Skip to content

Commit 6db070d

Browse files
authored
Merge pull request #45029 from github/repo-sync
Repo sync
2 parents 83af824 + 8b47d60 commit 6db070d

34 files changed

Lines changed: 133 additions & 438 deletions

File tree

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
---
2+
title: About using Copilot CLI in GitHub Actions
3+
shortTitle: Copilot CLI in Actions
4+
allowTitleToDifferFromFilename: true
5+
intro: 'You can run {% data variables.copilot.copilot_cli_short %} in a {% data variables.product.prodname_actions %} workflow using either a {% data variables.product.pat_generic %} or the built-in `GITHUB_TOKEN`. The two approaches differ in how {% data variables.product.prodname_ai_credits_short %} are billed and what setup is required.'
6+
versions:
7+
feature: copilot
8+
contentType: concepts
9+
category:
10+
- Learn about Copilot CLI # Copilot CLI bespoke page
11+
docsTeamMetrics:
12+
- copilot-cli
13+
---
14+
15+
## Authentication and billing options
16+
17+
When you run {% data variables.copilot.copilot_cli_short %} in a {% data variables.product.prodname_actions %} workflow, you can authenticate using either a {% data variables.product.pat_generic %} (PAT) or the built-in `GITHUB_TOKEN`.
18+
19+
* **Using a PAT**: The workflow authenticates as the user who created the PAT. {% data variables.product.prodname_ai_credits_short %} are drawn from that user's {% data variables.product.prodname_copilot_short %} seat entitlements, and their license determines which models and features are available. This works in any repository but introduces operational and security risks for organizations running automations at scale.
20+
* **Using `GITHUB_TOKEN`**: The workflow authenticates as an installation, with no individual user associated with the request. How {% data variables.product.prodname_ai_credits_short %} are billed depends on where the workflow runs:
21+
22+
* In a **personally-owned repository**, usage is billed to the repository owner's {% data variables.product.prodname_copilot_short %} seat.
23+
* In an **organization-owned repository**, usage is metered directly to the organization. This requires the **"Allow use of {% data variables.copilot.copilot_cli_short %} billed to the organization"** policy to be enabled by an organization owner.
24+
25+
Using `GITHUB_TOKEN` in an organization-owned repository is the recommended approach for automations. Each workflow run receives a short-lived, scoped token generated by {% data variables.product.prodname_actions %}, so no long-lived credentials need to be stored or rotated.
26+
27+
Note that this policy is separate from your {% data variables.product.prodname_copilot_short %} licensing setup. Enterprises that issue licenses through a dedicated organization and do their work in other organizations do not need {% data variables.product.prodname_copilot_short %} licensing enabled in the working organization, only the policy.
28+
29+
## Controlling cost
30+
31+
When usage is billed directly to the organization, user-level {% data variables.product.prodname_copilot_short %} budgets are not considered, because the cost is not attributed to any individual user. To manage spend for {% data variables.copilot.copilot_cli_short %} usage billed this way, you can:
32+
33+
* Configure cost centers for the relevant organizations. Cost centers allow cost attribution to groups of organizations, and budgets can be applied to cost centers. See [AUTOTITLE](/billing/concepts/cost-centers).
34+
* Monitor {% data variables.product.prodname_copilot_short %} usage from your organization's billing and usage dashboards to track consumption over time.
35+
36+
## Security considerations
37+
38+
Running {% data variables.copilot.copilot_cli_short %} in automated workflows introduces security risks that are independent of which authentication method you use. Because {% data variables.copilot.copilot_cli_short %} is an agentic tool that can read and modify repository contents, a compromised or misconfigured workflow can cause unintended changes.
39+
40+
To reduce risk:
41+
42+
* Use [{% data variables.product.github %} Agentic Workflows](https://github.com/github/gh-aw) rather than invoking {% data variables.copilot.copilot_cli_short %} directly in `run` steps. Agentic Workflows are designed with guardrails for automated use.
43+
* Follow the principle of least privilege when setting workflow permissions.
44+
* Review workflow triggers carefully. Workflows that run on pull request events from forks are at higher risk of prompt injection.
45+
46+
## Next steps
47+
48+
To learn how to set up {% data variables.copilot.copilot_cli_short %} with `GITHUB_TOKEN` in a {% data variables.product.prodname_actions %} workflow, see [AUTOTITLE](/copilot/how-tos/copilot-cli/use-copilot-cli-in-actions).

content/copilot/concepts/agents/copilot-cli/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ versions:
88
children:
99
- /about-copilot-cli
1010
- /comparing-cli-features
11+
- /copilot-cli-in-github-actions
1112
- /cancel-and-roll-back
1213
- /about-remote-control
1314
- /about-custom-agents

content/copilot/how-tos/copilot-cli/automate-copilot-cli/automate-with-actions.md

Lines changed: 15 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -17,11 +17,18 @@ docsTeamMetrics:
1717

1818
You can run {% data variables.copilot.copilot_cli %} in a {% data variables.product.prodname_actions %} workflow to automate AI-powered tasks as part of your CI/CD process. For example, you can summarize recent repository activity, generate reports, or scaffold project content. {% data variables.copilot.copilot_cli %} runs on the Actions runner like any other CLI tool, so you can install it during a job and invoke it from workflow steps.
1919

20+
## Recommended approach: {% data variables.product.github %} Agentic Workflows
21+
22+
For most automation use cases, we recommend using [{% data variables.product.github %} Agentic Workflows](https://github.com/github/gh-aw) rather than invoking `copilot` directly in workflow steps. Agentic workflows use `GITHUB_TOKEN` authentication by default and include additional guardrails suited for automated environments.
23+
24+
For setup instructions, see [Quick Start](https://github.github.com/gh-aw/setup/quick-start/) in the {% data variables.product.github %} Agentic Workflows documentation.
25+
2026
## Using {% data variables.copilot.copilot_cli_short %} in an Actions workflow
2127

2228
You can define a job in a {% data variables.product.prodname_actions %} workflow that: installs {% data variables.copilot.copilot_cli_short %} on the runner, authenticates it, runs it in programmatic mode, and then handles the results. Programmatic mode is designed for scripts and automation and lets you pass a prompt non-interactively.
2329

2430
Workflows can follow this pattern:
31+
2532
1. **Trigger**: Start the workflow on a schedule, in response to repository events, or manually.
2633
1. **Setup**: Checkout code, set up environment.
2734
1. **Install**: Install {% data variables.copilot.copilot_cli %} on the runner.
@@ -118,14 +125,19 @@ In this example, the workflow installs {% data variables.copilot.copilot_cli %}
118125

119126
## Authenticate
120127

121-
To allow {% data variables.copilot.copilot_cli_short %} to run on an Actions runner, you need to authenticate a {% data variables.product.github %} user account with a valid {% data variables.product.prodname_copilot_short %} license.
128+
To allow {% data variables.copilot.copilot_cli_short %} to run on an Actions runner, you need to provide authentication credentials. There are two options:
129+
130+
* **Using `GITHUB_TOKEN`** (recommended for organization-owned repositories): No PAT or stored secrets required. See [AUTOTITLE](/copilot/how-tos/copilot-cli/use-copilot-cli-in-actions).
131+
* **Using a {% data variables.product.pat_generic %}**: An alternative to `GITHUB_TOKEN`, for example if your organization has not enabled the policy, or if you want usage billed to a specific user's {% data variables.product.prodname_copilot_short %} seat. Follow the steps below.
132+
133+
**Step 1: Create a {% data variables.product.pat_generic %} (PAT) with the "{% data variables.product.prodname_copilot_short %} Requests" permission:**
122134

123-
**Step 1: Create a {% data variables.product.pat_generic %} (PAT) with the "Copilot Requests" permission:**
124135
1. Go to your personal settings for creating a {% data variables.product.pat_v2 %}: [github.com/settings/personal-access-tokens/new](https://github.com/settings/personal-access-tokens/new?ref_product=copilot&ref_type=engagement&ref_style=text).
125-
1. Create a new PAT with the "Copilot Requests" permission.
136+
1. Create a new PAT with the "{% data variables.product.prodname_copilot_short %} Requests" permission.
126137
1. Copy the token value.
127138

128139
**Step 2: Store the PAT as an Actions repository secret:**
140+
129141
1. In your repository, go to **Settings** > **Secrets and variables** > **Actions** and click **New repository secret**.
130142
1. Give the secret a name that you will use in the workflow. In this example we're using `PERSONAL_ACCESS_TOKEN` as the name of the secret.
131143
1. Paste the token value into the "Secret" field and click **Add secret**.

content/copilot/how-tos/copilot-cli/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@ children:
2121
- /automate-copilot-cli
2222
- /customize-copilot
2323
- /administer-copilot-cli-for-your-enterprise
24+
- /use-copilot-cli-in-actions
2425
- /automate-copilot-cli/automate-with-actions
2526
- /automate-copilot-cli/quickstart
2627
- /automate-copilot-cli/run-cli-programmatically
Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
---
2+
title: Using Copilot CLI in GitHub Actions with GITHUB_TOKEN
3+
shortTitle: Copilot CLI in Actions
4+
intro: 'Run {% data variables.copilot.copilot_cli_short %} in a {% data variables.product.prodname_actions %} workflow using the built-in `GITHUB_TOKEN`, without a {% data variables.product.pat_generic %}.'
5+
versions:
6+
feature: copilot
7+
contentType: how-tos
8+
allowTitleToDifferFromFilename: true
9+
category:
10+
- Manage Copilot for a team # Copilot discovery page
11+
- Administer Copilot CLI # Copilot CLI bespoke landing page
12+
docsTeamMetrics:
13+
- copilot-cli
14+
---
15+
16+
For background on authentication options and how billing works when running {% data variables.copilot.copilot_cli_short %} in {% data variables.product.prodname_actions %}, see [AUTOTITLE](/copilot/concepts/agents/copilot-cli/copilot-cli-in-github-actions).
17+
18+
## Enabling the policy
19+
20+
For workflows in your organization to use {% data variables.copilot.copilot_cli_short %} with `GITHUB_TOKEN`, the policy must be enabled. This policy is enabled by default for organizations with {% data variables.copilot.copilot_cli_short %} turned on, but you can confirm or change this setting in your organization's policy settings.
21+
22+
1. Navigate to the policy settings for your organization. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/manage-policies).
23+
1. Under "{% data variables.copilot.copilot_cli_short %}", confirm that **Allow use of {% data variables.copilot.copilot_cli_short %} billed to the organization** is selected.
24+
25+
## Recommended approach: {% data variables.product.github %} Agentic Workflows
26+
27+
For most automation use cases, we recommend using [{% data variables.product.github %} Agentic Workflows](https://github.com/github/gh-aw) rather than invoking `copilot` directly in workflow steps. Agentic workflows use `GITHUB_TOKEN` authentication by default and include additional guardrails suited for automated environments.
28+
29+
For setup instructions, see [Quick Start](https://github.github.com/gh-aw/setup/quick-start/) in the {% data variables.product.github %} Agentic Workflows documentation. Your workflow must also grant the `copilot-requests: write` permission. See [Permissions](https://github.github.com/gh-aw/reference/permissions/) in the {% data variables.product.github %} Agentic Workflows documentation.
30+
31+
## Using {% data variables.copilot.copilot_cli_short %} directly in a workflow
32+
33+
If you need to invoke {% data variables.copilot.copilot_cli_short %} directly in a workflow step, install the CLI with npm.
34+
35+
> [!WARNING]
36+
> Invoking {% data variables.copilot.copilot_cli_short %} directly in workflow steps gives it broad access to your workflow environment. Review your workflow triggers and permissions carefully before using this approach. Workflows triggered by pull requests from forks are particularly at risk.
37+
38+
### Example workflow
39+
40+
```yaml
41+
name: Copilot CLI example
42+
on: [push]
43+
44+
permissions:
45+
contents: read
46+
copilot-requests: write
47+
48+
jobs:
49+
copilot:
50+
runs-on: ubuntu-latest
51+
steps:
52+
- uses: {% data reusables.actions.action-checkout %}
53+
- name: Install Copilot CLI
54+
run: npm install -g @github/copilot
55+
- name: Run Copilot
56+
run: copilot --yolo -p "Summarize the changes in this commit"
57+
env:
58+
GITHUB_TOKEN: ${{ github.token }}
59+
```
60+
61+
Key details about this example:
62+
63+
* The `--yolo` flag suppresses interactive prompts, which is required for non-interactive environments like {% data variables.product.prodname_actions %}.
64+
* The `copilot-requests: write` permission is required for the workflow to make {% data variables.product.prodname_copilot_short %} requests.
65+
* The `GITHUB_TOKEN` provided by {% data variables.product.prodname_actions %} handles authentication automatically, no additional secrets are needed.
66+
67+
> [!NOTE]
68+
> You must be on a recent version of {% data variables.copilot.copilot_cli_short %} to use `GITHUB_TOKEN` authentication. Update with `copilot update`, or reinstall the latest version with `npm install -g @github/copilot`.

package-lock.json

Lines changed: 0 additions & 33 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -259,7 +259,6 @@
259259
"remark-rehype": "^11.1.2",
260260
"remark-remove-comments": "^1.1.1",
261261
"remark-stringify": "^11.0.0",
262-
"scroll-anchoring": "^0.1.0",
263262
"semver": "^7.7.4",
264263
"sharp": "0.33.5",
265264
"slash": "^5.1.0",
@@ -288,7 +287,6 @@
288287
"@types/cookie": "0.6.0",
289288
"@types/cookie-parser": "1.4.8",
290289
"@types/eslint-plugin-jsx-a11y": "^6.10.1",
291-
"@types/event-to-promise": "^0.7.5",
292290
"@types/express": "^5.0.6",
293291
"@types/imurmurhash": "^0.1.4",
294292
"@types/js-cookie": "^3.0.6",
@@ -313,7 +311,6 @@
313311
"eslint-config-prettier": "^10.1.8",
314312
"eslint-import-resolver-typescript": "^4.4.4",
315313
"eslint-plugin-custom-rules": "file:src/eslint-rules",
316-
"eslint-plugin-escompat": "^3.11.4",
317314
"eslint-plugin-eslint-comments": "^3.2.0",
318315
"eslint-plugin-filenames": "^1.3.2",
319316
"eslint-plugin-github": "^6.0.0",
@@ -323,7 +320,6 @@
323320
"eslint-plugin-no-only-tests": "^3.3.0",
324321
"eslint-plugin-prettier": "^5.5.5",
325322
"eslint-plugin-primer-react": "^9.0.0",
326-
"event-to-promise": "^0.8.0",
327323
"globals": "^17.3.0",
328324
"gpt-tokenizer": "^3.4.0",
329325
"graphql": "^16.12.0",
@@ -341,7 +337,6 @@
341337
"patch-package": "^8.0.1",
342338
"prettier": "^3.8.1",
343339
"rimraf": "^6.1.3",
344-
"robots-parser": "^3.0.1",
345340
"sass": "^1.97.3",
346341
"start-server-and-test": "^3.0.0",
347342
"unist-util-remove": "^4.0.0",

src/content-linter/lib/helpers/liquid-utils.ts

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -30,8 +30,6 @@ export function getLiquidTokens(
3030

3131
export const OUTPUT_OPEN = '{%'
3232
export const OUTPUT_CLOSE = '%}'
33-
export const TAG_OPEN = '{{'
34-
export const TAG_CLOSE = '}}'
3533

3634
export const conditionalTags = ['if', 'elseif', 'unless', 'case', 'ifversion']
3735

0 commit comments

Comments
 (0)