You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
intro: 'You can run {% data variables.copilot.copilot_cli_short %} in a {% data variables.product.prodname_actions %} workflow using either a {% data variables.product.pat_generic %} or the built-in `GITHUB_TOKEN`. The two approaches differ in how {% data variables.product.prodname_ai_credits_short %} are billed and what setup is required.'
6
+
versions:
7
+
feature: copilot
8
+
contentType: concepts
9
+
category:
10
+
- Learn about Copilot CLI # Copilot CLI bespoke page
11
+
docsTeamMetrics:
12
+
- copilot-cli
13
+
---
14
+
15
+
## Authentication and billing options
16
+
17
+
When you run {% data variables.copilot.copilot_cli_short %} in a {% data variables.product.prodname_actions %} workflow, you can authenticate using either a {% data variables.product.pat_generic %} (PAT) or the built-in `GITHUB_TOKEN`.
18
+
19
+
***Using a PAT**: The workflow authenticates as the user who created the PAT. {% data variables.product.prodname_ai_credits_short %} are drawn from that user's {% data variables.product.prodname_copilot_short %} seat entitlements, and their license determines which models and features are available. This works in any repository but introduces operational and security risks for organizations running automations at scale.
20
+
***Using `GITHUB_TOKEN`**: The workflow authenticates as an installation, with no individual user associated with the request. How {% data variables.product.prodname_ai_credits_short %} are billed depends on where the workflow runs:
21
+
22
+
* In a **personally-owned repository**, usage is billed to the repository owner's {% data variables.product.prodname_copilot_short %} seat.
23
+
* In an **organization-owned repository**, usage is metered directly to the organization. This requires the **"Allow use of {% data variables.copilot.copilot_cli_short %} billed to the organization"** policy to be enabled by an organization owner.
24
+
25
+
Using `GITHUB_TOKEN` in an organization-owned repository is the recommended approach for automations. Each workflow run receives a short-lived, scoped token generated by {% data variables.product.prodname_actions %}, so no long-lived credentials need to be stored or rotated.
26
+
27
+
Note that this policy is separate from your {% data variables.product.prodname_copilot_short %} licensing setup. Enterprises that issue licenses through a dedicated organization and do their work in other organizations do not need {% data variables.product.prodname_copilot_short %} licensing enabled in the working organization, only the policy.
28
+
29
+
## Controlling cost
30
+
31
+
When usage is billed directly to the organization, user-level {% data variables.product.prodname_copilot_short %} budgets are not considered, because the cost is not attributed to any individual user. To manage spend for {% data variables.copilot.copilot_cli_short %} usage billed this way, you can:
32
+
33
+
* Configure cost centers for the relevant organizations. Cost centers allow cost attribution to groups of organizations, and budgets can be applied to cost centers. See [AUTOTITLE](/billing/concepts/cost-centers).
34
+
* Monitor {% data variables.product.prodname_copilot_short %} usage from your organization's billing and usage dashboards to track consumption over time.
35
+
36
+
## Security considerations
37
+
38
+
Running {% data variables.copilot.copilot_cli_short %} in automated workflows introduces security risks that are independent of which authentication method you use. Because {% data variables.copilot.copilot_cli_short %} is an agentic tool that can read and modify repository contents, a compromised or misconfigured workflow can cause unintended changes.
39
+
40
+
To reduce risk:
41
+
42
+
* Use [{% data variables.product.github %} Agentic Workflows](https://github.com/github/gh-aw) rather than invoking {% data variables.copilot.copilot_cli_short %} directly in `run` steps. Agentic Workflows are designed with guardrails for automated use.
43
+
* Follow the principle of least privilege when setting workflow permissions.
44
+
* Review workflow triggers carefully. Workflows that run on pull request events from forks are at higher risk of prompt injection.
45
+
46
+
## Next steps
47
+
48
+
To learn how to set up {% data variables.copilot.copilot_cli_short %} with `GITHUB_TOKEN` in a {% data variables.product.prodname_actions %} workflow, see [AUTOTITLE](/copilot/how-tos/copilot-cli/use-copilot-cli-in-actions).
Copy file name to clipboardExpand all lines: content/copilot/how-tos/copilot-cli/automate-copilot-cli/automate-with-actions.md
+15-3Lines changed: 15 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -17,11 +17,18 @@ docsTeamMetrics:
17
17
18
18
You can run {% data variables.copilot.copilot_cli %} in a {% data variables.product.prodname_actions %} workflow to automate AI-powered tasks as part of your CI/CD process. For example, you can summarize recent repository activity, generate reports, or scaffold project content. {% data variables.copilot.copilot_cli %} runs on the Actions runner like any other CLI tool, so you can install it during a job and invoke it from workflow steps.
19
19
20
+
## Recommended approach: {% data variables.product.github %} Agentic Workflows
21
+
22
+
For most automation use cases, we recommend using [{% data variables.product.github %} Agentic Workflows](https://github.com/github/gh-aw) rather than invoking `copilot` directly in workflow steps. Agentic workflows use `GITHUB_TOKEN` authentication by default and include additional guardrails suited for automated environments.
23
+
24
+
For setup instructions, see [Quick Start](https://github.github.com/gh-aw/setup/quick-start/) in the {% data variables.product.github %} Agentic Workflows documentation.
25
+
20
26
## Using {% data variables.copilot.copilot_cli_short %} in an Actions workflow
21
27
22
28
You can define a job in a {% data variables.product.prodname_actions %} workflow that: installs {% data variables.copilot.copilot_cli_short %} on the runner, authenticates it, runs it in programmatic mode, and then handles the results. Programmatic mode is designed for scripts and automation and lets you pass a prompt non-interactively.
23
29
24
30
Workflows can follow this pattern:
31
+
25
32
1.**Trigger**: Start the workflow on a schedule, in response to repository events, or manually.
26
33
1.**Setup**: Checkout code, set up environment.
27
34
1.**Install**: Install {% data variables.copilot.copilot_cli %} on the runner.
@@ -118,14 +125,19 @@ In this example, the workflow installs {% data variables.copilot.copilot_cli %}
118
125
119
126
## Authenticate
120
127
121
-
To allow {% data variables.copilot.copilot_cli_short %} to run on an Actions runner, you need to authenticate a {% data variables.product.github %} user account with a valid {% data variables.product.prodname_copilot_short %} license.
128
+
To allow {% data variables.copilot.copilot_cli_short %} to run on an Actions runner, you need to provide authentication credentials. There are two options:
129
+
130
+
* **Using `GITHUB_TOKEN`** (recommended for organization-owned repositories): No PAT or stored secrets required. See [AUTOTITLE](/copilot/how-tos/copilot-cli/use-copilot-cli-in-actions).
131
+
* **Using a {% data variables.product.pat_generic %}**: An alternative to `GITHUB_TOKEN`, for example if your organization has not enabled the policy, or if you want usage billed to a specific user's {% data variables.product.prodname_copilot_short %} seat. Follow the steps below.
132
+
133
+
**Step 1: Create a {% data variables.product.pat_generic %} (PAT) with the "{% data variables.product.prodname_copilot_short %} Requests" permission:**
122
134
123
-
**Step 1: Create a {% data variables.product.pat_generic %} (PAT) with the "Copilot Requests" permission:**
124
135
1. Go to your personal settings for creating a {% data variables.product.pat_v2 %}: [github.com/settings/personal-access-tokens/new](https://github.com/settings/personal-access-tokens/new?ref_product=copilot&ref_type=engagement&ref_style=text).
125
-
1. Create a new PAT with the "Copilot Requests" permission.
136
+
1. Create a new PAT with the "{% data variables.product.prodname_copilot_short %} Requests" permission.
126
137
1. Copy the token value.
127
138
128
139
**Step 2: Store the PAT as an Actions repository secret:**
140
+
129
141
1. In your repository, go to **Settings** > **Secrets and variables** > **Actions** and click **New repository secret**.
130
142
1. Give the secret a name that you will use in the workflow. In this example we're using `PERSONAL_ACCESS_TOKEN` as the name of the secret.
131
143
1. Paste the token value into the "Secret" field and click **Add secret**.
title: Using Copilot CLI in GitHub Actions with GITHUB_TOKEN
3
+
shortTitle: Copilot CLI in Actions
4
+
intro: 'Run {% data variables.copilot.copilot_cli_short %} in a {% data variables.product.prodname_actions %} workflow using the built-in `GITHUB_TOKEN`, without a {% data variables.product.pat_generic %}.'
5
+
versions:
6
+
feature: copilot
7
+
contentType: how-tos
8
+
allowTitleToDifferFromFilename: true
9
+
category:
10
+
- Manage Copilot for a team # Copilot discovery page
11
+
- Administer Copilot CLI # Copilot CLI bespoke landing page
12
+
docsTeamMetrics:
13
+
- copilot-cli
14
+
---
15
+
16
+
For background on authentication options and how billing works when running {% data variables.copilot.copilot_cli_short %} in {% data variables.product.prodname_actions %}, see [AUTOTITLE](/copilot/concepts/agents/copilot-cli/copilot-cli-in-github-actions).
17
+
18
+
## Enabling the policy
19
+
20
+
For workflows in your organization to use {% data variables.copilot.copilot_cli_short %} with `GITHUB_TOKEN`, the policy must be enabled. This policy is enabled by default for organizations with {% data variables.copilot.copilot_cli_short %} turned on, but you can confirm or change this setting in your organization's policy settings.
21
+
22
+
1. Navigate to the policy settings for your organization. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/manage-policies).
23
+
1. Under "{% data variables.copilot.copilot_cli_short %}", confirm that **Allow use of {% data variables.copilot.copilot_cli_short %} billed to the organization** is selected.
24
+
25
+
## Recommended approach: {% data variables.product.github %} Agentic Workflows
26
+
27
+
For most automation use cases, we recommend using [{% data variables.product.github %} Agentic Workflows](https://github.com/github/gh-aw) rather than invoking `copilot` directly in workflow steps. Agentic workflows use `GITHUB_TOKEN` authentication by default and include additional guardrails suited for automated environments.
28
+
29
+
For setup instructions, see [Quick Start](https://github.github.com/gh-aw/setup/quick-start/) in the {% data variables.product.github %} Agentic Workflows documentation. Your workflow must also grant the `copilot-requests: write` permission. See [Permissions](https://github.github.com/gh-aw/reference/permissions/) in the {% data variables.product.github %} Agentic Workflows documentation.
30
+
31
+
## Using {% data variables.copilot.copilot_cli_short %} directly in a workflow
32
+
33
+
If you need to invoke {% data variables.copilot.copilot_cli_short %} directly in a workflow step, install the CLI with npm.
34
+
35
+
> [!WARNING]
36
+
> Invoking {% data variables.copilot.copilot_cli_short %} directly in workflow steps gives it broad access to your workflow environment. Review your workflow triggers and permissions carefully before using this approach. Workflows triggered by pull requests from forks are particularly at risk.
37
+
38
+
### Example workflow
39
+
40
+
```yaml
41
+
name: Copilot CLI example
42
+
on: [push]
43
+
44
+
permissions:
45
+
contents: read
46
+
copilot-requests: write
47
+
48
+
jobs:
49
+
copilot:
50
+
runs-on: ubuntu-latest
51
+
steps:
52
+
- uses: {% data reusables.actions.action-checkout %}
53
+
- name: Install Copilot CLI
54
+
run: npm install -g @github/copilot
55
+
- name: Run Copilot
56
+
run: copilot --yolo -p "Summarize the changes in this commit"
57
+
env:
58
+
GITHUB_TOKEN: ${{ github.token }}
59
+
```
60
+
61
+
Key details about this example:
62
+
63
+
* The `--yolo` flag suppresses interactive prompts, which is required for non-interactive environments like {% data variables.product.prodname_actions %}.
64
+
* The `copilot-requests: write` permission is required for the workflow to make {% data variables.product.prodname_copilot_short %} requests.
65
+
* The `GITHUB_TOKEN` provided by {% data variables.product.prodname_actions %} handles authentication automatically, no additional secrets are needed.
66
+
67
+
> [!NOTE]
68
+
> You must be on a recent version of {% data variables.copilot.copilot_cli_short %} to use `GITHUB_TOKEN` authentication. Update with `copilot update`, or reinstall the latest version with `npm install -g @github/copilot`.
0 commit comments