs/sixfifty-api.git'
hint: Updates were rejected because the remote contains work that you do not
hint: have locally. This is usually caused by another repository pushing to
hint: the same ref. If you want to integrate the remote changes, use
hint: 'git pull' before pushing.
hint: See the 'Note about fast-forwards' in 'git push --help' for details.
Warning: Failed to push extra empty commit: The process '/usr/bin/git' failed with exit code 1
Root cause
The safe_outputs job checks out main (via fetch-depth: 1), then creates the PR branch + commit through the GitHub API. When it subsequently tries to push the empty CI trigger commit locally, the local branch was created from the main checkout and doesn't include the API-created commit on the remote branch — so git correctly rejects it as a non-fast-forward push.
Evidence
- The single commit on the branch (
009fddd5) has committer GitHub <noreply@github.com> with verified: true — confirming it was created via the API, not pushed via git
- All 6 workflow jobs completed successfully; the push failure was swallowed as a warning
Suggested fix
Before pushing the empty commit, fetch the remote branch and reset the local branch to it:
git fetch ci-trigger rswag-worker/sc-8301/api-v1-admin-subscriptions
git reset --hard ci-trigger/rswag-worker/sc-8301/api-v1-admin-subscriptions
git commit --allow-empty -m "ci: trigger checks"
git push ci-trigger rswag-worker/sc-8301/api-v1-admin-subscriptions
Or alternatively, use --force for the empty commit push since the only commit on the branch at that point is the one the handler just created via the API.
GH_AW_CI_TRIGGER_TOKENempty commit push fails with non-fast-forward when PR is created via GitHub API (safe_output)Summary
When a workflow uses
create-pull-requestsafe output withGH_AW_CI_TRIGGER_TOKENset as a repo secret, the CI trigger empty commit push fails because the branch was created server-side via the GitHub API, causing a SHA divergence between the local and remote branch.The result is that the PR is created successfully but no CI checks ever run on it.
Version
Reproduction
create-pull-requestsafe outputGH_AW_CI_TRIGGER_TOKENas a repository secretExpected behavior
The empty commit is pushed to the PR branch, triggering CI checks on the newly created PR.
Actual behavior
The
safe_output_handler_manager.cjshandler:GH_AW_CI_TRIGGER_TOKENand creates a local empty commitThe failure is logged as a Warning (not an error), so the job succeeds but CI never triggers on the PR.
Logs
From the "Process Safe Outputs" step :
Root cause
The
safe_outputsjob checks outmain(viafetch-depth: 1), then creates the PR branch + commit through the GitHub API. When it subsequently tries to push the empty CI trigger commit locally, the local branch was created from themaincheckout and doesn't include the API-created commit on the remote branch — so git correctly rejects it as a non-fast-forward push.Evidence
009fddd5) has committerGitHub <noreply@github.com>withverified: true— confirming it was created via the API, not pushed via gitSuggested fix
Before pushing the empty commit, fetch the remote branch and reset the local branch to it:
git fetch ci-trigger rswag-worker/sc-8301/api-v1-admin-subscriptions git reset --hard ci-trigger/rswag-worker/sc-8301/api-v1-admin-subscriptions git commit --allow-empty -m "ci: trigger checks" git push ci-trigger rswag-worker/sc-8301/api-v1-admin-subscriptionsOr alternatively, use
--forcefor the empty commit push since the only commit on the branch at that point is the one the handler just created via the API.