Automated code generation powered by GitHub Copilot CLI on GitHub Enterprise Server
This repository implements an automated coding workflow using GitHub Copilot CLI integrated with GitHub Enterprise Server (GHES). Simply create an issue, add a label, and watch as Copilot generates the code, creates a PR, and links everything together automatically.
- 🏷️ Label-driven workflow - Trigger code generation by adding the `copilot` label
- 🤖 AI-powered coding - GitHub Copilot CLI generates code based on issue descriptions
- 🌿 Automatic branching - Creates feature branches (`copilot/{issue-number}`)
- 📬 Auto PR creation - Opens pull requests with generated code
- 🔗 Native linking - Automatically links PRs to issues
- 📊 Progress tracking - Updates issue labels to track workflow state
- 📦 Artifact logging - Captures and stores execution logs
- 🔄 MCP integration - Uses Context7 for documentation and best practices
- 🏷️ Label-triggered PR reviews - Add `copilot` label to trigger review
- 🔒 Security analysis - Detects security vulnerabilities
- ⚡ Performance checks - Identifies performance issues
- 🧹 Code quality - Flags code quality concerns
- 📝 Detailed feedback - Posts actionable comments with examples
- 📊 Artifact logs - Complete analysis available for reference
If using self-hosted runners, you MUST manually install GitHub CLI on the runner VM before running workflows:
```bash
# SSH into your runner VM and run:
GH_VERSION="2.62.0"
cd /tmp
curl -L -o gh.tar.gz "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz"
tar -xzf gh.tar.gz
sudo mv gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/
sudo chmod +x /usr/local/bin/gh
gh --version
```

Why? Enterprise networks often block internet access during workflow execution, preventing automatic installation.
See GHES Setup Guide - Self-Hosted Runners for detailed instructions.
- Configure Organization or Repository Secrets

  Go to Settings → Secrets and variables → Actions:

  | Secret | Required | Description |
  |---|---|---|
  | `GH_TOKEN` | ✅ Yes | Classic PAT from your GHES instance (⚠️ NOT github.com) |
  | `COPILOT_TOKEN` | ✅ Yes | Token for GitHub Copilot API access |
  | `CONTEXT7_API_KEY` | ❌ Optional | Context7 API key for documentation |

  ⚠️ CRITICAL: Use Classic PAT for `GH_TOKEN`

  The `GH_TOKEN` must be a Classic PAT created on your GHES instance:
  - Go to `https://<your-ghes-instance>/settings/tokens`
  - Click "Generate new token" → "Generate new token (classic)"
  - Select scopes: `repo` and `workflow`

  Note: Fine-grained PATs have issues with GraphQL operations on GHES. Always use Classic PATs.
Create a standard issue with:
```markdown
## 📋 Task Description
Create a Python FastAPI application with a simple health check endpoint.
## 🎯 Acceptance Criteria
- [ ] FastAPI app with /health endpoint
- [ ] Returns JSON with status and timestamp
- [ ] Includes proper documentation
- [ ] Add requirements.txt
## 📚 Technical Details
- Use FastAPI latest version
- Python 3.11+
- Follow REST API best practices
```

Add the `copilot` label to the issue.
The workflow will automatically:
- 🏷️ Update issue label → `in-progress`
- 🌿 Create branch → `copilot/{issue-number}`
- 🤖 Generate code using Copilot CLI
- 💾 Commit changes with co-author attribution
- 🚀 Push branch to repository
- 📬 Create Pull Request
- 💬 Comment on issue with PR link
- 🏷️ Update label → `ready-for-review`
- Review the Pull Request
- Add `copilot` label to PR for AI review (optional) ✨
- Test the implementation
- Approve and merge when ready
This section explains how to deploy the Copilot workflows to repositories in your organization.
┌─────────────────────────────────────────────────────────────────────────┐
│ Your GHES Organization │
│ │
│ ┌─────────────────────────┐ ┌─────────────────────────────────┐ │
│ │ GHES_CodingAgent │ │ Target Repository │ │
│ │ (Central/Master) │ │ (e.g., my-project) │ │
│ │ │ │ │ │
│ │ • Master workflows │ │ • Caller workflows only (2) │ │
│ │ • MCP configuration │◄─────│ │ │
│ │ • Documentation │ │ (fetches config at runtime) │ │
│ │ • Deploy scripts │ uses │ │ │
│ └─────────────────────────┘ └─────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────┘
First, clone or fork this repository into your GHES organization:
Option A: Clone via GHES UI
- Create a new repository named `GHES_CodingAgent` in your org
- Clone this repo locally and push to your GHES instance:

```bash
git clone https://github.com/original/GHES_CodingAgent.git
cd GHES_CodingAgent
git remote set-url origin https://<your-ghes>/your-org/GHES_CodingAgent.git
git push -u origin main
```
Option B: For Air-Gapped Environments
- Download this repository as a ZIP
- Create a new repository in your GHES org
- Upload/push all files to the new repository
Option C: Fork (if available)
- Fork directly within GHES if the source repo is accessible
After cloning to your org, configure the GHES_CodingAgent repository:
- Enable Workflow Access (Required for reusable workflows)
  - Go to Settings → Actions → General
  - Under "Access", select "Accessible from repositories in the organization"
- Add Organization Secrets
  - `GH_TOKEN`: Classic PAT with `repo` and `workflow` scopes
  - `COPILOT_TOKEN`: Token for Copilot API access
  - `CONTEXT7_API_KEY`: (Optional) Context7 API key
Use the deployment scripts to install Copilot workflows into other repositories in your org:
```powershell
./scripts/deploy-to-repo.ps1 `
  -GhesHost "ghes.company.com" `
  -Owner "my-org" `
  -Repo "my-project" `
  -GhToken "ghp_xxxxxxxxxxxx"
```

```bash
./scripts/deploy-to-repo.sh \
  ghes.company.com \
  my-org \
  my-project \
  ghp_xxxxxxxxxxxx
```

The scripts deploy lightweight caller workflows to target repositories:
| File | Size | Description |
|---|---|---|
| `.github/workflows/copilot-coder.yml` | ~30 lines | Calls master coder workflow |
| `.github/workflows/copilot-reviewer.yml` | ~35 lines | Calls master reviewer workflow |
After merging the deployment PR, add secrets to the target repository:
| Secret | Required | Description |
|---|---|---|
| `GH_TOKEN` | ✅ Yes | Classic PAT with `repo` and `workflow` scopes |
| `COPILOT_TOKEN` | ✅ Yes | Token for Copilot API access |
| `CONTEXT7_API_KEY` | ❌ Optional | Context7 API key for documentation |
- Create an issue in your target repository
- Add the `copilot` label
- Watch Copilot generate code and create a PR!
| Benefit | Description |
|---|---|
| Centralized Updates | Update master workflows once, all repos get improvements |
| Minimal Footprint | Target repos only have ~4 small files |
| No Script Duplication | Scripts live only in central repo |
| Easy Rollout | Deploy to new repos in seconds |
| Version Control | Pin to specific tags/commits if needed |
The Copilot PR Reviewer analyzes pull requests when triggered:
- 🏷️ Triggers when `copilot` label is added - Add label to request review
- 🔍 Analyzes all changed files - Security, performance, code quality
- 💬 Posts review comments - With actionable recommendations
- 📊 Generates analysis report - Available as artifact
Developer adds 'copilot' label to PR
↓
Reviewer Workflow Triggers
↓
1️⃣ Download Changed Files
2️⃣ Run Copilot Analysis
3️⃣ Post Review Comments
↓
📝 Feedback Ready for Developer
Copilot identifies and comments on issues like:
- 🔒 Security: SQL injection, exposed secrets, unsafe deserialization
- ⚡ Performance: Inefficient loops, unnecessary allocations, N+1 queries
- 🧹 Code Quality: Naming, documentation, complexity, error handling
- 📝 Best Practices: Type safety, error handling, edge cases
To request a review: Add the copilot label to the PR. The reviewer workflow will analyze your code and post feedback.
For detailed information, see Copilot PR Reviewer Documentation.
```yaml
on:
  issues:
    types: [labeled]
```

The coder workflow triggers when:
- The `copilot` label is added to an issue

```yaml
on:
  pull_request:
    types: [labeled]
```

The reviewer workflow triggers when:
- The `copilot` label is added to a pull request
GitHub Issue Created
↓
Add 'copilot' Label
↓
Workflow Triggers
↓
Update Labels (in-progress)
↓
Setup Environment
(Python, Node.js, Copilot CLI)
↓
Configure MCP Servers
↓
Create Feature Branch
↓
Run Copilot CLI
(Generate Code)
↓
Commit Changes
↓
Push Branch
↓
Create Pull Request
↓
Comment on Issue
↓
Update Labels (completed, ready-for-review)
↓
✅ Done!
.github/
├── workflows/
│ ├── copilot-coder-master.yml # Master workflow (reusable) - full logic
│ ├── copilot-coder.yml # Caller workflow (example/reference)
│ ├── copilot-reviewer-master.yml # Master workflow (reusable) - full logic
│ └── copilot-reviewer.yml # Caller workflow (example/reference)
scripts/ # Scripts for deployment only (NOT deployed to targets)
├── deploy-to-repo.ps1 # Deploy to target repo (PowerShell)
├── deploy-to-repo.sh # Deploy to target repo (Bash)
└── README.md # Script documentation
docs/
├── GHES-SETUP.md # Detailed setup guide
├── DEPLOYMENT.md # Deployment guide
├── COPILOT-REVIEWER.md # PR Reviewer documentation
├── TROUBLESHOOTING.md # Common issues and solutions
└── ... # Other documentation
mcp-config.json # MCP servers configuration (fetched at runtime)
.github/
└── workflows/
├── copilot-coder.yml # Caller workflow (~30 lines)
└── copilot-reviewer.yml # Caller workflow (~35 lines)
Note: Target repositories receive ONLY the caller workflows. All logic is in the master workflows, and MCP configuration is fetched at runtime from the central repository.
| Type | File | Purpose |
|---|---|---|
| Master | `*-master.yml` | Contains full implementation logic, called by other repos |
| Caller | `*.yml` | Lightweight wrapper that invokes the master workflow |
Target repositories only receive the caller workflows, which are ~30 lines each.
- GitHub Actions - Workflow orchestration
- GitHub Copilot CLI - AI-powered code generation
- GitHub Issues - Task management
- Bash Scripts - Automation
- Node.js 22.x - Runtime for Copilot CLI
- Python 3.x - Tooling and MCP server runtime
- uv - Python package manager for installing MCP servers
- MCP Servers - Context providers:
- Context7 (npx) - Documentation and examples
- Fetch (uvx) - Web content retrieval
- Time (uvx) - Time-based operations
Edit .github/workflows/copilot-coder.yml to customize:
```yaml
env:
  MODEL: claude-haiku-4.5 # LLM model to use
  COPILOT_VERSION: 0.0.352 # Copilot CLI version
```

For the workflow to run successfully, GHES runners must have outbound internet access to:
| Service | Host | Port | Protocol | Purpose |
|---|---|---|---|---|
| GHES API | `<your-ghes-host>` | 443 | HTTPS | GitHub CLI and API calls |
| Copilot CLI | `registry.npmjs.org` | 443 | HTTPS | Download `@github/copilot` package |
| MCP Servers | `pypi.org` | 443 | HTTPS | Install MCP servers via uv |
| Documentation | `api.context7.com` | 443 | HTTPS | Context7 MCP service |
If your GHES runners are behind a firewall, ensure these outbound rules are configured:
```
# Allow outbound HTTPS to required services
Allow: registry.npmjs.org:443
Allow: pypi.org:443
Allow: api.context7.com:443
Allow: <your-ghes-host>:443
```

If GHES runners access the internet through a corporate proxy, configure:

```yaml
# In workflow or runner configuration
HTTP_PROXY: http://proxy.company.com:8080
HTTPS_PROXY: http://proxy.company.com:8080
NO_PROXY: <your-ghes-host>
```

For detailed network configuration and troubleshooting, see GHES Compatibility Guide.
Edit mcp-config.json to add or remove MCP servers:
```json
{
  "mcpServers": {
    "context7": {
      "type": "local",
      "command": "npx",
      "tools": ["*"],
      "args": ["-y", "@upstash/context7-mcp"]
    },
    "fetch": {
      "type": "local",
      "command": "uvx",
      "tools": ["*"],
      "args": ["mcp-server-fetch"]
    },
    "time": {
      "type": "local",
      "command": "uvx",
      "tools": ["*"],
      "args": ["mcp-server-time"]
    }
  }
}
```

Note: MCP servers using `uvx` are installed on-demand via the uv Python package manager from PyPI.
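A check a reviewer could run over the `mcp-config.json` above before rolling it out to target repositories; this is an added example, not part of the repository. It flags servers whose `npx`/`uvx` launcher fetches a package without a version pin at job time and servers granted `"tools": ["*"]`. The function name and finding labels are assumptions, as is pinning in the form `name@version` or `name==version`.

```python
import json
import re

# Constructed sample: the mcp-config.json shown above, embedded so the check runs offline.
SAMPLE_CONFIG = """
{"mcpServers": {
  "context7": {"type": "local", "command": "npx", "tools": ["*"],
               "args": ["-y", "@upstash/context7-mcp"]},
  "fetch":    {"type": "local", "command": "uvx", "tools": ["*"],
               "args": ["mcp-server-fetch"]},
  "time":     {"type": "local", "command": "uvx", "tools": ["*"],
               "args": ["mcp-server-time"]}
}}
"""

# Launchers that download and execute a package from a public registry at run time.
FETCHING_LAUNCHERS = {"npx": "registry.npmjs.org", "uvx": "pypi.org"}

# A package spec counts as pinned only with an explicit numeric version:
# name@1.2.3, @scope/name@1.2.3 or name==1.2.3. Dist-tags such as @latest do not count.
PINNED_SPEC = re.compile(r"(@[^/@\s]+/)?[^@=\s]+(@|==)\d[\w.+-]*")


def audit_mcp_config(text):
    """Return (server, finding) pairs for an mcp-config.json document."""
    findings = []
    servers = json.loads(text).get("mcpServers", {})
    for name, server in servers.items():
        launcher = server.get("command", "")
        # Non-flag arguments are the candidate package specs.
        specs = [a for a in server.get("args", []) if not a.startswith("-")]
        if launcher in FETCHING_LAUNCHERS and not any(
            PINNED_SPEC.fullmatch(s) for s in specs
        ):
            # Whatever the registry serves at job time runs on the runner.
            findings.append((name, "unpinned-package"))
        if "*" in server.get("tools", []):
            # Every tool the server exposes is available to the agent.
            findings.append((name, "wildcard-tools"))
    return findings


if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```
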
Edit .github/copilot-instructions.md to customize Copilot's behavior:
- Add project-specific guidelines
- Define code style preferences
- Specify frameworks or libraries to use
- Add security or compliance requirements
Each workflow run publishes:
- 📝 Workflow logs - Available in Actions tab
- 📦 Copilot logs - Downloaded as artifacts (retention: 30 days)
Access artifacts:
- Go to Actions tab
- Select workflow run
- Scroll to Artifacts section
- Download `copilot-logs`

```yaml
permissions:
  contents: write # Create branches and commits
  issues: write # Update issue labels and comments
  pull-requests: write # Create pull requests
```

Detailed guides are available in the `docs/` directory:
- GHES Setup Guide - Complete setup instructions
- Copilot PR Reviewer Guide - Automated PR review
- Migration Guide - Migrate from Azure DevOps
- Reviewer Migration Guide - ADO Reviewer adaptation details
- Troubleshooting - Common issues and solutions
- ✅ Verify label is exactly `copilot` (case-sensitive)
- ✅ Check workflow file syntax
- ✅ Ensure workflow is enabled in Actions tab
- ✅ Verify `GH_TOKEN` is set in organization or repository secrets
- ✅ Check token scopes (`repo`, `copilot_requests`)
- ✅ Ensure token is from GHES, not GitHub.com
- ✅ Check issue description is clear and detailed
- ✅ Verify `MODEL` setting in workflow
- ✅ Review Copilot logs in artifacts
For more troubleshooting help, see TROUBLESHOOTING.md.
- GitHub Copilot team - For the Copilot CLI
- Original ADO implementation - By the amazing Gisela Torres - 0GiS0
Made with ❤️ and 🤖 by GitHub Copilot