Add features.copilot-requests feature flag for GitHub Actions token auth #18028
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
When features.copilot-requests: true is set:
- Skip the secret validation step (no COPILOT_GITHUB_TOKEN required)
- Add copilot-requests: write to workflow permissions
- Use ${{ github.token }} as the COPILOT_GITHUB_TOKEN value
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot enable feature on smoke-copilot
- Add features.copilot-requests: true to smoke-copilot.md
- Pass data.Features to threatDetectionData in threat_detection.go so the feature flag applies to the detection job as well
- Recompile smoke-copilot.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in 14473f0. Added

Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:
@copilot merge main and recompile
Pull request overview
This PR adds a copilot-requests feature flag that allows workflows to authenticate the Copilot CLI using the built-in GitHub Actions token (${{ github.token }}) instead of requiring a stored COPILOT_GITHUB_TOKEN secret. When enabled, the feature automatically injects copilot-requests: write permission, skips secret validation, and switches the token source.
Changes:
- Adds copilot-requests feature flag infrastructure and permission scope
- Modifies Copilot engine installation and execution to conditionally use GitHub Actions token
- Propagates feature flags to threat detection job for consistency
- Enables the feature in the smoke-copilot workflow as a test
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/constants/constants.go | Defines the CopilotRequestsFeatureFlag constant |
| pkg/workflow/permissions.go | Adds PermissionCopilotRequests scope and converter support |
| pkg/workflow/tools.go | Injects copilot-requests: write permission when feature is enabled |
| pkg/workflow/copilot_engine_installation.go | Skips secret validation step when feature is enabled |
| pkg/workflow/copilot_engine_execution.go | Switches token source to ${{ github.token }} when feature is enabled |
| pkg/workflow/threat_detection.go | Propagates feature flags to detection job data |
| .github/workflows/smoke-copilot.md | Enables copilot-requests: true in the smoke test |
| .github/workflows/smoke-copilot.lock.yml | Generated lock file with applied feature flag changes |
…-one Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in 2fb0818. Merged main and resolved the conflict in
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
PRs: Add agent-focused links to the docs footer; 🔧 Fix GH_AW_CI_TRIGGER_TOKEN emit scope and update docs
💥 WHOOSH! The Claude smoke test agent blazes through like a COMET! 🌟 KAPOW! All systems NOMINAL! Claude was here on run §22335110628! ZAP! BOOM! WHAM! 🤖✨ The AI agents are watching your every commit, hero!
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
@copilot investigate why the call to copilot in the detection job failed with an authentication issue. Check the permissions and what token was configured on copilot. https://github.com/github/gh-aw/actions/runs/22335110644/job/64626143529
Investigation findings:

Permissions — Correct. The detection job has

Token configured —

Root cause — The Copilot CLI v0.0.414, when run directly on the host, fails immediately with:

The

Why the agent job succeeds — The agent job runs copilot via

Fix needed — The detection job runs copilot directly on the host (no AWF), so it needs either:
@copilot the detection job must add env var to agentic run S2STOKENS: true
…uests feature is enabled Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
Smoke Test Results for PR #18028 by
| Test | Status |
|---|---|
| GitHub MCP | ✅ |
| Safe Inputs GH CLI | ✅ |
| Serena MCP | ❌ |
| Playwright | ✅ |
| Web Fetch | ✅ |
| File Writing | ✅ |
| Bash Tool | ✅ |
| Build gh-aw | ✅ |
| PR Review | ✅ |
Overall:
📰 BREAKING: Report filed by Smoke Copilot
Smoke test review of PR #18028. Changes look good: adds copilot-requests: write permission and removes the now-unnecessary secret validation step, simplifying the workflow.
📰 BREAKING: Report filed by Smoke Copilot
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Added the `features.copilot-requests` feature flag so GitHub Actions token authentication and threat detection jobs honor the new Copilot requests flow. |
Good changeset entry! The description clearly explains what the copilot-requests feature flag does.
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
Commit pushed:
Smoke test results:
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
- `copilot-requests` feature flag to `smoke-copilot.md`
- `threat_detection.go` to propagate feature flags to detection job
- `smoke-copilot.lock.yml`
- `copilot_engine_installation.go`)
- `tools.go`: early return for `permissions: {}` no longer bypasses `copilot-requests: write` injection when feature is enabled
- `threat_detection.go`: inject `copilot-requests: write` into detection job permissions when feature is enabled
- `copilot_engine_execution.go`: add `S2STOKENS: true` to execution env when `copilot-requests` feature is enabled, allowing the Copilot CLI to accept GitHub App installation tokens (`ghs_*`) such as `${{ github.token }}`

Changeset

`features.copilot-requests` feature flag so GitHub Actions token authentication and threat detection jobs honor the Copilot requests flow.

Warning

The following domain was blocked by the firewall during workflow execution:
- github.com

✨ PR Review Safe Output Test - Run 22334678781
Changeset

`features.copilot-requests` feature flag so GitHub Actions token authentication, threat detection permissions, and the Copilot CLI execution environment honor the Copilot requests flow (injecting `copilot-requests: write` permissions and enabling `S2STOKENS=true`).

Warning

The following domain was blocked by the firewall during workflow execution:
- github.com

✨ PR Review Safe Output Test - Run 22337202812
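
The description above ties three settings together on every job that runs the Copilot CLI: the `${{ github.token }}` token source, the `copilot-requests: write` permission, and `S2STOKENS: true`. The following lint is an added example, not code from gh-aw; the `Job` type and `LintCopilotJob` function are hypothetical and model a compiled job only as permission and env maps.

```go
package main

import (
	"fmt"
	"strings"
)

// Job is a hypothetical, simplified view of one compiled workflow job.
type Job struct {
	Name        string
	Permissions map[string]string // scope -> level; an empty map models `permissions: {}`
	Env         map[string]string // env of the step that runs the Copilot CLI
}

// actionsToken is matched exactly, in the form the PR text uses.
const actionsToken = "${{ github.token }}"

// LintCopilotJob reports settings that disagree with the job's token source.
func LintCopilotJob(j Job) []string {
	var findings []string
	tok := strings.TrimSpace(j.Env["COPILOT_GITHUB_TOKEN"])
	switch {
	case tok == "":
		findings = append(findings, "COPILOT_GITHUB_TOKEN is not set")
	case tok == actionsToken:
		// Built-in token: the job needs the scope and the CLI opt-in the PR adds.
		if j.Permissions["copilot-requests"] != "write" {
			findings = append(findings, "missing permission copilot-requests: write")
		}
		if j.Env["S2STOKENS"] != "true" {
			findings = append(findings, "missing env S2STOKENS: true")
		}
	default:
		// Another token source (e.g. a stored secret): the scope is unused here.
		if j.Permissions["copilot-requests"] == "write" {
			findings = append(findings, "copilot-requests: write granted but github.token is not used")
		}
	}
	return findings
}

func main() {
	// Constructed sample: a detection job with `permissions: {}` and no S2STOKENS.
	detection := Job{Name: "detection", Permissions: map[string]string{},
		Env: map[string]string{"COPILOT_GITHUB_TOKEN": actionsToken}}
	for _, f := range LintCopilotJob(detection) {
		fmt.Printf("%s: %s\n", detection.Name, f)
	}
}
```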