Use GITHUB_TOKEN for Copilot CLI inference in agentic workflows #1469
Open
jonathanpeppers wants to merge 1 commit into
GitHub announced on 2026-06-11 that gh-aw can use the built-in
GITHUB_TOKEN for Copilot CLI inference instead of a stored PAT, with
AI credits billed to the org.
Adding `copilot-requests: write` to the workflow permissions block opts
in. After recompiling, the lock file now wires
`COPILOT_GITHUB_TOKEN: ${{ github.token }}` and no longer references
`secrets.COPILOT_GITHUB_TOKEN`.
Also bumped gh-aw CLI to v0.79.8 to pick up the new compile behavior.
See: https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates the repo’s agentic workflows to use the new GitHub Agentic Workflows authentication model so Copilot CLI inference can use the workflow GITHUB_TOKEN (org-billed) instead of requiring a stored PAT/secret.
Changes:
- Adds `copilot-requests: write` permission to the source agentic workflow (`java-interop-reviewer.md`).
- Regenerates the compiled lock workflow to use `COPILOT_GITHUB_TOKEN: ${{ github.token }}` and updates related guardrail/output naming.
- Bumps gh-aw action/CLI references to v0.79.8 and updates the actions lock JSON accordingly.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/java-interop-reviewer.md | Adds copilot-requests: write permission to enable Copilot inference with GITHUB_TOKEN. |
| .github/workflows/java-interop-reviewer.lock.yml | Regenerated workflow: switches Copilot auth to ${{ github.token }}, updates gh-aw versions, and adjusts related runtime/env wiring. |
| .github/workflows/agentics-maintenance.yml | Updates generated maintenance workflow to use gh-aw actions/CLI v0.79.8. |
| .github/aw/actions-lock.json | Updates pinned gh-aw action entries to v0.79.8 + new SHA. |
Summary
Adopt the new GitHub Agentic Workflows authentication model so the agentic workflow in this repo no longer needs a stored PAT for Copilot CLI inference.
What changed
- `copilot-requests: write` to the `permissions:` block in `.github/workflows/java-interop-reviewer.md` (the only agentic workflow in this repo).
- `gh aw compile`. The regenerated `*.lock.yml` now wires `COPILOT_GITHUB_TOKEN: ${{ github.token }}` and no longer references `secrets.COPILOT_GITHUB_TOKEN`. AI credits are billed to the org.
- `.github/aw/actions-lock.json` + `.github/workflows/agentics-maintenance.yml`) — the changelog requires running the latest CLI to pick up the new compile behavior.
After merge
`COPILOT_GITHUB_TOKEN` repo (or org) secret can be deleted once nothing else references it. A repo-wide search shows no remaining `secrets.COPILOT_GITHUB_TOKEN` usage after this PR.
Org prerequisite (one-time)
The org must have the "Allow use of Copilot CLI billed to the organization" Copilot policy enabled. Per the changelog, this is on by default if the existing "Copilot CLI" policy is enabled, so no action is typically needed.
Intentionally NOT changed
Other secrets/PATs in agentic workflows govern safe-outputs, MCP servers, and cross-repo writes — they are unrelated to Copilot inference and are left as-is (e.g. `GH_AW_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`). This repo does not use `ANDROID_TEAM_PAT`.
Reference
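The checks described in this pull request (no remaining `secrets.COPILOT_GITHUB_TOKEN` reference, lock file wired to `${{ github.token }}`, source workflow opted in with `copilot-requests: write`) can be run as a pre-deletion audit before removing the stored secret. This is an added example, not part of the pull request or of gh-aw; the sample file contents are constructed, and it assumes every `.md` file under `.github/workflows` is a Copilot-engine agentic workflow.

```python
import re
from pathlib import Path

# Patterns built from the strings quoted in the PR description.
SECRET_REF = re.compile(r"secrets\.COPILOT_GITHUB_TOKEN\b")
TOKEN_WIRING = re.compile(r"COPILOT_GITHUB_TOKEN:\s*\$\{\{\s*github\.token\s*\}\}")
OPT_IN = re.compile(r"^\s*copilot-requests:\s*write\s*$", re.M)

def audit(files):
    """files maps path -> text; returns sorted (path, finding) tuples."""
    findings = []
    for path, text in files.items():
        # Any leftover reference means the stored PAT is still in use.
        for n, line in enumerate(text.splitlines(), 1):
            if SECRET_REF.search(line):
                findings.append((path, f"line {n}: references secrets.COPILOT_GITHUB_TOKEN"))
        # Assumption: each compiled lock file belongs to a Copilot-engine workflow.
        if path.endswith(".lock.yml") and not TOKEN_WIRING.search(text):
            findings.append((path, "lock file does not wire COPILOT_GITHUB_TOKEN to github.token"))
        # Assumption: each .md here is an agentic workflow source.
        if path.endswith(".md") and not OPT_IN.search(text):
            findings.append((path, "source workflow lacks copilot-requests: write"))
    return sorted(findings)

def load_workflows(root="."):
    """Read workflow sources and compiled files from a local checkout."""
    wf_dir = Path(root, ".github", "workflows")
    return {p.as_posix(): p.read_text(encoding="utf-8")
            for p in sorted(wf_dir.glob("*")) if p.suffix in {".md", ".yml", ".yaml"}}

# Constructed sample contents (not copied from the repository).
BEFORE = {
    ".github/workflows/java-interop-reviewer.md":
        "---\npermissions:\n  contents: read\n---\nReview the PR.\n",
    ".github/workflows/java-interop-reviewer.lock.yml":
        "env:\n  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}\n",
}
AFTER = {
    ".github/workflows/java-interop-reviewer.md":
        "---\npermissions:\n  contents: read\n  copilot-requests: write\n---\nReview the PR.\n",
    ".github/workflows/java-interop-reviewer.lock.yml":
        "env:\n  COPILOT_GITHUB_TOKEN: ${{ github.token }}\n",
}

if __name__ == "__main__":
    for path, finding in audit(load_workflows()):
        print(f"{path}: {finding}")
```

An empty result from `audit(load_workflows())` on a checkout of the merged branch is the condition under which the stored secret has no remaining consumer in the workflows directory; references elsewhere in the org are outside what this script sees.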