[engsys] Update gh-aw to latest version and enable new billing option#39089

Merged: xirzec merged 3 commits into main from workflowBilling on Jun 25, 2026

@xirzec (Member) commented Jun 25, 2026

This PR updates gh-aw to the latest version (0.81.3) and updates our permissions to use the new copilot-requests: write permission per https://github.github.com/gh-aw/reference/auth/#copilot-requests-write-permission

Previous attempts at this failed because the version was outdated. During my efforts to upgrade this, I also noticed that gh-aw's MCP server does not seem to work with copilot (fails to initialize) so I have removed that entry from mcp.json.

As proof that this actually works this time (unlike in #39071 and #38944) I was able to run a successful agent against the PR branch: https://github.com/Azure/azure-sdk-for-js/actions/runs/28194833437/job/83518875360

@xirzec xirzec marked this pull request as ready for review June 25, 2026 19:27
Copilot AI review requested due to automatic review settings June 25, 2026 19:27

Copilot AI (Contributor) left a comment

Pull request overview

This PR upgrades the repository's GitHub Agentic Workflows (gh-aw) tooling and adopts the new copilot-requests: write permission so the workflows authenticate Copilot inference via the built-in github.token (with S2STOKENS) instead of the COPILOT_GITHUB_TOKEN secret. It also drops the non-functional github-agentic-workflows MCP server entry from .mcp.json and recompiles all workflow lock files to the new gh-aw toolchain (firewall v0.27.7, mcpg v0.3.27, github-mcp-server v1.4.0, checkout v7, github-script v9.0.0), which also introduces the daily AI-credits (AIC) guardrail plumbing and a new generated maintenance workflow.

Changes:

  • Add copilot-requests: write to every agentic workflow .md source and regenerate all .lock.yml files (compiler v0.80.9); switch Copilot auth from COPILOT_GITHUB_TOKEN secret to github.token.
  • Bump pinned action/tool versions (gh-aw 0.77.5 → 0.80.9, github-script v8/v9 → v9.0.0, checkout/cache, etc.) in actions-lock.json, copilot-setup-steps.yml, and lock files; add generated agentics-maintenance.yml.
  • Remove the github-agentic-workflows MCP entry from .mcp.json; add agentic-workflows SKILL router and refresh the agents doc to point at raw.githubusercontent.com/.../main.

Summary per file:

| File | Description |
| --- | --- |
| .mcp.json | Removes the gh-aw MCP server entry (fails to init with Copilot); remains valid JSON |
| .github/workflows/upgrade-agentic-workflows.md | Adds permission; template example hardcodes v0.81.3 over the <new-commit-sha> placeholder (flagged) |
| .github/workflows/{archie,dash,dexter,mgmt-review,mgmt-guidance,scribe,sentinel,tester,issue-triage,docs-consistency-check,agent-observability,fix-test-failures}.md | Add copilot-requests: write; bump github-script to v9.0.0 |
| .github/workflows/fix-test-failures.lock.yml, agent-observability.lock.yml | Regenerated to gh-aw v0.80.9; new AIC guardrail jobs, stdio safe-outputs, github.token auth |
| .github/workflows/copilot-setup-steps.yml | Bumps gh-aw setup-cli to v0.80.9 (contradicts description's 0.81.3, flagged) |
| .github/workflows/agentics-maintenance.yml | New generated maintenance workflow (scheduled cleanup + manual ops) |
| .github/aw/actions-lock.json | Updates pinned action SHAs; drops stale @v8/setup@v0.77.5/gh-aw/actions/setup@v0.72.1 (no dangling refs remain) |
| .github/skills/agentic-workflows/SKILL.md | New router skill dispatching gh-aw prompt files |
| .github/agents/agentic-workflows.md | Doc refresh: pins URLs to main, adds token-optimization/patterns routes |

Copilot's findings

  • Files reviewed: 27/32 changed files
  • Comments generated: 2

Comment thread .github/workflows/upgrade-agentic-workflows.md
Comment thread .github/workflows/copilot-setup-steps.yml
@xirzec xirzec merged commit b7ba38c into main Jun 25, 2026
28 checks passed
@xirzec xirzec deleted the workflowBilling branch June 25, 2026 20:11
mzhongl524 pushed a commit to mzhongl524/typespec that referenced this pull request Jun 30, 2026
)

## Problem

The agentic triage workflow fails to run with:

```
GitHub Actions / .github/workflows/issue-triage.lock.yml Invalid workflow file
(Line: 388, Col: 17): Unexpected value 'read'
```

This started after microsoft#10984 ("Enable org-billed Copilot auth") replaced
`permissions: read-all` with the gh-aw shorthand:

```yaml
permissions:
  all: read
  copilot-requests: write
```

The `all: read` shorthand expands to **every** permission set to `read`
— including `id-token: read`, which GitHub Actions rejects (`id-token`
only accepts `write` or `none`). Bumping the compiler version alone does
not fix this; the `all: read` source is the culprit.

## Fix

Following the pattern used in
[Azure/azure-sdk-for-js#39089](Azure/azure-sdk-for-js#39089):

- **`issue-triage.md`** & **`bump-tcgc-csharp.md`**: replace `all: read`
with explicit `contents: read` + `issues: read` (keeping
`copilot-requests: write`).
- **`check-agentic-workflows.yml`**: bump the pinned gh-aw from
`v0.79.8` → `v0.80.9` so the drift check matches.
- Recompiled with `gh aw compile` (v0.80.9), regenerating the
`.lock.yml` files, `agentics-maintenance.yml`, and `actions-lock.json`.
- **`.github/actionlint.yml`**: ignore the generated
`agentics-maintenance.yml` — the v0.80.9 generator emits an empty
`workflow_dispatch` choice option (`- ''`) that actionlint flags as a
syntax error. (Same generator output as the reference PR.)

## Verification

- `id-token` no longer appears in any generated workflow.
- Both lock files parse as valid YAML.
- `actionlint` passes locally with exit 0.
- Agent job permissions are now `contents: read`, `issues: read`,
`copilot-requests: write`.

Ref: [Agentic workflows no longer need a
PAT](https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/)
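
A pre-merge check for the failure described in the commit message above, written as an added example (it is not part of either PR or of gh-aw): it flags the `all:` shorthand in a workflow source and an `id-token` value other than `write` or `none` in a compiled workflow. The function names, the finding labels and the compiled-job sample are constructed for illustration, and the line-based parser assumes block-style `permissions:` mappings only.

```python
import re

# Per the commit message above: id-token only accepts "write" or "none".
ID_TOKEN_ALLOWED = {"write", "none"}

def permission_entries(text):
    """Yield (line_no, scope, value) for each entry nested under a `permissions:` key."""
    block_indent = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop YAML comments
        if not line:
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is not None:
            if indent > block_indent:
                m = re.match(r"\s*([\w-]+):\s*([\w-]+)$", line)
                if m:
                    yield no, m.group(1), m.group(2)
                continue
            block_indent = None  # dedent: the permissions mapping has ended
        if re.match(r"\s*permissions:$", line):
            block_indent = indent

def lint(text):
    """Return [(line_no, finding)] for the two problems described above."""
    findings = []
    for no, scope, value in permission_entries(text):
        if scope == "all":
            # Shorthand expands to every scope, id-token included.
            findings.append((no, "all-shorthand"))
        elif scope == "id-token" and value not in ID_TOKEN_ALLOWED:
            findings.append((no, "invalid-id-token"))
    return findings

# Constructed samples: the gh-aw source before and after the fix, and a
# hypothetical compiled job showing the expanded form that Actions rejects.
SOURCE_BEFORE = "permissions:\n  all: read\n  copilot-requests: write\n"
SOURCE_AFTER = ("permissions:\n  contents: read\n  issues: read\n"
                "  copilot-requests: write\n")
LOCK_BEFORE = ("jobs:\n  agent:\n    permissions:\n      contents: read\n"
               "      id-token: read\n      issues: read\n    runs-on: ubuntu-latest\n")

if __name__ == "__main__":
    for name, doc in [("source (before)", SOURCE_BEFORE),
                      ("lock (before)", LOCK_BEFORE),
                      ("source (after)", SOURCE_AFTER)]:
        print(name, lint(doc))
```

Running the same check over both the `.md` sources and the generated `.lock.yml` files catches the problem whether it is introduced by hand or by the compiler's expansion.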