GitHub Actions Trigger Events

Every GitHub Actions workflow trigger event with activity types and filters.

Searchable reference for all GitHub Actions on: trigger events — push, pull_request, schedule, workflow_dispatch, workflow_call, release and more — with activity types, supported filters and usage notes. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is the difference between pull_request and pull_request_target?

pull_request runs in the context of the merge commit with a restricted token and no secrets for fork PRs. pull_request_target runs in the base repository with full secrets and a write token, so you must never check out and execute untrusted PR code under it.

Pick the right workflow trigger

GitHub Actions workflows start in response to events declared under the on: key. This reference lists every trigger event with the activity types you can narrow on, the filters it supports (branches, tags, paths) and the gotchas worth knowing. Search by event name or keyword.

How events and filters work together

When something happens in or around a repository — a push, a pull request, a scheduled tick, a manual dispatch — GitHub emits an event. A workflow runs if its on: block names that event and any declared filters and activity types match. Activity types (types:) narrow broad events to specific actions, for example only opened and synchronize pull requests. Filters (branches, tags, paths and their -ignore variants) restrict pushes and PRs to certain refs or changed files.

Several events have important behaviour or security characteristics: pull_request_target runs with secrets and a write token even for fork PRs, schedule runs in UTC with best-effort timing, and workflow_call turns a workflow into a reusable building block.

Common events at a glance

EventWhen it firesKey notes
pushA branch or tag receives a commitFilter on branches, tags, paths
pull_requestPR opened, updated, or other activityFork PRs run with a restricted token and no secrets
pull_request_targetPR activity, but runs in base repo contextReceives secrets — never checkout and run PR code
scheduleCron expression fires in UTCMinimum ~5-minute interval; timing is best-effort
workflow_dispatchManual trigger from UI, API, or CLIDeclare inputs: to accept parameters
workflow_callCalled from another workflowMakes a workflow reusable across repos
workflow_runAnother named workflow completesUse for deploy-after-CI chains
releaseGitHub Release created, published, etc.Filter by types: [published] for production deploys
repository_dispatchExternal HTTP POST with a custom event typeTrigger from external systems via the GitHub API
issue_commentComment created on an issue or PRUseful for ChatOps-style slash commands

Examples

Scope a CI run to relevant branches and changed files:

on:
  push:
    branches: [main]
    paths: ["src/**", "package.json"]

React to specific PR activity only — skip draft opens and re-title edits:

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

Manual trigger with a required input (for example to choose a deployment environment):

on:
  workflow_dispatch:
    inputs:
      environment:
        description: Target environment
        required: true
        type: choice
        options: [staging, production]

Schedule a nightly job:

on:
  schedule:
    - cron: "0 3 * * *"  # 03:00 UTC every day

Security notes

  • pull_request_target runs with write access and secrets even for pull requests from forks. Never use it with actions/checkout followed by arbitrary script execution — that is a code injection vector. Use it only for label management, commenter automation, or other steps that do not execute untrusted code.
  • workflow_call inputs and secrets must be explicitly declared and passed; they are not inherited automatically from the caller.
  • Chain a deploy after CI with workflow_run and the workflows: filter, and trigger automation from outside GitHub with repository_dispatch plus a custom event type.