Description
In the opentelemetry.io repo, we've been working on an AI content detection workflow that uses the Copilot CLI to analyze PR diffs and detect potentially AI-generated content. See the related issue on open-telemetry/opentelemetry.io#8520 and the implementation on open-telemetry/opentelemetry.io#8637.
The current workflow is ready to be deployed and tested, but we've hit an authentication limitation (see the workflow run) that didn't show up while testing it in private repos (and also outside an organization).
The current authentication setup uses the otelbot GitHub App, which works great for standard GitHub API operations like reading PRs, posting comments, or adding labels.
The current issue with the workflow is that the Copilot CLI requires user-level permissions, and GitHub App tokens apparently cannot be granted these permissions to access the Copilot CLI. To access the Copilot CLI within a workflow, we would need to create an organization secret containing a fine-grained Personal Access Token (PAT) with the "Copilot Requests" permission. The workflow would then use:
- The `otelbot` token for all repository operations (continues as-is).
- Organization fine-grained access token for Copilot CLI authentication only.
Given the requirement for a user-level PAT, and based on my current understanding that the token creator must individually possess a Copilot license, I have some questions regarding the setup for this token:
- Can we take advantage of the organization's Copilot license instead?
- Is it possible to issue this fine-grained token without tying its usage and licensing to an individual user?
/cc @open-telemetry/docs-maintainers