[engsys] Update gh-aw to latest version and enable new billing option #39089
Merged
Conversation
Contributor
Pull request overview
This PR upgrades the repository's GitHub Agentic Workflows (gh-aw) tooling and adopts the new copilot-requests: write permission so the workflows authenticate Copilot inference via the built-in github.token (with S2STOKENS) instead of the COPILOT_GITHUB_TOKEN secret. It also drops the non-functional github-agentic-workflows MCP server entry from .mcp.json and recompiles all workflow lock files to the new gh-aw toolchain (firewall v0.27.7, mcpg v0.3.27, github-mcp-server v1.4.0, checkout v7, github-script v9.0.0), which also introduces the daily AI-credits (AIC) guardrail plumbing and a new generated maintenance workflow.
Changes:
- Add `copilot-requests: write` to every agentic workflow `.md` source and regenerate all `.lock.yml` files (compiler v0.80.9); switch Copilot auth from the `COPILOT_GITHUB_TOKEN` secret to `github.token`.
- Bump pinned action/tool versions (gh-aw 0.77.5→0.80.9, github-script v8/v9→v9.0.0, checkout/cache, etc.) in `actions-lock.json`, `copilot-setup-steps.yml`, and lock files; add generated `agentics-maintenance.yml`.
- Remove the `github-agentic-workflows` MCP entry from `.mcp.json`; add `agentic-workflows` SKILL router and refresh the agents doc to point at `raw.githubusercontent.com/.../main`.
| File | Description |
|---|---|
| `.mcp.json` | Removes the gh-aw MCP server entry (fails to init with Copilot); remains valid JSON |
| `.github/workflows/upgrade-agentic-workflows.md` | Adds permission; template example hardcodes v0.81.3 over the `<new-commit-sha>` placeholder (flagged) |
| `.github/workflows/{archie,dash,dexter,mgmt-review,mgmt-guidance,scribe,sentinel,tester,issue-triage,docs-consistency-check,agent-observability,fix-test-failures}.md` | Add `copilot-requests: write`; bump github-script to v9.0.0 |
| `.github/workflows/fix-test-failures.lock.yml`, `agent-observability.lock.yml` | Regenerated to gh-aw v0.80.9; new AIC guardrail jobs, stdio safe-outputs, `github.token` auth |
| `.github/workflows/copilot-setup-steps.yml` | Bumps gh-aw setup-cli to v0.80.9 (contradicts description's 0.81.3, flagged) |
| `.github/workflows/agentics-maintenance.yml` | New generated maintenance workflow (scheduled cleanup + manual ops) |
| `.github/aw/actions-lock.json` | Updates pinned action SHAs; drops stale `@v8`/`setup@v0.77.5`/`gh-aw/actions/setup@v0.72.1` (no dangling refs remain) |
| `.github/skills/agentic-workflows/SKILL.md` | New router skill dispatching gh-aw prompt files |
| `.github/agents/agentic-workflows.md` | Doc refresh: pins URLs to `main`, adds token-optimization/patterns routes |
Copilot's findings
- Files reviewed: 27/32 changed files
- Comments generated: 2
jeremymeng approved these changes, Jun 25, 2026

This was referenced Jun 26, 2026

mzhongl524 pushed a commit to mzhongl524/typespec that referenced this pull request, Jun 30, 2026:
)

## Problem

The agentic triage workflow fails to run with:

```
GitHub Actions / .github/workflows/issue-triage.lock.yml Invalid workflow file (Line: 388, Col: 17): Unexpected value 'read'
```

This started after microsoft#10984 ("Enable org-billed Copilot auth") replaced `permissions: read-all` with the gh-aw shorthand:

```yaml
permissions:
  all: read
  copilot-requests: write
```

The `all: read` shorthand expands to **every** permission set to `read` — including `id-token: read`, which GitHub Actions rejects (`id-token` only accepts `write` or `none`). Bumping the compiler version alone does not fix this; the `all: read` source is the culprit.

## Fix

Following the pattern used in [Azure/azure-sdk-for-js#39089](Azure/azure-sdk-for-js#39089):

- **`issue-triage.md`** & **`bump-tcgc-csharp.md`**: replace `all: read` with explicit `contents: read` + `issues: read` (keeping `copilot-requests: write`).
- **`check-agentic-workflows.yml`**: bump the pinned gh-aw from `v0.79.8` → `v0.80.9` so the drift check matches.
- Recompiled with `gh aw compile` (v0.80.9), regenerating the `.lock.yml` files, `agentics-maintenance.yml`, and `actions-lock.json`.
- **`.github/actionlint.yml`**: ignore the generated `agentics-maintenance.yml` — the v0.80.9 generator emits an empty `workflow_dispatch` choice option (`- ''`) that actionlint flags as a syntax error. (Same generator output as the reference PR.)

## Verification

- `id-token` no longer appears in any generated workflow.
- Both lock files parse as valid YAML.
- `actionlint` passes locally with exit 0.
- Agent job permissions are now `contents: read`, `issues: read`, `copilot-requests: write`.

Ref: [Agentic workflows no longer need a PAT](https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/)
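The referenced commit message explains the failure mechanically: a blanket `all: read` is expanded into every scope, which both over-grants (every scope at `read` rather than the two the job needs) and produces the invalid `id-token: read`. The script below is an added example, not code from this PR, from gh-aw or from the typespec commit; it reproduces that expansion, checks the result against the `id-token` rule quoted above, and confirms that the explicit `contents: read` + `issues: read` + `copilot-requests: write` form passes. The `SCOPES` list is an assumption drawn from the documented `GITHUB_TOKEN` scopes plus the new `copilot-requests` scope, and the function names are chosen here; the two YAML fragments are constructed to mirror the before/after in the commit message.

```python
import re

# Assumption (not from the page): GITHUB_TOKEN permission scopes that a
# blanket shorthand would expand to, plus the new copilot-requests scope.
SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "models", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses", "copilot-requests",
)
LEVELS = {"read", "write", "none"}


def parse_permissions_block(text):
    """Extract the first `permissions:` mapping from a YAML fragment.

    Only flat `scope: level` children are handled (enough for workflow- and
    job-level permission blocks); the mapping ends at the first non-blank line
    that is not indented deeper than the `permissions:` key itself.
    """
    perms, base = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if base is None:
            if raw.strip() == "permissions:":
                base = indent
            continue
        if indent <= base:
            break
        m = re.fullmatch(r"([\w-]+):\s*(\S+)", raw.strip())
        if m:
            perms[m.group(1)] = m.group(2)
    return perms


def expand_permissions(perms):
    """Expand the gh-aw `all: <level>` shorthand the way the commit message
    describes it: every known scope gets that level; explicit keys override."""
    expanded = {}
    if "all" in perms:
        expanded = {scope: perms["all"] for scope in SCOPES}
    expanded.update({k: v for k, v in perms.items() if k != "all"})
    return expanded


def validate_permissions(expanded):
    """Return the problems GitHub Actions would reject; [] means acceptable."""
    problems = []
    for scope, level in expanded.items():
        if scope not in SCOPES:
            problems.append(f"unknown scope {scope!r}")
        elif level not in LEVELS:
            problems.append(f"{scope}: invalid level {level!r}")
        elif scope == "id-token" and level == "read":
            # The exact failure quoted above: id-token accepts only write or none.
            problems.append("id-token: read is rejected (id-token accepts only write or none)")
    return problems


def check_workflow_permissions(text):
    """Parse, expand and validate the permissions block of one workflow file."""
    return validate_permissions(expand_permissions(parse_permissions_block(text)))


# Constructed inputs mirroring the before/after in the commit message.
BROKEN = """\
jobs:
  agent:
    permissions:
      all: read
      copilot-requests: write
    steps: []
"""
FIXED = """\
jobs:
  agent:
    permissions:
      contents: read
      issues: read
      copilot-requests: write
    steps: []
"""

if __name__ == "__main__":
    for name, text in (("all: read shorthand", BROKEN), ("explicit scopes", FIXED)):
        print(f"{name}: {check_workflow_permissions(text) or 'ok'}")
```

Run against a generated `.lock.yml`, `check_workflow_permissions(open(path).read())` gives the same answer the Actions parser gives at line 388 of the failing file, but before the push; an empty list for the explicit form is also the least-privilege result the commit's verification section lists.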
This PR updates gh-aw to the latest version (0.81.3) and updates our permissions to use the new `copilot-requests: write` permission per https://github.github.com/gh-aw/reference/auth/#copilot-requests-write-permission. Previous attempts at this failed because the version was outdated. During my efforts to upgrade this, I also noticed that gh-aw's MCP server does not seem to work with copilot (fails to initialize) so I have removed that entry from mcp.json.

As proof that this actually works this time (unlike in #39071 and #38944) I was able to run a successful agent against the PR branch: https://github.com/Azure/azure-sdk-for-js/actions/runs/28194833437/job/83518875360