Set up GitHub Agentic Workflows #126057
Merged
jeffhandley merged 6 commits into dotnet:main from Mar 25, 2026
Contributor
Tagging subscribers to this area: @dotnet/runtime-infrastructure
stephentoub
reviewed
Mar 24, 2026
Contributor
Pull request overview
Adds initial infrastructure and example workflow for running GitHub Agentic Workflows (gh-aw) with GitHub Copilot, including a composite action to randomly select a Copilot PAT from a secret pool to reduce rate-limit pressure.
Changes:
- Added a composite action to select a Copilot PAT from up to 10 provided secrets (with optional seeding).
- Added a sample agentic workflow (copilot-echo) plus its generated lock file to validate the setup end-to-end.
- Added repo scaffolding for gh-aw (agent descriptor, action lock metadata, and git attributes for generated lock files).
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/copilot-echo.md | New agentic workflow source that demonstrates PAT-pool selection and uses the selected token for Copilot auth. |
| .github/workflows/copilot-echo.lock.yml | Generated compiled workflow produced by gh aw compile for execution in GitHub Actions. |
| .github/actions/select-copilot-pat/action.yml | Composite action that selects an available PAT number from SECRET_0..SECRET_9. |
| .github/actions/select-copilot-pat/README.md | Onboarding and usage documentation for the PAT pool action. |
| .github/aw/actions-lock.json | Locks key third-party action references used by gh-aw workflows. |
| .github/agents/agentic-workflows.agent.md | Adds an agent descriptor/dispatcher document for gh-aw-related tasks. |
| .gitattributes | Marks .lock.yml files as generated and resolves merges using ours. |
stephentoub
reviewed
Mar 24, 2026
stephentoub
approved these changes
Mar 24, 2026
Instruct the agentic workflows agent to automatically include the select-copilot-pat integration (steps, job outputs, engine config, and explanatory comment block) when creating or updating workflows.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Member
Author
/ba-g No runs apply
ericstj
reviewed
Mar 25, 2026
ericstj
approved these changes
Mar 25, 2026
Member
ericstj
left a comment
We've worked together on this solution and I approve of the technique - I had one small suggestion for reducing boilerplate but I'm not sure it works.
Member
Author
/ba-g No runs apply
marcpopMSFT added a commit to marcpopMSFT/sdk that referenced this pull request Mar 26, 2026

Replace the GitHub Models inference API (models.inference.ai.azure.com) with the Copilot API (api.githubcopilot.com), authenticated via a randomly selected PAT from a pool of repository secrets. This follows the pattern established in dotnet/runtime#126057:
- Add select-copilot-pat composite action that picks a random PAT from COPILOT_PAT_0..9 secrets to mitigate rate-limiting
- Add select-pat job to the workflow pipeline
- Remove models:read permission (no longer needed)
- Sanitize error responses to prevent token leakage in logs
- Fail explicitly with setup instructions when no PATs are configured

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This pull request introduces support for securely running GitHub Agentic Workflows with Copilot by implementing a mechanism to randomly select a Copilot Personal Access Token (PAT) from a pool of secrets, mitigating rate-limiting issues. It also adds documentation and a test workflow for this setup, and adds the gh-aw infrastructure to the repo.
Copilot PAT Pool Selection:
- .github/actions/select-copilot-pat/action.yml) that selects a random Copilot PAT from up to 10 provided secrets (COPILOT_PAT_0 through COPILOT_PAT_9), with optional deterministic selection via a random seed. If no PATs are available, it gracefully falls back to the default token. If needed, workflows can have their own pools of secrets to draw from.
- .github/actions/select-copilot-pat/README.md, including setup, PAT management, and workflow integration guidance.
- .github/workflows/copilot-echo.md) to demonstrate and validate the approach. The workflow uses the selected PAT for Copilot authentication and includes clear documentation for its purpose and usage.
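
The selection described above, sketched as an added example (not the code from this PR's action.yml): it returns only the number of a populated SECRET_N slot, so the token value never reaches stdout, a job output, or the log. The function name `select_pat_number`, its positional seed argument, and the awk-based random pick are assumptions; the SECRET_0..SECRET_9 names come from the file table above.

```shell
#!/bin/sh
# Added illustration: pick the *index* of a populated SECRET_N (N = 0..9).
# Each value is only tested for emptiness; it is never printed or returned.
select_pat_number() {
  seed="${1:-}"          # optional seed for a reproducible pick (assumed interface)
  candidates=""
  count=0
  for i in 0 1 2 3 4 5 6 7 8 9; do
    # eval is safe here: $i only takes values from the fixed list above.
    eval "value=\${SECRET_$i:-}"
    if [ -n "$value" ]; then
      candidates="$candidates $i"
      count=$((count + 1))
    fi
  done
  unset value
  # Empty pool: print nothing so the caller can fall back to the default token.
  [ "$count" -gt 0 ] || return 0
  # Seeded runs are reproducible; unseeded runs use awk's time-based seed.
  # The pick only spreads load across tokens; it is not a security-grade choice.
  pick=$(awk -v n="$count" -v s="$seed" \
    'BEGIN { if (s != "") srand(s); else srand(); print int(rand() * n) }')
  # Intentional word splitting: candidates become positional parameters.
  set -- $candidates
  shift "$pick"
  printf '%s\n' "$1"
}

# Constructed sample pool (placeholder strings, not real tokens).
SECRET_2="constructed-placeholder-a"
SECRET_5="constructed-placeholder-b"
echo "selected PAT number: $(select_pat_number 42)"
```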