Updating permissions for agentic workflows #39071
Co-authored-by: xirzec <639216+xirzec@users.noreply.github.com>
@copilot can you add a PR description?

Added a PR description summarizing the change: it adds the
Pull request overview
This PR grants the copilot-requests: write permission to all 13 GitHub Agentic Workflow (gh-aw) definitions in .github/workflows and recompiles their generated .lock.yml lock files via gh aw compile. The effect of the recompilation is that the copilot-engine workflows now authenticate Copilot API calls using the workflow's github.token (service-to-service tokens, S2STOKENS: true) rather than a dedicated COPILOT_GITHUB_TOKEN PAT secret. As a result, the regenerated lock files drop the COPILOT_GITHUB_TOKEN secret from the manifest, remove the "Validate COPILOT_GITHUB_TOKEN secret" step and its secret_verification_result output, and stop redacting that secret.
I verified that:
- Exactly 13 `.md`/`.lock.yml` agentic-workflow pairs exist in the repo, and all 13 are updated, so the change is complete.
- `copilot-requests` is a valid Actions permission scope used for Copilot API requests.
- The `continue-on-error: true` removal on the "Checkout PR branch" step in `mgmt-review.lock.yml` is not a regression: the sibling review workflows (`archie.lock.yml:478-481`, `dash.lock.yml:478`) never had it, so regeneration simply normalizes `mgmt-review` to the canonical v0.77.5 compiler output (this drift was the only behavioral side-effect not called out in the description).

Changes:
- Added `copilot-requests: write` under `permissions:` in each of the 13 agentic workflow `.md` sources.
- Recompiled all 13 `.lock.yml` files, migrating Copilot auth from the `COPILOT_GITHUB_TOKEN` secret to `github.token` + `S2STOKENS: true` and removing the secret-validation/redaction machinery.

Summary per file:
| File | Description |
|---|---|
| agent-observability.md / .lock.yml | Adds copilot-requests: write; regenerated lock migrates Copilot token to github.token, adds S2STOKENS |
| archie.md / .lock.yml | Adds permission; regenerated lock drops COPILOT_GITHUB_TOKEN secret + validate step |
| dash.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
| dexter.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
| docs-consistency-check.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
| fix-test-failures.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
| issue-triage.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
| mgmt-guidance.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
| mgmt-review.md / .lock.yml | Adds permission; regenerated lock also normalizes stale continue-on-error on checkout-pr step + trailing newline |
| scribe.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
| sentinel.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
| tester.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
| upgrade-agentic-workflows.md / .lock.yml | Adds permission; regenerated lock token/secret migration |
Copilot's findings
- Files reviewed: 26/26 changed files
- Comments generated: 0
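The review above rests on three checks a maintainer would want to repeat locally after any `gh aw compile` run: every `.md` source has a compiled `.lock.yml` sibling (and no lock file is orphaned), every source carries `copilot-requests: write` under `permissions:`, and no regenerated lock still references the `COPILOT_GITHUB_TOKEN` secret or lacks the `S2STOKENS` setting. The script below is an added example for this thread, not code from the PR, from `gh-aw`, or from the `azure-sdk-for-js` repository. It assumes that gh-aw `.md` sources begin with a YAML frontmatter block delimited by `---` lines containing a top-level `permissions:` mapping, and that the secret name and `S2STOKENS` appear literally in the compiled lock text; the sample files embedded in it are constructed sketches, not real compiler output.

```python
"""Drift check between gh-aw agentic workflow sources (.md) and their compiled
.lock.yml files. Added example for this PR thread; not gh-aw's own tooling.

Assumptions (not taken from gh-aw itself):
  * each .md source starts with a '---'-delimited YAML frontmatter block that
    carries a top-level 'permissions:' mapping of flat 'scope: level' lines;
  * a compiled lock file is plain YAML text in which the legacy secret name and
    the S2STOKENS setting appear literally, so substring checks suffice.
"""
import re
import sys
from pathlib import Path

PERMISSION = "copilot-requests"          # the scope this PR adds to every source
LEGACY_SECRET = "COPILOT_GITHUB_TOKEN"   # the PAT secret the recompiled locks drop
LOCK_SUFFIX = ".lock.yml"


def frontmatter_permissions(md_text):
    """Return {scope: level} from the 'permissions:' mapping in the frontmatter.

    Avoids a YAML dependency on purpose: it reads only the indented
    'key: value' lines under a top-level 'permissions:' and stops at the
    next top-level key.
    """
    lines = md_text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    end = next((i for i in range(1, len(lines)) if lines[i].strip() == "---"), None)
    if end is None:
        return {}
    perms, collecting = {}, False
    for line in lines[1:end]:
        if not collecting:
            collecting = line.rstrip() == "permissions:"
            continue
        if not line.startswith((" ", "\t")):   # dedent: the mapping is over
            break
        m = re.match(r"\s+([\w-]+):\s*(\S+)", line)
        if m:
            perms[m.group(1)] = m.group(2)
    return perms


def lock_findings(lock_text):
    """Problems in one compiled lock file relative to the migration described above."""
    findings = []
    if LEGACY_SECRET in lock_text:
        findings.append(f"still references {LEGACY_SECRET} (secret or validate step)")
    if "S2STOKENS" not in lock_text:
        findings.append("no S2STOKENS setting, so Copilot calls would not use github.token")
    return findings


def check_workflows(files):
    """files: {path: content}. Returns [(path, problem)] over every .md/.lock.yml pair."""
    problems = []
    for md in sorted(p for p in files if p.endswith(".md")):
        lock = md[:-len(".md")] + LOCK_SUFFIX
        if frontmatter_permissions(files[md]).get(PERMISSION) != "write":
            problems.append((md, f"missing '{PERMISSION}: write' under permissions:"))
        if lock not in files:
            problems.append((md, f"no compiled lock file {lock}"))
            continue
        problems.extend((lock, f) for f in lock_findings(files[lock]))
    for lock in sorted(p for p in files if p.endswith(LOCK_SUFFIX)):
        if lock[:-len(LOCK_SUFFIX)] + ".md" not in files:
            problems.append((lock, "lock file has no .md source (stale or orphaned)"))
    return problems


def load_workflow_dir(directory):
    """Read every .md and .lock.yml directly under a .github/workflows directory."""
    root = Path(directory)
    return {str(p): p.read_text(encoding="utf-8")
            for p in root.iterdir() if p.suffix == ".md" or p.name.endswith(LOCK_SUFFIX)}


# Constructed sample set (sketches, not real `gh aw compile` output): 'archie' is
# migrated correctly, 'dash' still has the secret-based setup, and 'orphan' is a
# lock file whose .md source was deleted.
SAMPLE_FILES = {
    ".github/workflows/archie.md": (
        "---\non:\n  pull_request:\n"
        "permissions:\n  contents: read\n  pull-requests: write\n  copilot-requests: write\n"
        "engine: copilot\n---\n# Archie\nReview the pull request.\n"
    ),
    ".github/workflows/archie.lock.yml": (
        "# sketch of a regenerated lock\nenv:\n  S2STOKENS: \"true\"\n"
        "steps:\n  - run: ./run-agent.sh\n    env:\n      GITHUB_TOKEN: ${{ github.token }}\n"
    ),
    ".github/workflows/dash.md": "---\npermissions:\n  contents: read\nengine: copilot\n---\n# Dash\n",
    ".github/workflows/dash.lock.yml": (
        "steps:\n  - name: Validate COPILOT_GITHUB_TOKEN secret\n"
        "    env:\n      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}\n"
    ),
    ".github/workflows/orphan.lock.yml": "steps: []\n",
}

if __name__ == "__main__":
    files = load_workflow_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    problems = check_workflows(files)
    for path, problem in problems:
        print(f"{path}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it with no arguments to see the four findings on the constructed sample, or point it at a checkout's `.github/workflows` directory to get a non-zero exit status whenever a source lacks the permission or a lock file was not regenerated after the source changed.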
Reverts #39071: same error as last time, `400 400 checking server-to-server token: bad request: GitHub App Server-To-Server Tokens are not supported for this endpoint`
…#39089) This PR updates gh-aw to the latest version (0.81.3) and updates our permissions to use the new `copilot-requests: write` permission per https://github.github.com/gh-aw/reference/auth/#copilot-requests-write-permission Previous attempts at this failed because the version was outdated. During my efforts to upgrade this, I also noticed that gh-aw's MCP server does not seem to work with copilot (fails to initialize) so I have removed that entry from mcp.json. As proof that this *actually* works this time (unlike in #39071 and #38944) I was able to run a successful agent against the PR branch: https://github.com/Azure/azure-sdk-for-js/actions/runs/28194833437/job/83518875360
Updating permissions for agentic workflows

Adds the `copilot-requests: write` permission to the GitHub Agentic Workflow definitions and recompiles their generated lock files.

What changed

- Added `copilot-requests: write` under `permissions:` in each agentic workflow `.md` source file.
- Recompiled each `.lock.yml` via `gh aw compile` so the generated output matches the source.

As a result of recompiling, the workflows now rely on the `copilot-requests: write` permission instead of the `COPILOT_GITHUB_TOKEN` secret, so the lock files drop the `COPILOT_GITHUB_TOKEN` secret reference and its validation step.

Affected workflows

Checklist

- Added the `copilot-requests: write` permission to workflow `.md` sources
- Recompiled `.lock.yml` files from their `.md` counterparts