diff --git a/.github/workflows/updatecli.yml b/.github/workflows/updatecli.yml
index 57b7fb20b..7e65f22ab 100644
--- a/.github/workflows/updatecli.yml
+++ b/.github/workflows/updatecli.yml
@@ -11,11 +11,13 @@ permissions:
   contents: write
   issues: write
   pull-requests: write
+  id-token: write # for vault authentication
 
 jobs:
   updatecli:
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main-source'
+    # if you want to testupdatecli on another branch, you also need to modify updatecli/values.yaml
+    if: ${{github.ref == 'refs/heads/main-source' && github.repository == 'rancher/rke2-charts'}}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -28,6 +30,23 @@ jobs:
       - name: Install Updatecli
         uses: updatecli/updatecli-action@v2
 
+      - name: Read Secrets for the Github App
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/issues-manager/github/app-credentials appId | CREATE_ISSUE_APP_ID ;
+            secret/data/github/repo/${{ github.repository }}/issues-manager/github/app-credentials privateKey | CREATE_ISSUE_PRIVATE_KEY
+
+      - name: Get Github App token
+        id: get_token
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        with:
+            app-id: ${{ env.CREATE_ISSUE_APP_ID }}
+            private-key: ${{ env.CREATE_ISSUE_PRIVATE_KEY }}
+            owner: rancher
+            repositories: |
+              rke2
+
       - name: Delete leftover UpdateCLI branches
         run: |
           gh pr list \
@@ -53,3 +72,6 @@ jobs:
         env:
           UPDATECLI_GITHUB_ACTOR: ${{ github.actor }}
           UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          UPDATECLI_GITHUB_WORKFLOW_URL: "https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
+          GH_TOKEN: ${{ steps.get_token.outputs.token }}
+
diff --git a/updatecli/scripts/create-issue.sh b/updatecli/scripts/create-issue.sh
new file mode 100644
index 000000000..3a3136179
--- /dev/null
+++ b/updatecli/scripts/create-issue.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+TARGET_REPOSITORY="rancher/rke2"
+BODY="Url of the failed run: ${UPDATECLI_GITHUB_WORKFLOW_URL}"
+
+report-error() {
+    exit_code=$?
+    trap - EXIT INT
+
+    if [[ $exit_code != 0 ]]; then
+        #check if issue already exists
+        issues=$(gh issue list -R ${TARGET_REPOSITORY} \
+                    --search "is:open ${ISSUE_TITLE}" \
+                    --app rke2-issues-updatecli --json number --jq ".[].number" | wc -l)
+
+        if [[ $issues = 0 ]]; then
+            echo "Creating issue for: $title"
+            gh issue create -R ${TARGET_REPOSITORY} \
+                --title "${ISSUE_TITLE}" \
+                --body "${BODY}"
+        else
+            echo "Issue already exists for: ${ISSUE_TITLE}"
+        fi
+    fi
+
+    exit $exit_code
+}
+
+export -f report-error 
diff --git a/updatecli/scripts/update-calico.sh b/updatecli/scripts/update-calico.sh
index 023b6d10c..440ea9d30 100755
--- a/updatecli/scripts/update-calico.sh
+++ b/updatecli/scripts/update-calico.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
 set -eu
+
+source $(dirname $0)/create-issue.sh
+
+ISSUE_TITLE="Updatecli failed for calico ${CALICO_VERSION}" 
+trap report-error EXIT INT
+
 if [ -n "$CALICO_VERSION" ]; then
 	current_calico_version=$(yq '.version' packages/rke2-calico/templates/crd-template/Chart.yaml)
 	if [ "$current_calico_version" != "$CALICO_VERSION" ]; then
diff --git a/updatecli/scripts/update-canal.sh b/updatecli/scripts/update-canal.sh
index 9f77f382f..db299c893 100755
--- a/updatecli/scripts/update-canal.sh
+++ b/updatecli/scripts/update-canal.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
 set -eu
+
+source $(dirname $0)/create-issue.sh
+
+ISSUE_TITLE="Updatecli failed for canal ${CALICO_VERSION} / ${FLANNEL_VERSION}" 
+trap report-error EXIT INT
+
 if [ -n "$FLANNEL_VERSION" ]; then
 	current_flannel_version=$(yq '.flannel.image.tag' packages/rke2-canal/charts/values.yaml)
 	if [ "$current_flannel_version" != "$FLANNEL_VERSION" ]; then
diff --git a/updatecli/scripts/update-cilium.sh b/updatecli/scripts/update-cilium.sh
index 18c70282e..006481f74 100755
--- a/updatecli/scripts/update-cilium.sh
+++ b/updatecli/scripts/update-cilium.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
 set -eu
+
+source $(dirname $0)/create-issue.sh
+
+ISSUE_TITLE="Updatecli failed for cilium ${CILIUM_VERSION}" 
+trap report-error EXIT INT
+
 if [ -n "$CNI_PLUGINS_VERSION" ]; then
 	current_cni_plugins_version=$(sed -nr 's/\+    tag: \"(v'[0-9]+.[0-9]+.[0-9]+-build[0-9]+')\"/\1/p' packages/rke2-cilium/generated-changes/patch/values.yaml.patch)
 	if [ "$current_cni_plugins_version" != "$CNI_PLUGINS_VERSION" ]; then
diff --git a/updatecli/scripts/update-flannel.sh b/updatecli/scripts/update-flannel.sh
index c4891e03b..a0fce157e 100755
--- a/updatecli/scripts/update-flannel.sh
+++ b/updatecli/scripts/update-flannel.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
 set -eu
+
+source $(dirname $0)/create-issue.sh
+
+ISSUE_TITLE="Updatecli failed for flannel ${FLANNEL_VERSION}"
+trap report-error EXIT INT
+
 new_package=false
 if [ -n "$CNI_PLUGINS_VERSION" ]; then
 	current_cni_plugins_version=$(sed -nr 's/^\+    tag: ('v[0-9]+.[0-9]+.[0-9]+')/\1/p' packages/rke2-flannel/generated-changes/patch/values.yaml.patch  | tail -1)
diff --git a/updatecli/scripts/update-multus.sh b/updatecli/scripts/update-multus.sh
index 5f07cba8a..eaed51ada 100755
--- a/updatecli/scripts/update-multus.sh
+++ b/updatecli/scripts/update-multus.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
-set -eu
+set -eux
+
+source $(dirname $0)/create-issue.sh
+
+ISSUE_TITLE="Updatecli failed for multus ${MULTUS_VERSION}"
+trap report-error EXIT INT
+
 new_package=false
 if [ -n "$CNI_PLUGINS_VERSION" ]; then
 	current_cni_plugins_version=$(yq '.cniplugins.image.tag' packages/rke2-multus/charts/values.yaml)
diff --git a/updatecli/updatecli.d/updatecalico.yaml b/updatecli/updatecli.d/updatecalico.yaml
index 63fc48c48..8969fc42c 100644
--- a/updatecli/updatecli.d/updatecalico.yaml
+++ b/updatecli/updatecli.d/updatecalico.yaml
@@ -29,6 +29,8 @@ targets:
         - name: CALICO_VERSION
           value: '{{ source "calico" }}'
         - name: PATH
+        - name: UPDATECLI_GITHUB_WORKFLOW_URL
+        - name: GH_TOKEN
 
 
 scms:
diff --git a/updatecli/updatecli.d/updatecanal.yaml b/updatecli/updatecli.d/updatecanal.yaml
index 8c41db74f..1a6f817ec 100644
--- a/updatecli/updatecli.d/updatecanal.yaml
+++ b/updatecli/updatecli.d/updatecanal.yaml
@@ -51,6 +51,8 @@ targets:
         - name: CALICO_VERSION
           value: '{{ source "calico" }}'
         - name: PATH
+        - name: UPDATECLI_GITHUB_WORKFLOW_URL
+        - name: GH_TOKEN
 
 scms:
   default:
diff --git a/updatecli/updatecli.d/updatecilium.yaml b/updatecli/updatecli.d/updatecilium.yaml
index 34be76cf4..1b6358895 100644
--- a/updatecli/updatecli.d/updatecilium.yaml
+++ b/updatecli/updatecli.d/updatecilium.yaml
@@ -48,6 +48,8 @@ targets:
         - name: CNI_PLUGINS_VERSION
           value: '{{ source "cni_plugins" }}'
         - name: PATH
+        - name: UPDATECLI_GITHUB_WORKFLOW_URL
+        - name: GH_TOKEN
 
 
 scms:
diff --git a/updatecli/updatecli.d/updateflannel.yaml b/updatecli/updatecli.d/updateflannel.yaml
index 51cab570a..d5a484cde 100644
--- a/updatecli/updatecli.d/updateflannel.yaml
+++ b/updatecli/updatecli.d/updateflannel.yaml
@@ -51,6 +51,8 @@ targets:
         - name: CNI_PLUGINS_VERSION
           value: '{{ source "cni_plugins" }}'
         - name: PATH
+        - name: UPDATECLI_GITHUB_WORKFLOW_URL
+        - name: GH_TOKEN
 
 
 scms:
diff --git a/updatecli/updatecli.d/updatemultus.yaml b/updatecli/updatecli.d/updatemultus.yaml
index 39b0cd313..7314a32c2 100644
--- a/updatecli/updatecli.d/updatemultus.yaml
+++ b/updatecli/updatecli.d/updatemultus.yaml
@@ -48,6 +48,8 @@ targets:
         - name: CNI_PLUGINS_VERSION
           value: '{{ source "cni_plugins" }}'
         - name: PATH
+        - name: UPDATECLI_GITHUB_WORKFLOW_URL
+        - name: GH_TOKEN
 
 
 scms: