Skip to content

Releases: amgdy/copilot-finops-automation

Release list

v3

Choose a tag to compare

@amgdy amgdy released this 06 Jul 23:19

💰 Copilot FinOps Automation v3

Govern GitHub Copilot AI-credit spend as code. v3 is a ground-up rewrite: the Bash/gh/jq scripts are gone, replaced by a single self-contained Node.js GitHub Action you can drop into any enterprise config repo — no fork required.

# your enterprise repo's workflow
- uses: amgdy/copilot-finops-automation@v3
  with:
    operation: apply
    enterprise: ${{ vars.COPILOT_FINOPS_ENTERPRISE }}
    token: ${{ secrets.COPILOT_FINOPS_TOKEN }}
    dry-run: "true"

✨ Highlights

  • 🧩 Reusable hosted action — load amgdy/copilot-finops-automation@v3. Your repo owns only its reviewed config, secret, variable, and schedule; the engine lives in the action. No more forking the whole automation repo per enterprise.
  • 🎯 No member sync — a team budget assigns the team itself to a cost center and GitHub expands the cap across members; an organization budget is written directly. The engine never enumerates members, so the token no longer needs read:org or enterprise-team read.
  • ⚙️ Rebuilt on Node.js (node24) — self-contained, committed dist/, no gh/jq/yq/pipx on the runner.
  • 🛡️ Safe by defaultapply previews as a dry run (the preview is the audit), config is validated against a JSON Schema (draft 2020-12) before any API call, and it never deletes budgets.
  • 📝 Budgets-first config — one reviewed config/copilot-finops.yml (version: 3); every change ships through a pull request.

🆕 Added

  • Two operations: validate (schema + semantic lint, token-free) and apply (dry-run default; live writes with admin:enterprise).
  • Two workflows: finops-validate.yml (runs on PRs touching config/schema/action) and finops-apply.yml (manual dry-run + weekly live schedule).
  • Six budget scopes: all_users, user, cost_center, team, organization, enterprise.
  • metered_credits_only (cost_center/team/org) — collective metered cap vs. per-user pool+metered.
  • enforce — hard stop vs. alert-only, gated to metered/collective budgets.
  • allow_shared_cost_center — opt in to budget a cost center that also holds other resources (otherwise skipped and reported).
  • log-level input (off/error/warn/info/debug, default info) with sensitive-field redaction in debug traces.
  • max-retries input — rate-limit-aware retries honoring retry-after / x-ratelimit-reset, else exponential backoff.
  • Outputs: changed and summary-path; every run writes a full markdown job summary.
  • Local CLI bin/copilot-finops.js (validate / apply / migrate) with .env support.
  • v2 → v3 migration codemod: node bin/copilot-finops.js migrate <v2-file> <v3-out>.
  • Copilot skill to author config conversationally, plus generated field reference docs/config-schema.md.

🔁 Changed (breaking)

  • version: 2version: 3.

  • Config is now a single budgets: list. v2's ai_credit_spend_policies + team_cost_center_mappings are consolidated.

  • Vocabulary renamed:

    v2 v3
    ai_credit_spend_policies: budgets:
    credit_scope: metered_only metered_credits_only: true
    credit_scope: pool_then_metered (default) omit metered_credits_only
    stop_at_limit: false enforce: false
    alert_admins: [...] alerts: [...]
    team: [a, b] / teams: one scope: team budget per team
    enterprise_slug: (doc field) action enterprise input
  • Enterprise slug is no longer a config field — it's an action input (a repo/org Variable), keeping real slugs out of tracked config.

  • organization scope is now always a direct collective metered cap on the enterprise endpoint (no cost center). Per-member org budgets aren't supported — use all_users/user, or put the users in an enterprise team and budget with scope: team.

  • team cost centers are auto-resolved or created — you no longer map them explicitly.

🗑️ Removed

  • The entire Bash implementation and its runner dependencies (gh, jq, yq).
  • Ongoing member syncteam_cost_center_mappings, remove_extra_members, and cost-center-members.yml (membership is managed in GitHub).
  • v1/v2 schemas and the two-file (budget-policies.yml + cost-center-members.yml) config model.
  • Per-policy enterprise: override.

🔒 Security & permissions

  • apply needs a classic PAT with admin:enterprise; validate needs no token and makes no network calls.
  • No read:org / enterprise-team read required — the engine never calls membership APIs.
  • Debug logs redact token/secret/password/authorization fields.

🔼 Upgrading from v2

  1. Migrate your config:
    node bin/copilot-finops.js migrate config/copilot-finops.v2.yml config/copilot-finops.yml
    Review the printed warnings (org teams, per-member org caps, dropped mappings).
  2. Set the enterprise slug as a Variable (COPILOT_FINOPS_ENTERPRISE) instead of a config field.
  3. Point your workflows at amgdy/copilot-finops-automation@v3.
  4. Run finops-apply.yml with dry_run=true and review the job summary before going live.

📚 Docs

README.md · docs/workflows.md · docs/setup.md · docs/permissions.md · docs/config-schema.md · docs/troubleshooting.md

Full config reference: see config/copilot-finops.example.yml (covers every scope).

v2

v2

Choose a tag to compare

@amgdy amgdy released this 05 Jul 22:48

Highlights

  • Introduces a single merged config file for budgets and team-to-cost-center mappings.
  • Adds schema-validated config for safer authoring and CI enforcement.
  • Includes the Copilot FinOps skill for AI-assisted config authoring and validation.
  • Keeps v1 split files supported but frozen; migration is available via scripts/migrate-v1-to-v2.sh.

What changed

v2 makes Copilot FinOps automation simpler to author and safer to ship:

  • One merged config file: config/copilot-finops.yml replaces the old split files.
  • Stronger validation: the config is checked against versioned JSON Schemas before any budget changes are applied.
  • Better workflow experience: the unified workflow validates once and then applies budgets and member sync in parallel.

Getting started

  • Copy config/copilot-finops.example.yml to config/copilot-finops.yml.
  • Set enterprise_slug and add only the budgets and mappings you need.
  • Validate with scripts/validate-config.sh config/copilot-finops.yml all.

Notes

This repository is intended for private or internal use with placeholder values only. Keep real enterprise slugs, team names, cost center names, user logins, budget amounts, reports, logs, and tokens out of public branches.