DEV.co
Open-Source DevOps · peter-evans

create-pull-request

Create Pull Request is a GitHub Actions workflow automation tool that detects file changes in your repository and automatically commits them to a new branch, then opens a pull request. It simplifies CI/CD pipelines by removing the need for manual PR creation after automated code modifications.

Source: GitHub — github.com/peter-evans/create-pull-request
2.8k
GitHub stars
546
Forks
TypeScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorypeter-evans/create-pull-request
Ownerpeter-evans
Primary languageTypeScript
LicenseMIT — OSI-approved
Stars2.8k
Forks546
Open issues17
Latest releasev8.1.1 (2026-04-10)
Last updated2026-07-01
Sourcehttps://github.com/peter-evans/create-pull-request

What create-pull-request is

A TypeScript-based GitHub Action that monitors the Actions workspace for tracked/untracked file changes and commits, creates or updates branches with configurable naming strategies, and opens pull requests with customizable metadata (title, body, labels, reviewers, draft status). Supports token flexibility (GITHUB_TOKEN, PAT, GitHub App tokens) and fork-based workflows.

Quickstart

Get the create-pull-request source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/peter-evans/create-pull-request.gitcd create-pull-request# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Automated Code Generation & Formatting Workflows

Use in pipelines that generate code, apply formatters, or update dependencies. The action commits generated files and creates a PR for review without manual intervention, ideal for linters, dependency updaters, or code generators.

CI/CD Documentation & Config Updates

Automate README updates, changelog generation, or config file modifications triggered by events. Changes are immediately proposed as PRs, enabling team review before merge.

Fork-Based Contribution Automation

Push pull request branches to a fork and create PRs against the parent repo. Useful for bots or services that need to contribute to multiple repositories without direct push access.

Implementation considerations

  • Explicitly enable workflow permissions (contents: write, pull-requests: write) in repositories created after Feb 2023 to avoid read-only GITHUB_TOKEN errors.
  • Choose token strategy: GITHUB_TOKEN is simplest but won't trigger downstream workflows; PAT or GitHub App tokens required for workflow chaining at cost of credential management.
  • Use branch-suffix strategies (random, timestamp, short-commit-hash) to avoid collisions if creating multiple PRs in parallel; default 'create-pull-request/patch' branch reuses/updates existing PR.
  • Configure add-paths carefully using git pathspec syntax to avoid committing unintended files (e.g., build artifacts, node_modules).
  • Set maintainer-can-modify to true if contributors should be able to update PR branches; false restricts to original author.

When to avoid it — and what to weigh

  • Sensitive Secret/Credential Changes — Do not use for changes involving secrets or credentials. The action commits changes to a tracked branch; unintended exposure is possible if permissions misconfigured.
  • High-Volume Automated PRs Without Governance — Avoid heavy automation without team guardrails. Hundreds of auto-created PRs can overwhelm review processes and create maintenance debt.
  • Triggering Cascading Workflow Runs — GITHUB_TOKEN will not trigger downstream `on: push` or `on: pull_request` workflows by design. If your pipeline requires chained workflow execution, use PAT or GitHub App tokens (adds complexity).
  • Complex Multi-Step Conditional Commits — The action commits all detected changes by default. If you need granular control over which specific changes commit in which order, you'll need custom branching logic.

License & commercial use

MIT License – permissive, allows commercial use, modification, and distribution with attribution. No restrictions on use in proprietary or closed-source projects.

MIT permits commercial use without restriction. However, review your workflow's token strategy (especially PAT/GitHub App management) for compliance with your organization's credential policies.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

No inherent security flaws disclosed in available data, but review your token strategy carefully: GITHUB_TOKEN is scoped narrowly but won't trigger workflows; PAT/GitHub App tokens expand permissions and require secure storage. Ensure add-paths filter prevents commits of secrets or sensitive files. Commits are attributed to the workflow actor, creating an audit trail.

Alternatives to consider

GitHub Actions: git-auto-commit-action (stefanzweifel)

Simpler lightweight alternative for direct commits to a branch; does not create PRs, better for self-contained automation without review gates.

Manual git commands in workflow

Full control over commit logic and PR metadata; requires more boilerplate and error handling; suitable for highly custom scenarios.

Renovate or Dependabot

Specialized for dependency updates and security patches; offers native PR management, auto-merge policies, and advanced grouping; not suitable for general code generation.

Software development agency

Build on create-pull-request with DEV.co software developers

Integrate Create Pull Request into your CI/CD pipeline today. Our engineers can help design a secure token strategy and workflow automation architecture tailored to your team's needs.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

create-pull-request FAQ

Why don't pull requests trigger my downstream workflows?
GITHUB_TOKEN cannot trigger on: push or on: pull_request workflows by design (GitHub anti-recursion measure). Switch to a PAT or GitHub App token to enable downstream execution; see docs/concepts-guidelines.md for setup.
Can I use this action without write permissions?
No. The action requires contents:write and pull-requests:write scopes to create/update branches and PRs. Repositories created after Feb 2, 2023, default to read-only; explicitly grant permissions in your workflow.
How do I avoid duplicate PRs when my workflow runs multiple times?
Use the default branch name (create-pull-request/patch) which reuses existing PRs, or configure branch-suffix with timestamp/random strategies. See docs for alternative branching strategy details.
Is it safe to commit secrets with this action?
No. The action commits all detected changes unless you filter with add-paths. Use environment secrets and .gitignore to prevent credential leaks; never rely on this action's defaults for sensitive data.

Software development & web development with DEV.co

Need help beyond evaluating create-pull-request? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.

Ready to automate your GitHub workflow?

Integrate Create Pull Request into your CI/CD pipeline today. Our engineers can help design a secure token strategy and workflow automation architecture tailored to your team's needs.