Skip to content

Fix Integration Data Updater auth via copilot-requests permission#1342

Merged
IEvangelist merged 1 commit into
mainfrom
dapine/gh-aw-copilot-requests
Jul 9, 2026
Merged

Fix Integration Data Updater auth via copilot-requests permission#1342
IEvangelist merged 1 commit into
mainfrom
dapine/gh-aw-copilot-requests

Conversation

@IEvangelist

Copy link
Copy Markdown
Member

Problem

The Integration Data Updater agentic workflow has failed every scheduled run since ~2026-05-21 (35+ consecutive failures). Each run dies at the Execute GitHub Copilot CLI step with:

Authentication failed with provider at http://172.30.0.30:10002 (HTTP 401).
awf-reflect: models fetch returned 401 for http://api-proxy:10002/models
model=claude-sonnet-4.6

Root cause: the COPILOT_GITHUB_TOKEN fine-grained PAT (last set 2026-04-24) expired, so gh-aw's Copilot inference proxy rejects it outright — the /models endpoint itself returns 401. This is version-independent (it persisted across the v0.74.8 → v0.81.6 upgrade in #1325).

Fix

Adopt the recommended authentication model from the gh-aw auth docs: grant copilot-requests: write and let Copilot inference use the per-run ${{ github.token }} instead of a PAT.

Benefits:

  • No PAT lifecycle — the token is minted per run and auto-revoked, so this expiry failure can't recur.
  • Org billing — inference bills through the organization's Copilot subscription rather than an individual user's quota.
  • No secret to rotateCOPILOT_GITHUB_TOKEN is no longer referenced for inference.

Changes

  • update-integration-data.md: add copilot-requests: write to the permissions: block.
  • update-integration-data.lock.yml: recompiled with gh-aw v0.81.6 (matching main). The only changes are the auth wiring:
    • Removes the Validate COPILOT_GITHUB_TOKEN secret activation step and its output.
    • Adds copilot-requests: write to the agent and threat-detection jobs.
    • Switches COPILOT_GITHUB_TOKEN to ${{ github.token }} and sets S2STOKENS: true.
    • Drops COPILOT_GITHUB_TOKEN from the secret manifest and redaction list.

compiler_version stays v0.81.6 — no toolchain/version drift.

Verification

Once merged, the next scheduled (or manually dispatched) run should get past activation and the Execute GitHub Copilot CLI step without the 401.

The Integration Data Updater agentic workflow has failed every run since
~2026-05-21 with HTTP 401 at the Execute GitHub Copilot CLI step: the
COPILOT_GITHUB_TOKEN fine-grained PAT expired, and gh-aw's /models auth
was rejected outright.

Switch to the recommended authentication model per the gh-aw docs: grant
copilot-requests: write and let Copilot inference use the per-run
github.token instead of a PAT. This removes the expiring-PAT failure mode
entirely and bills through the org's Copilot subscription.

Recompiled with gh-aw v0.81.6 (matching main); the only lock changes are
the auth wiring: the COPILOT_GITHUB_TOKEN validation step is dropped, the
agent/detection jobs gain copilot-requests: write, and inference now uses
github.token.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 8, 2026 20:34

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Integration Data Updater agentic workflow to authenticate Copilot inference using the per-run github.token (via copilot-requests: write) instead of an expiring PAT, addressing repeated 401 failures in scheduled runs.

Changes:

  • Add copilot-requests: write permission to the source workflow definition.
  • Regenerate the lock workflow to remove COPILOT_GITHUB_TOKEN secret validation/usage and switch inference auth to ${{ github.token }} with S2STOKENS: true.
  • Drop COPILOT_GITHUB_TOKEN from the lock manifest/redaction wiring.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/update-integration-data.md Grants copilot-requests: write so the workflow can use github.token for Copilot inference.
.github/workflows/update-integration-data.lock.yml Updates the compiled workflow to use github.token for Copilot CLI auth and removes PAT-secret plumbing.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/update-integration-data.lock.yml
@aspire-repo-bot

Copy link
Copy Markdown
Contributor

Frontend HTML artifact ready

The latest frontend build uploaded the frontend-dist artifact for PR #1342. Use the VS Code button below to open this PR with GitHub Artifacts Explorer and browse the built HTML locally.

VS Code: Open PR #1342 artifacts

This comment updates automatically when a new frontend build artifact is uploaded.

@radical

radical commented Jul 9, 2026

Copy link
Copy Markdown
Member

Can this be validated with a manual run of the workflow?

@radical radical left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[automated] Reviewed and verified. This is a clean, correct fix.

Verification performed:

  • Recompiled the source .md with gh-aw v0.81.6 (matching the stamped
    compiler_version) in an isolated worktree — the result is byte-identical
    to the committed .lock.yml, with no other files touched. The lock is a
    faithful, drift-free recompile, not a hand-edit.
  • No version drift: compiler_version is v0.81.6 before and after, matching main.
  • Auth wiring matches gh-aw's documented "Recommended" model
    (copilot-requests: write + ${{ github.token }}); COPILOT_GITHUB_TOKEN is
    ignored for inference when the permission is present.
  • No secret-leak regression: COPILOT_GITHUB_TOKEN's value is now github.token
    (== GITHUB_TOKEN), which remains in the redaction list.
  • No dangling references to the removed validate-secret step / output; both
    Copilot-using jobs (agent + detection) received copilot-requests: write.

An independent second-model review pass reached the same conclusions.

Non-blocking: since this is a scheduled workflow, consider manually
dispatching it right after merge to confirm the auth path, rather than
waiting for the next daily run.

@IEvangelist IEvangelist merged commit f2dc7f0 into main Jul 9, 2026
11 checks passed
@IEvangelist IEvangelist deleted the dapine/gh-aw-copilot-requests branch July 9, 2026 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants