
Authenticate Copilot inference via copilot-requests: write #9574

Merged: Evangelink merged 2 commits into main from evangelink-copilot-requests-permission, Jul 3, 2026

Conversation

@Evangelink Evangelink commented Jul 3, 2026

Member

What

Two related agentic-workflow maintenance fixes.

1. Authenticate Copilot inference via copilot-requests: write

Adds copilot-requests: write to the permissions: block of all 30 copilot-engine workflows, recompiled with gh aw compile --strict (0 errors, 0 warnings). This switches Copilot inference auth from the expiring COPILOT_GITHUB_TOKEN PAT to the per-run GitHub Actions token, billed through the org's centralized Copilot plan — the approach already documented in .github/workflows/README.md.

Two frontmatter shapes:

  • read-all workflows (adhoc-qa, code-simplifier, dependabot-pr-bundler, efficiency-improver, link-checker, perf-improver, pr-fix, test-improver): permissions: read-all → map form all: read + copilot-requests: write. The compiler re-expands all: read to the full read-all scope set, so no read access is lost.
  • map-style workflows (the other 22): append copilot-requests: write to the existing permissions: map.

In the generated locks, inference now resolves to COPILOT_GITHUB_TOKEN: ${{ github.token }} and the Validate COPILOT_GITHUB_TOKEN secret step is removed everywhere.

2. Remove dangling source: from the dependabot workflows

dependabot-issue-bundler and dependabot-pr-bundler declared source: githubnext/agentics/workflows/<name>.md@main, but those files do not exist upstream — so gh aw update failed for both with failed to fetch file content: exit status 1. They're testfx-local workflows, so the source: field is dropped; gh-aw now treats them as local-only and skips them during update.

Note

The copilot-requests recompile also bundles the gh-aw compiler bump v0.80.9 → v0.81.6 across all locks (action/image pin refreshes, a new "Log runtime features" step, and agentic_commands.yml / agentics-maintenance.yml regeneration), which accounts for most of the diff size.

⚠️ Prerequisite

Requires the microsoft org to have "Allow use of Copilot CLI billed to the organization" enabled (Org → Settings → Copilot → Policies → Copilot CLI). Once copilot-requests: write is set, COPILOT_GITHUB_TOKEN is ignored for inference — so if that policy is off, runs fail with an entitlement error. Recommend confirming via a single workflow_dispatch probe (e.g. adhoc-qa) before relying on it broadly.
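A small check-and-migrate helper for the two frontmatter shapes described above, added here as an illustration; it is not part of this PR, of testfx, or of gh-aw. It assumes gh-aw workflow `.md` files carry YAML frontmatter between `---` lines with a top-level `permissions:` key written either as the `read-all` scalar or as a two-space-indented map, and it runs on constructed sample documents rather than the real workflow files.

```python
import re
# Constructed sample frontmatter in the two shapes the PR describes
# (not real testfx workflow files).
SAMPLE_READ_ALL = "---\non: workflow_dispatch\npermissions: read-all\nengine: copilot\n---\n# Adhoc QA\n"
SAMPLE_MAP = "---\npermissions:\n  contents: read\n  issues: write\nengine: copilot\n---\nbody\n"

def _split(doc):
    """Split a gh-aw workflow .md into (frontmatter lines, markdown body)."""
    m = re.match(r"\A---\n(.*?)\n---\n", doc, re.S)
    if not m:
        raise ValueError("no YAML frontmatter")
    return m.group(1).split("\n"), doc[m.end():]

def permissions(fm_lines):
    """Locate the top-level permissions: key -> (start, end, scalar, scopes);
    scalar is an inline value such as read-all (else None), scopes the parsed map."""
    for i, line in enumerate(fm_lines):
        m = re.match(r"permissions:\s*(\S+)?\s*$", line)
        if not m:
            continue
        if m.group(1):
            return i, i + 1, m.group(1), {}
        scopes, j = {}, i + 1
        while j < len(fm_lines):
            km = re.match(r"  ([\w-]+):\s*(\S+)\s*$", fm_lines[j])
            if not km:
                break
            scopes[km.group(1)] = km.group(2)
            j += 1
        return i, j, None, scopes
    raise ValueError("no permissions: key")

def uses_actions_token(doc):
    """True when copilot-requests: write is granted, i.e. inference uses ${{ github.token }}."""
    return permissions(_split(doc)[0])[3].get("copilot-requests") == "write"

def migrate(doc):
    """read-all -> all: read + copilot-requests: write; map -> append. No-op if done."""
    fm, body = _split(doc)
    start, end, scalar, scopes = permissions(fm)
    if scopes.get("copilot-requests") == "write":
        return doc
    if scalar == "read-all":
        block = ["permissions:", "  all: read", "  copilot-requests: write"]
    elif scalar is None:
        block = fm[start:end] + ["  copilot-requests: write"]
    else:  # e.g. write-all: refuse rather than silently widen or narrow scope
        raise ValueError(f"unhandled permissions shape: {scalar}")
    return "---\n" + "\n".join(fm[:start] + block + fm[end:]) + "\n---\n" + body
```

`uses_actions_token` doubles as a drift check in CI, flagging any copilot-engine workflow that would still fall back to the PAT.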

Add the `copilot-requests: write` permission to all 30 copilot-engine
agentic workflows so Copilot inference uses the per-run GitHub Actions
token and bills through the org's centralized Copilot plan, instead of
the expiring COPILOT_GITHUB_TOKEN PAT.

- read-all workflows: `permissions: read-all` -> map form
  (`all: read` + `copilot-requests: write`); the compiler re-expands
  `all: read` to the full read-all scope set, so no read access is lost.
- map-style workflows: append `copilot-requests: write` to the existing
  permissions block.

Recompiled all lock files with `gh aw compile --strict` (0 errors, 0
warnings). In the generated locks, inference now resolves to
`COPILOT_GITHUB_TOKEN: ${{ github.token }}` and the
"Validate COPILOT_GITHUB_TOKEN secret" step is removed. This recompile
also bundles the compiler bump v0.80.9 -> v0.81.6 across all locks.

Requires the microsoft org to have "Allow use of Copilot CLI billed to
the organization" enabled; otherwise inference falls back with an
entitlement error.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 3, 2026 11:27

Copilot AI left a comment

Contributor


Pull request overview

This PR updates the repository’s agentic (gh-aw) workflows to authenticate Copilot inference using the GitHub Actions token by granting copilot-requests: write and regenerating compiled workflow lockfiles with a newer gh-aw compiler version. This aligns the workflows with the documented direction of removing reliance on an expiring COPILOT_GITHUB_TOKEN PAT.

Changes:

  • Adds copilot-requests: write to the permissions: block across the agentic workflow sources (including converting read-all to all: read map form where needed).
  • Regenerates affected .lock.yml workflows and related generated files using gh-aw v0.81.6, updating pinned actions/containers and removing the “Validate COPILOT_GITHUB_TOKEN secret” step.
  • Updates the repo’s gh-aw actions lock mapping to point setup/setup-cli to v0.81.6.
Summary per file:

| File | Description |
|---|---|
| .github/workflows/weekly-issue-activity.md | Adds copilot-requests: write to enable Actions-token Copilot inference for this agentic workflow. |
| .github/workflows/unskip-closed-tests.md | Adds copilot-requests: write to the workflow permissions map. |
| .github/workflows/test-improver.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/sub-issue-closer.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/review.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/review-on-open.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/review-after-autofix.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/repository-quality-improver.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/q.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/pr-fix.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/perf-improver.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/msbuild-quality-review.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/msbuild-quality-review.lock.yml | Regenerated with gh-aw v0.81.6; switches Copilot auth to ${{ github.token }} and updates pins/steps accordingly. |
| .github/workflows/markdown-linter.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/malicious-code-scan.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/malicious-code-scan.lock.yml | Regenerated with gh-aw v0.81.6; switches Copilot auth to ${{ github.token }} and updates pins/steps accordingly. |
| .github/workflows/link-checker.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/grade-tests.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/grade-tests-on-pr.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/glossary-maintainer.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/efficiency-improver.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/duplicate-code-detector.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/duplicate-code-detector.lock.yml | Regenerated with gh-aw v0.81.6; switches Copilot auth to ${{ github.token }} and updates pins/steps accordingly. |
| .github/workflows/dependabot-pr-bundler.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/dependabot-issue-bundler.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/daily-file-diet.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/code-simplifier.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/build-failure-analysis.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/build-failure-analysis-command.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/autofix.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/agentics-maintenance.yml | Regenerated maintenance workflow file as part of gh-aw compiler bump. |
| .github/workflows/agentic_commands.yml | Regenerated command routing payload with updated compiler version. |
| .github/workflows/adhoc-qa.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/address-review.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/add-tests.md | Adds copilot-requests: write to workflow permissions. |
| .github/aw/actions-lock.json | Updates gh-aw action pins from v0.80.9 to v0.81.6. |

Review details

  • Files reviewed: 39/63 changed files
  • Comments generated: 0
  • Review effort level: Low

dependabot-issue-bundler and dependabot-pr-bundler declared
`source: githubnext/agentics/workflows/<name>.md@main`, but those files
do not exist upstream (githubnext/agentics has no dependabot/bundle
workflows). As a result `gh aw update` always failed for both with
"failed to fetch file content: exit status 1".

These are testfx-local workflows, so drop the `source:` field entirely;
gh-aw then treats them as local-only and skips them during update while
compile continues to work. Recompiled both locks.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@Evangelink Evangelink added the state/needs-review Awaiting review from the team. label Jul 3, 2026
@Evangelink Evangelink marked this pull request as ready for review July 3, 2026 11:41
Copilot AI review requested due to automatic review settings July 3, 2026 11:41
@Evangelink Evangelink enabled auto-merge (squash) July 3, 2026 11:41

Copilot AI left a comment

Contributor


Review details

  • Files reviewed: 39/63 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread .github/workflows/weekly-issue-activity.md
@Evangelink Evangelink merged commit 939f782 into main Jul 3, 2026
36 of 37 checks passed
@Evangelink Evangelink deleted the evangelink-copilot-requests-permission branch July 3, 2026 11:53