Use GITHUB_TOKEN for Copilot CLI inference in agentic workflows #1469
Merged
jonathanpeppers merged 1 commit into Jun 16, 2026
GitHub announced on 2026-06-11 that gh-aw can use the built-in
GITHUB_TOKEN for Copilot CLI inference instead of a stored PAT, with
AI credits billed to the org.
Adding `copilot-requests: write` to the workflow permissions block opts
in. After recompiling, the lock file now wires
`COPILOT_GITHUB_TOKEN: ${{ github.token }}` and no longer references
`secrets.COPILOT_GITHUB_TOKEN`.
Also bumped gh-aw CLI to v0.79.8 to pick up the new compile behavior.
See: https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates the repo’s agentic workflows to use the new GitHub Agentic Workflows authentication model so Copilot CLI inference can use the workflow GITHUB_TOKEN (org-billed) instead of requiring a stored PAT/secret.
Changes:
- Adds `copilot-requests: write` permission to the source agentic workflow (`java-interop-reviewer.md`).
- Regenerates the compiled lock workflow to use `COPILOT_GITHUB_TOKEN: ${{ github.token }}` and updates related guardrail/output naming.
- Bumps gh-aw action/CLI references to v0.79.8 and updates the actions lock JSON accordingly.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/java-interop-reviewer.md | Adds copilot-requests: write permission to enable Copilot inference with GITHUB_TOKEN. |
| .github/workflows/java-interop-reviewer.lock.yml | Regenerated workflow: switches Copilot auth to ${{ github.token }}, updates gh-aw versions, and adjusts related runtime/env wiring. |
| .github/workflows/agentics-maintenance.yml | Updates generated maintenance workflow to use gh-aw actions/CLI v0.79.8. |
| .github/aw/actions-lock.json | Updates pinned gh-aw action entries to v0.79.8 + new SHA. |
simonrozsival approved these changes Jun 16, 2026
This was referenced Jun 16, 2026
jonathanpeppers added a commit that referenced this pull request Jun 16, 2026
PR #1469 added `copilot-requests: write` to the java-interop-reviewer workflow permissions block to opt into the new feature where gh-aw uses the built-in GITHUB_TOKEN for Copilot CLI inference, with AI credits billed to the org. That feature requires the "Allow use of Copilot CLI billed to the organization" Copilot policy to be enabled at the org level. The dotnet org has not enabled that policy yet, so the workflow now fails with HTTP 403 from api.githubcopilot.com/models.
See failing run: https://github.com/dotnet/java-interop/actions/runs/27628125187/job/81695629467
Revert just the opt-in line in java-interop-reviewer.md and recompile the lock file. After this merges, the COPILOT_GITHUB_TOKEN secret needs to be re-added to the copilot-pr-reviewer environment so the PAT-based flow works again.
Also revert max-ai-credits from 100M back to -1 (truly unlimited). PR #1472 capped it at 100M based on a wrong theory that -1 was causing the auth 403; that 403 reproduced under 100M too, so the cap wasn't the issue and the user prefers -1.
The gh-aw CLI v0.79.8 bump and the agentics-maintenance.yml updates from PR #1469 are intentionally left in place.
See: https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Adopt the new GitHub Agentic Workflows authentication model so the agentic workflow in this repo no longer needs a stored PAT for Copilot CLI inference.
What changed
- `copilot-requests: write` to the `permissions:` block in `.github/workflows/java-interop-reviewer.md` (the only agentic workflow in this repo).
- `gh aw compile`. The regenerated `*.lock.yml` now wires `COPILOT_GITHUB_TOKEN: ${{ github.token }}` and no longer references `secrets.COPILOT_GITHUB_TOKEN`. AI credits are billed to the org.
- `.github/aw/actions-lock.json` + `.github/workflows/agentics-maintenance.yml`) — the changelog requires running the latest CLI to pick up the new compile behavior.
After merge
- `COPILOT_GITHUB_TOKEN` repo (or org) secret can be deleted once nothing else references it. A repo-wide search shows no remaining `secrets.COPILOT_GITHUB_TOKEN` usage after this PR.
Org prerequisite (one-time)
The org must have the "Allow use of Copilot CLI billed to the organization" Copilot policy enabled. Per the changelog, this is on by default if the existing "Copilot CLI" policy is enabled, so no action is typically needed.
Intentionally NOT changed
Other secrets/PATs in agentic workflows govern safe-outputs, MCP servers, and cross-repo writes — they are unrelated to Copilot inference and are left as-is (e.g. `GH_AW_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`). This repo does not use `ANDROID_TEAM_PAT`.
Reference
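The "After merge" check above (no remaining `secrets.COPILOT_GITHUB_TOKEN` usage) and the source/lock-file agreement it depends on can be automated. The following is an added example, not code from this PR or from gh-aw; the function names are hypothetical and the workflow fragments are constructed samples, not real compiler output.

```python
import re

# Patterns built from the strings quoted in the PR description.
SECRET_REF = re.compile(r"secrets\.COPILOT_GITHUB_TOKEN\b")
TOKEN_WIRED = re.compile(r"COPILOT_GITHUB_TOKEN:\s*\$\{\{\s*github\.token\s*\}\}")
OPT_IN = re.compile(r"^\s*copilot-requests:\s*write\s*$", re.MULTILINE)

# Constructed fragments, not real gh-aw compiler output.
SOURCE_OPT_IN = "---\npermissions:\n  contents: read\n  copilot-requests: write\n---\n"
SOURCE_NO_OPT_IN = "---\npermissions:\n  contents: read\n---\n"
LOCK_PAT = "env:\n  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}\n"
LOCK_BUILTIN = "env:\n  COPILOT_GITHUB_TOKEN: ${{ github.token }}\n"
MD = ".github/workflows/java-interop-reviewer.md"
LOCK = ".github/workflows/java-interop-reviewer.lock.yml"


def audit(files):
    """files maps path -> text; returns sorted (path, finding) tuples."""
    findings = []
    for path, text in files.items():
        # 1. Any remaining reference means the stored secret is still in use.
        for n, line in enumerate(text.splitlines(), 1):
            if SECRET_REF.search(line):
                findings.append((path, f"line {n}: references the stored secret"))
        # 2. Source and compiled lock file must agree on the auth model.
        lock = path[:-3] + ".lock.yml"
        if path.endswith(".md") and lock in files:
            opted_in = bool(OPT_IN.search(text))
            wired = bool(TOKEN_WIRED.search(files[lock]))
            if opted_in and not wired:
                findings.append((lock, "stale: recompile, source opts in"))
            elif wired and not opted_in:
                findings.append((lock, "mismatch: github.token without opt-in"))
    return sorted(findings)


def secret_can_be_deleted(files):
    """True only when no file still reads secrets.COPILOT_GITHUB_TOKEN."""
    return not any(SECRET_REF.search(text) for text in files.values())


if __name__ == "__main__":
    for name, files in {
        "before recompile": {MD: SOURCE_OPT_IN, LOCK: LOCK_PAT},
        "after recompile": {MD: SOURCE_OPT_IN, LOCK: LOCK_BUILTIN},
        "after revert": {MD: SOURCE_NO_OPT_IN, LOCK: LOCK_PAT},
    }.items():
        print(name, audit(files), secret_can_be_deleted(files))
```

A clean result says nothing about the org-level Copilot policy, which the revert commit on this page names as the cause of the HTTP 403.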