Fix Integration Data Updater auth via copilot-requests permission#1342
Conversation
The Integration Data Updater agentic workflow has failed every run since ~2026-05-21 with HTTP 401 at the Execute GitHub Copilot CLI step: the COPILOT_GITHUB_TOKEN fine-grained PAT expired, and gh-aw's /models auth was rejected outright. Switch to the recommended authentication model per the gh-aw docs: grant copilot-requests: write and let Copilot inference use the per-run github.token instead of a PAT. This removes the expiring-PAT failure mode entirely and bills through the org's Copilot subscription. Recompiled with gh-aw v0.81.6 (matching main); the only lock changes are the auth wiring: the COPILOT_GITHUB_TOKEN validation step is dropped, the agent/detection jobs gain copilot-requests: write, and inference now uses github.token. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Updates the Integration Data Updater agentic workflow to authenticate Copilot inference using the per-run github.token (via copilot-requests: write) instead of an expiring PAT, addressing repeated 401 failures in scheduled runs.
Changes:
- Add
copilot-requests: writepermission to the source workflow definition. - Regenerate the lock workflow to remove
COPILOT_GITHUB_TOKENsecret validation/usage and switch inference auth to${{ github.token }}withS2STOKENS: true. - Drop
COPILOT_GITHUB_TOKENfrom the lock manifest/redaction wiring.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/update-integration-data.md | Grants copilot-requests: write so the workflow can use github.token for Copilot inference. |
| .github/workflows/update-integration-data.lock.yml | Updates the compiled workflow to use github.token for Copilot CLI auth and removes PAT-secret plumbing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Frontend HTML artifact readyThe latest frontend build uploaded the This comment updates automatically when a new frontend build artifact is uploaded. |
|
Can this be validated with a manual run of the workflow? |
radical
left a comment
There was a problem hiding this comment.
[automated] Reviewed and verified. This is a clean, correct fix.
Verification performed:
- Recompiled the source
.mdwith gh-aw v0.81.6 (matching the stamped
compiler_version) in an isolated worktree — the result is byte-identical
to the committed.lock.yml, with no other files touched. The lock is a
faithful, drift-free recompile, not a hand-edit. - No version drift: compiler_version is v0.81.6 before and after, matching main.
- Auth wiring matches gh-aw's documented "Recommended" model
(copilot-requests: write + ${{ github.token }}); COPILOT_GITHUB_TOKEN is
ignored for inference when the permission is present. - No secret-leak regression: COPILOT_GITHUB_TOKEN's value is now github.token
(== GITHUB_TOKEN), which remains in the redaction list. - No dangling references to the removed validate-secret step / output; both
Copilot-using jobs (agent + detection) received copilot-requests: write.
An independent second-model review pass reached the same conclusions.
Non-blocking: since this is a scheduled workflow, consider manually
dispatching it right after merge to confirm the auth path, rather than
waiting for the next daily run.
Problem
The Integration Data Updater agentic workflow has failed every scheduled run since ~2026-05-21 (35+ consecutive failures). Each run dies at the Execute GitHub Copilot CLI step with:
Root cause: the
COPILOT_GITHUB_TOKENfine-grained PAT (last set 2026-04-24) expired, so gh-aw's Copilot inference proxy rejects it outright — the/modelsendpoint itself returns 401. This is version-independent (it persisted across the v0.74.8 → v0.81.6 upgrade in #1325).Fix
Adopt the recommended authentication model from the gh-aw auth docs: grant
copilot-requests: writeand let Copilot inference use the per-run${{ github.token }}instead of a PAT.Benefits:
COPILOT_GITHUB_TOKENis no longer referenced for inference.Changes
update-integration-data.md: addcopilot-requests: writeto thepermissions:block.update-integration-data.lock.yml: recompiled with gh-aw v0.81.6 (matchingmain). The only changes are the auth wiring:Validate COPILOT_GITHUB_TOKEN secretactivation step and its output.copilot-requests: writeto the agent and threat-detection jobs.COPILOT_GITHUB_TOKENto${{ github.token }}and setsS2STOKENS: true.COPILOT_GITHUB_TOKENfrom the secret manifest and redaction list.compiler_versionstaysv0.81.6— no toolchain/version drift.Verification
Once merged, the next scheduled (or manually dispatched) run should get past activation and the Execute GitHub Copilot CLI step without the 401.