GitHub Workflow Dispatched by GitHub Actions Bot

Panther Rules

Summary
This rule detects a GitHub Actions workflow being manually dispatched by the GitHub Actions bot (github-actions[bot]) while it authenticates with a server-to-server token, that is, the workflow-scoped GITHUB_TOKEN. A workflow_dispatch issued this way through the GitHub REST API can indicate that a GITHUB_TOKEN has been leaked or hijacked and is being used to start workflows of the attacker's choosing, which can lead to unauthorized modifications or actions in the repository. The pattern is notable because it has appeared as a follow-up step in supply chain attacks, including the Nx/S1ngularity incident. A workflow that deliberately chains another workflow by calling the workflow_dispatch API with its own GITHUB_TOKEN produces the same audit entry, so expect some benign matches in repositories that do this and tune the rule for them. The rule requires GitHub audit logs so that workflow-related actions taken by the bot can be attributed and investigated.
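The following is an added example, not the Panther rule's own source: a Panther-style Python detection (rule, title and alert_context functions) run over constructed GitHub audit log records. The field names used (action, event, actor, programmatic_access_type, repo, name) and their values are assumptions based on the GitHub audit log schema, and the sample records are constructed, so the shipped rule may key on different fields.

```python
import json

# Constructed sample GitHub audit log records (not real data). Field names
# and values are assumptions about the GitHub audit log schema, not copied
# from the Panther rule.
SAMPLE_EVENTS = [
    # A developer clicks "Run workflow" in the web UI: no programmatic token.
    {
        "@timestamp": 1762000000000,
        "action": "workflows.created_workflow_run",
        "event": "workflow_dispatch",
        "actor": "alice",
        "repo": "example-org/example-repo",
        "name": "ci",
    },
    # github-actions[bot] dispatches the publish workflow over the REST API
    # with a server-to-server token (GITHUB_TOKEN): the behaviour to alert on.
    {
        "@timestamp": 1762000060000,
        "action": "workflows.created_workflow_run",
        "event": "workflow_dispatch",
        "actor": "github-actions[bot]",
        "programmatic_access_type": "GitHub App server-to-server token",
        "repo": "example-org/example-repo",
        "name": "publish",
    },
    # Same bot and token type, but a scheduled run: not a manual dispatch.
    {
        "@timestamp": 1762000120000,
        "action": "workflows.created_workflow_run",
        "event": "schedule",
        "actor": "github-actions[bot]",
        "programmatic_access_type": "GitHub App server-to-server token",
        "repo": "example-org/example-repo",
        "name": "nightly",
    },
    # A GitHub App acting for a user (user-to-server token): not GITHUB_TOKEN.
    {
        "@timestamp": 1762000180000,
        "action": "workflows.created_workflow_run",
        "event": "workflow_dispatch",
        "actor": "deploy-app[bot]",
        "programmatic_access_type": "GitHub App user-to-server token",
        "repo": "example-org/example-repo",
        "name": "deploy",
    },
]

# One JSON line per record, as a log shipper would deliver them.
SAMPLE_LOGS = [json.dumps(e) for e in SAMPLE_EVENTS]

ACTIONS_BOT = "github-actions[bot]"
S2S_TOKEN = "GitHub App server-to-server token"


def rule(event: dict) -> bool:
    """True for a workflow_dispatch run created by github-actions[bot]
    while authenticating with a server-to-server token."""
    if event.get("action") != "workflows.created_workflow_run":
        return False
    if event.get("event") != "workflow_dispatch":
        return False
    if event.get("actor") != ACTIONS_BOT:
        return False
    return event.get("programmatic_access_type") == S2S_TOKEN


def title(event: dict) -> str:
    """Alert title naming the workflow and repository involved."""
    return (
        f"GitHub workflow '{event.get('name', '<unknown>')}' in "
        f"{event.get('repo', '<unknown>')} dispatched by {ACTIONS_BOT} "
        f"with a server-to-server token"
    )


def alert_context(event: dict) -> dict:
    """What an analyst needs first: which workflow, where, and which token type."""
    return {
        "repo": event.get("repo"),
        "workflow": event.get("name"),
        "actor": event.get("actor"),
        "programmatic_access_type": event.get("programmatic_access_type"),
        "timestamp": event.get("@timestamp"),
    }


def run_detection(lines):
    """Parse each JSON log line, apply rule(), return one alert per match."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if rule(event):
            alerts.append({"title": title(event), "context": alert_context(event)})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOGS):
        print(json.dumps(alert, indent=2))
```

Only the second record fires: the UI dispatch has no programmatic token, the scheduled run is not a workflow_dispatch, and the user-to-server token is not GITHUB_TOKEN. Missing fields fall through to False, so a malformed record never raises inside the rule.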
Categories
  • Cloud
  • Web
Data Sources
  • Application Log
  • User Account
  • Cloud Service
ATT&CK Techniques
  • T1195
Created: 2025-11-01