
Updating permissions for agentic workflows #39071

Merged
xirzec merged 1 commit into main from copilot/update-agentic-workflows-permission
Jun 24, 2026

Conversation

Copilot AI (Contributor) commented Jun 24, 2026

Updating permissions for agentic workflows

Adds the copilot-requests: write permission to the GitHub Agentic Workflow definitions and recompiles their generated lock files.

What changed

  • Added copilot-requests: write under permissions: in each agentic workflow .md source file.
  • Recompiled every corresponding .lock.yml via gh aw compile so the generated output matches the source.

As a result of recompiling, the workflows now rely on the copilot-requests: write permission instead of the COPILOT_GITHUB_TOKEN secret, so the lock files drop the COPILOT_GITHUB_TOKEN secret reference and its validation step.

Affected workflows

  • agent-observability
  • archie
  • dash
  • dexter
  • docs-consistency-check
  • fix-test-failures
  • issue-triage
  • mgmt-guidance
  • mgmt-review
  • scribe
  • sentinel
  • tester
  • upgrade-agentic-workflows

Checklist

  • Add copilot-requests: write permission to workflow .md sources
  • Recompile .lock.yml files from their .md counterparts
  • Add PR description

Co-authored-by: xirzec <639216+xirzec@users.noreply.github.com>

xirzec (Member) commented Jun 24, 2026

@copilot can you add a PR description?

Copilot AI (Contributor, Author) commented Jun 24, 2026

> @copilot can you add a PR description?

Added a PR description summarizing the change: it adds the copilot-requests: write permission to the agentic workflow .md sources and recompiles their .lock.yml files (which also drops the COPILOT_GITHUB_TOKEN secret reference).

Copilot AI requested a review from xirzec June 24, 2026 22:48
@xirzec xirzec marked this pull request as ready for review June 24, 2026 22:50
Copilot AI review requested due to automatic review settings June 24, 2026 22:50
@xirzec xirzec merged commit 33a4c7d into main Jun 24, 2026
16 of 23 checks passed
@xirzec xirzec deleted the copilot/update-agentic-workflows-permission branch June 24, 2026 22:56

Copilot AI (Contributor) left a comment

Pull request overview

This PR grants the copilot-requests: write permission to all 13 GitHub Agentic Workflow (gh-aw) definitions in .github/workflows and recompiles their generated .lock.yml lock files via gh aw compile. The effect of the recompilation is that the copilot-engine workflows now authenticate Copilot API calls using the workflow's github.token (service-to-service tokens, S2STOKENS: true) rather than a dedicated COPILOT_GITHUB_TOKEN PAT secret. As a result, the regenerated lock files drop the COPILOT_GITHUB_TOKEN secret from the manifest, remove the "Validate COPILOT_GITHUB_TOKEN secret" step and its secret_verification_result output, and stop redacting that secret.

I verified that:

  • Exactly 13 .md/.lock.yml agentic-workflow pairs exist in the repo, and all 13 are updated—the change is complete.
  • copilot-requests is a valid Actions permission scope used for Copilot API requests.
  • The continue-on-error: true removal on the "Checkout PR branch" step in mgmt-review.lock.yml is not a regression—the sibling review workflows (archie.lock.yml:478-481, dash.lock.yml:478) never had it, so regeneration simply normalizes mgmt-review to the canonical v0.77.5 compiler output (this drift was the only behavioral side-effect not called out in the description).

Changes:

  • Added copilot-requests: write under permissions: in each of the 13 agentic workflow .md sources.
  • Recompiled all 13 .lock.yml files, migrating Copilot auth from the COPILOT_GITHUB_TOKEN secret to github.token + S2STOKENS: true and removing the secret-validation/redaction machinery.
Summary per file

  • agent-observability.md / .lock.yml: Adds copilot-requests: write; regenerated lock migrates Copilot token to github.token, adds S2STOKENS
  • archie.md / .lock.yml: Adds permission; regenerated lock drops COPILOT_GITHUB_TOKEN secret + validate step
  • dash.md / .lock.yml: Adds permission; regenerated lock token/secret migration
  • dexter.md / .lock.yml: Adds permission; regenerated lock token/secret migration
  • docs-consistency-check.md / .lock.yml: Adds permission; regenerated lock token/secret migration
  • fix-test-failures.md / .lock.yml: Adds permission; regenerated lock token/secret migration
  • issue-triage.md / .lock.yml: Adds permission; regenerated lock token/secret migration
  • mgmt-guidance.md / .lock.yml: Adds permission; regenerated lock token/secret migration
  • mgmt-review.md / .lock.yml: Adds permission; regenerated lock also normalizes stale continue-on-error on checkout-pr step + trailing newline
  • scribe.md / .lock.yml: Adds permission; regenerated lock token/secret migration
  • sentinel.md / .lock.yml: Adds permission; regenerated lock token/secret migration
  • tester.md / .lock.yml: Adds permission; regenerated lock token/secret migration
  • upgrade-agentic-workflows.md / .lock.yml: Adds permission; regenerated lock token/secret migration

Copilot's findings

  • Files reviewed: 26/26 changed files
  • Comments generated: 0
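The completeness check that both the PR description and the review above describe (every .md source paired with a .lock.yml, every source carrying copilot-requests: write, no lock file still referencing COPILOT_GITHUB_TOKEN), written out as an added example. This is not code from the PR, the azure-sdk-for-js repository, or the gh-aw tool. It assumes the .md sources begin with a YAML frontmatter block delimited by `---` lines in which `permissions:` is a top-level mapping, and it runs against a small constructed sample tree rather than the real .github/workflows directory.

```python
"""Audit gh-aw style workflow sources (.md) against their compiled .lock.yml files.

Three checks, mirroring what the review says it verified:
  1. every .md has a sibling .lock.yml and vice versa;
  2. every .md frontmatter lists `copilot-requests: write` under `permissions:`;
  3. no .lock.yml still references the COPILOT_GITHUB_TOKEN secret.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

REQUIRED_PERMISSION = ("copilot-requests", "write")
LEGACY_SECRET = "COPILOT_GITHUB_TOKEN"


def frontmatter_permissions(md_text: str) -> dict[str, str]:
    """Return the `permissions:` mapping from a YAML frontmatter block.

    Assumption: the frontmatter sits between two `---` lines and the children
    of `permissions:` are indented one level. Line-based on purpose, so there
    is no PyYAML dependency; nested mappings under other top-level keys are skipped.
    """
    lines = md_text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    perms: dict[str, str] = {}
    in_perms = False
    for line in lines[1:]:
        if line.strip() == "---":
            break
        if not line.strip():
            continue
        if not line[:1].isspace():  # a new top-level key ends the permissions block
            in_perms = line.rstrip() == "permissions:"
            continue
        if in_perms:
            m = re.match(r"\s+([\w-]+):\s*(\S+)", line)
            if m:
                perms[m.group(1)] = m.group(2)
    return perms


@dataclass
class AuditReport:
    unpaired: list[str] = field(default_factory=list)  # names with only .md or only .lock.yml
    missing_permission: list[str] = field(default_factory=list)
    stale_secret: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not (self.unpaired or self.missing_permission or self.stale_secret)


def audit_workflows(workflow_dir) -> AuditReport:
    root = Path(workflow_dir)
    report = AuditReport()
    md_files = {p.stem: p for p in root.glob("*.md")}
    lock_files = {p.name[: -len(".lock.yml")]: p for p in root.glob("*.lock.yml")}
    report.unpaired = sorted(set(md_files) ^ set(lock_files))
    key, value = REQUIRED_PERMISSION
    for md in sorted(md_files.values(), key=lambda p: p.name):
        if frontmatter_permissions(md.read_text(encoding="utf-8")).get(key) != value:
            report.missing_permission.append(md.name)
    for lock in sorted(lock_files.values(), key=lambda p: p.name):
        if LEGACY_SECRET in lock.read_text(encoding="utf-8"):
            report.stale_secret.append(lock.name)
    return report


def demo() -> AuditReport:
    """Run the audit on a constructed sample tree (not the repository's real files)."""
    root = Path(tempfile.mkdtemp())
    good_md = (
        "---\n"
        "on:\n  issues:\n    types: [opened]\n"
        "permissions:\n  contents: read\n  copilot-requests: write\n"
        "engine: copilot\n---\n# issue-triage\n"
    )
    old_md = "---\npermissions:\n  contents: read\nengine: copilot\n---\n# dash\n"
    clean_lock = "name: issue-triage\njobs: {}\n"
    stale_lock = (  # hypothetical pre-migration lock file still validating the old secret
        "name: dash\njobs:\n  agent:\n    steps:\n"
        "      - name: Validate COPILOT_GITHUB_TOKEN secret\n"
        "        run: test -n \"${{ secrets.COPILOT_GITHUB_TOKEN }}\"\n"
    )
    (root / "issue-triage.md").write_text(good_md, encoding="utf-8")
    (root / "issue-triage.lock.yml").write_text(clean_lock, encoding="utf-8")
    (root / "dash.md").write_text(old_md, encoding="utf-8")
    (root / "dash.lock.yml").write_text(stale_lock, encoding="utf-8")
    (root / "scribe.md").write_text(good_md, encoding="utf-8")  # deliberately no lock file
    return audit_workflows(root)


if __name__ == "__main__":
    r = demo()
    print("unpaired:", r.unpaired)
    print("missing permission:", r.missing_permission)
    print("stale secret:", r.stale_secret)
    print("ok:", r.ok)
```

Point `audit_workflows` at `.github/workflows` in a checkout to reproduce the reviewer's "13 pairs, all updated" count; a non-empty `stale_secret` list after `gh aw compile` is the signal that a lock file was not regenerated from its source.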

jeremymeng pushed a commit that referenced this pull request Jun 24, 2026
Reverts #39071

same error as last time `400 400 checking server-to-server token: bad request: GitHub App Server-To-Server Tokens are not supported for this endpoint`
xirzec added a commit that referenced this pull request Jun 25, 2026
…#39089)

This PR updates gh-aw to the latest version (0.81.3) and updates our permissions to use the new `copilot-requests: write` permission per https://github.github.com/gh-aw/reference/auth/#copilot-requests-write-permission

Previous attempts at this failed because the version was outdated. During my efforts to upgrade this, I also noticed that gh-aw's MCP server does not seem to work with copilot (fails to initialize) so I have removed that entry from mcp.json.

As proof that this *actually* works this time (unlike in #39071 and #38944) I was able to run a successful agent against the PR branch: https://github.com/Azure/azure-sdk-for-js/actions/runs/28194833437/job/83518875360

4 participants