Authenticate Copilot inference via copilot-requests: write#9574
Merged
Add the `copilot-requests: write` permission to all 30 copilot-engine
agentic workflows so Copilot inference uses the per-run GitHub Actions
token and bills through the org's centralized Copilot plan, instead of
the expiring COPILOT_GITHUB_TOKEN PAT.
- read-all workflows: `permissions: read-all` -> map form
(`all: read` + `copilot-requests: write`); the compiler re-expands
`all: read` to the full read-all scope set, so no read access is lost.
- map-style workflows: append `copilot-requests: write` to the existing
permissions block.
Recompiled all lock files with `gh aw compile --strict` (0 errors, 0
warnings). In the generated locks, inference now resolves to
`COPILOT_GITHUB_TOKEN: ${{ github.token }}` and the
"Validate COPILOT_GITHUB_TOKEN secret" step is removed. This recompile
also bundles the compiler bump v0.80.9 -> v0.81.6 across all locks.
Requires the microsoft org to have "Allow use of Copilot CLI billed to
the organization" enabled; otherwise inference falls back with an
entitlement error.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates the repository’s agentic (gh-aw) workflows to authenticate Copilot inference using the GitHub Actions token by granting copilot-requests: write and regenerating compiled workflow lockfiles with a newer gh-aw compiler version. This aligns the workflows with the documented direction of removing reliance on an expiring COPILOT_GITHUB_TOKEN PAT.
Changes:
- Adds `copilot-requests: write` to the `permissions:` block across the agentic workflow sources (including converting `read-all` to `all: read` map form where needed).
- Regenerates affected `.lock.yml` workflows and related generated files using gh-aw `v0.81.6`, updating pinned actions/containers and removing the "Validate COPILOT_GITHUB_TOKEN secret" step.
- Updates the repo's gh-aw actions lock mapping to point `setup/setup-cli` to `v0.81.6`.
| File | Description |
|---|---|
| .github/workflows/weekly-issue-activity.md | Adds copilot-requests: write to enable Actions-token Copilot inference for this agentic workflow. |
| .github/workflows/unskip-closed-tests.md | Adds copilot-requests: write to the workflow permissions map. |
| .github/workflows/test-improver.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/sub-issue-closer.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/review.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/review-on-open.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/review-after-autofix.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/repository-quality-improver.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/q.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/pr-fix.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/perf-improver.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/msbuild-quality-review.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/msbuild-quality-review.lock.yml | Regenerated with gh-aw v0.81.6; switches Copilot auth to ${{ github.token }} and updates pins/steps accordingly. |
| .github/workflows/markdown-linter.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/malicious-code-scan.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/malicious-code-scan.lock.yml | Regenerated with gh-aw v0.81.6; switches Copilot auth to ${{ github.token }} and updates pins/steps accordingly. |
| .github/workflows/link-checker.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/grade-tests.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/grade-tests-on-pr.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/glossary-maintainer.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/efficiency-improver.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/duplicate-code-detector.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/duplicate-code-detector.lock.yml | Regenerated with gh-aw v0.81.6; switches Copilot auth to ${{ github.token }} and updates pins/steps accordingly. |
| .github/workflows/dependabot-pr-bundler.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/dependabot-issue-bundler.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/daily-file-diet.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/code-simplifier.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/build-failure-analysis.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/build-failure-analysis-command.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/autofix.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/agentics-maintenance.yml | Regenerated maintenance workflow file as part of gh-aw compiler bump. |
| .github/workflows/agentic_commands.yml | Regenerated command routing payload with updated compiler version. |
| .github/workflows/adhoc-qa.md | Converts permissions: read-all into all: read + copilot-requests: write. |
| .github/workflows/address-review.agent.md | Adds copilot-requests: write to workflow permissions. |
| .github/workflows/add-tests.md | Adds copilot-requests: write to workflow permissions. |
| .github/aw/actions-lock.json | Updates gh-aw action pins from v0.80.9 to v0.81.6. |
Review details
- Files reviewed: 39/63 changed files
- Comments generated: 0
- Review effort level: Low
dependabot-issue-bundler and dependabot-pr-bundler declared `source: githubnext/agentics/workflows/<name>.md@main`, but those files do not exist upstream (githubnext/agentics has no dependabot/bundle workflows). As a result `gh aw update` always failed for both with "failed to fetch file content: exit status 1".

These are testfx-local workflows, so drop the `source:` field entirely; gh-aw then treats them as local-only and skips them during update while compile continues to work. Recompiled both locks.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
0101 approved these changes (Jul 3, 2026)
What

Two related agentic-workflow maintenance fixes.

1. Authenticate Copilot inference via `copilot-requests: write`

Adds `copilot-requests: write` to the `permissions:` block of all 30 copilot-engine workflows, recompiled with `gh aw compile --strict` (0 errors, 0 warnings). This switches Copilot inference auth from the expiring `COPILOT_GITHUB_TOKEN` PAT to the per-run GitHub Actions token, billed through the org's centralized Copilot plan — the approach already documented in `.github/workflows/README.md`.

Two frontmatter shapes:

- read-all workflows (adhoc-qa, code-simplifier, dependabot-pr-bundler, efficiency-improver, link-checker, perf-improver, pr-fix, test-improver): `permissions: read-all` → map form `all: read` + `copilot-requests: write`. The compiler re-expands `all: read` to the full read-all scope set, so no read access is lost.
- map-style workflows: append `copilot-requests: write` to the existing `permissions:` map.

In the generated locks, inference now resolves to `COPILOT_GITHUB_TOKEN: ${{ github.token }}` and the `Validate COPILOT_GITHUB_TOKEN secret` step is removed everywhere.

2. Remove dangling `source:` from the dependabot workflows

`dependabot-issue-bundler` and `dependabot-pr-bundler` declared `source: githubnext/agentics/workflows/<name>.md@main`, but those files do not exist upstream — so `gh aw update` failed for both with `failed to fetch file content: exit status 1`. They're testfx-local workflows, so the `source:` field is dropped; gh-aw now treats them as local-only and skips them during `update`.

Note

The copilot-requests recompile also bundles the gh-aw compiler bump v0.80.9 → v0.81.6 across all locks (action/image pin refreshes, a new "Log runtime features" step, and `agentic_commands.yml`/`agentics-maintenance.yml` regeneration), which accounts for most of the diff size.

Requires the `microsoft` org to have "Allow use of Copilot CLI billed to the organization" enabled (Org → Settings → Copilot → Policies → Copilot CLI). Once `copilot-requests: write` is set, `COPILOT_GITHUB_TOKEN` is ignored for inference — so if that policy is off, runs fail with an entitlement error. Recommend confirming via a single `workflow_dispatch` probe (e.g. `adhoc-qa`) before relying on it broadly.
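The two frontmatter shapes described in the PR, as an added example that is not part of this PR or of gh-aw itself: a small checker that reports which workflow sources still lack the `copilot-requests: write` grant, plus a rewriter that performs the same two conversions the PR applied by hand (`permissions: read-all` to the `all: read` map form, and appending the key to an existing map). The function names (`check`, `upgrade`, `parse_permissions`), the minimal hand-written frontmatter parser (it understands only these two shapes, so it runs without PyYAML) and the sample workflow texts are all constructed for this example; the re-expansion of `all: read` to the full read-all scope set is the gh-aw compiler's job and is not modelled here.

```python
"""Check and upgrade gh-aw workflow frontmatter for `copilot-requests: write`.

Example code written for this page, not the PR's or gh-aw's own tooling. The
parser deliberately handles only the two `permissions:` shapes the PR
describes: a scalar (`read-all`) and an indented key/value map.
"""
import re
from typing import Dict, Optional, Union

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.S)
PERMISSIONS_KEY_RE = re.compile(r"^permissions:\s*(\S.*)?$")
MAP_ENTRY_RE = re.compile(r"^(\s+)([\w-]+):\s*(\S+)\s*$")


def extract_frontmatter(markdown: str) -> str:
    """Return the YAML text between the leading `---` fences."""
    m = FRONTMATTER_RE.match(markdown)
    if not m:
        raise ValueError("no YAML frontmatter")
    return m.group(1)


def parse_permissions(frontmatter: str) -> Optional[Union[str, Dict[str, str]]]:
    """Return the scalar string, a dict for the map shape, or None if absent."""
    lines = frontmatter.splitlines()
    for i, line in enumerate(lines):
        m = PERMISSIONS_KEY_RE.match(line)
        if not m:
            continue
        if m.group(1):
            return m.group(1).strip()          # scalar shape, e.g. `read-all`
        perms: Dict[str, str] = {}
        for sub in lines[i + 1:]:
            sm = MAP_ENTRY_RE.match(sub)
            if not sm:
                break                          # indented block has ended
            perms[sm.group(2)] = sm.group(3)
        return perms
    return None


def check(markdown: str) -> str:
    """Classify one workflow source: ok / scalar-needs-map-form / missing-copilot-requests / no-permissions."""
    perms = parse_permissions(extract_frontmatter(markdown))
    if perms is None:
        return "no-permissions"
    if isinstance(perms, str):
        return "scalar-needs-map-form"
    if perms.get("copilot-requests") != "write":
        return "missing-copilot-requests"
    return "ok"


def upgrade(markdown: str) -> str:
    """Apply the PR's two conversions; idempotent on already-granted workflows."""
    lines = markdown.split("\n")
    if not lines or lines[0] != "---":
        raise ValueError("no YAML frontmatter")
    end = lines.index("---", 1)                # closing fence of the frontmatter
    for i in range(1, end):
        m = PERMISSIONS_KEY_RE.match(lines[i])
        if not m:
            continue
        if m.group(1):                         # scalar shape
            if m.group(1).strip() != "read-all":
                raise ValueError(f"unsupported scalar permissions value: {m.group(1)!r}")
            # Same rewrite as the PR: read-all -> all: read + copilot-requests: write
            lines[i:i + 1] = ["permissions:", "  all: read", "  copilot-requests: write"]
            return "\n".join(lines)
        indent, j = "  ", i + 1                # map shape: walk the indented block
        while j < end and MAP_ENTRY_RE.match(lines[j]):
            entry = MAP_ENTRY_RE.match(lines[j])
            indent = entry.group(1)
            if entry.group(2) == "copilot-requests":
                lines[j] = f"{indent}copilot-requests: write"   # already present: normalise value
                return "\n".join(lines)
            j += 1
        lines.insert(j, f"{indent}copilot-requests: write")    # append to the existing map
        return "\n".join(lines)
    raise ValueError("no permissions block in frontmatter")


# Constructed sample workflow sources, one per shape (not files from the repo).
SAMPLE_READ_ALL = "---\non: workflow_dispatch\npermissions: read-all\nengine: copilot\n---\n\n# Probe\n"
SAMPLE_MAP = "---\non: workflow_dispatch\npermissions:\n  contents: read\n  issues: write\nengine: copilot\n---\n\n# Probe\n"

if __name__ == "__main__":
    for name, text in (("read-all", SAMPLE_READ_ALL), ("map", SAMPLE_MAP)):
        print(f"{name}: {check(text)} -> {check(upgrade(text))}")
```

Run it over `.github/workflows/*.md` to get a status per file before and after the rewrite; any file reporting `scalar-needs-map-form` or `missing-copilot-requests` after a recompile is one whose inference will still try the old PAT path.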