Enable org-billed Copilot auth for agentic workflows#10984
Merged
Conversation
Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
timotheeguerin
June 12, 2026 21:38
View session
Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
Member
|
@copilot fix formatting and lint |
Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
Contributor
Author
Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
Member
|
@copilot lint and check agentic worflows workflow is failing now |
Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
Contributor
Author
Member
|
@copilot lint workflow is failing |
Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
Contributor
Author
|
You can try these changes here
|
markcowl
approved these changes
Jun 24, 2026
This was referenced Jun 26, 2026
mzhongl524
pushed a commit
to mzhongl524/typespec
that referenced
this pull request
Jun 30, 2026
) ## Problem The agentic triage workflow fails to run with: ``` GitHub Actions / .github/workflows/issue-triage.lock.yml Invalid workflow file (Line: 388, Col: 17): Unexpected value 'read' ``` This started after microsoft#10984 ("Enable org-billed Copilot auth") replaced `permissions: read-all` with the gh-aw shorthand: ```yaml permissions: all: read copilot-requests: write ``` The `all: read` shorthand expands to **every** permission set to `read` — including `id-token: read`, which GitHub Actions rejects (`id-token` only accepts `write` or `none`). Bumping the compiler version alone does not fix this; the `all: read` source is the culprit. ## Fix Following the pattern used in [Azure/azure-sdk-for-js#39089](Azure/azure-sdk-for-js#39089): - **`issue-triage.md`** & **`bump-tcgc-csharp.md`**: replace `all: read` with explicit `contents: read` + `issues: read` (keeping `copilot-requests: write`). - **`check-agentic-workflows.yml`**: bump the pinned gh-aw from `v0.79.8` → `v0.80.9` so the drift check matches. - Recompiled with `gh aw compile` (v0.80.9), regenerating the `.lock.yml` files, `agentics-maintenance.yml`, and `actions-lock.json`. - **`.github/actionlint.yml`**: ignore the generated `agentics-maintenance.yml` — the v0.80.9 generator emits an empty `workflow_dispatch` choice option (`- ''`) that actionlint flags as a syntax error. (Same generator output as the reference PR.) ## Verification - `id-token` no longer appears in any generated workflow. - Both lock files parse as valid YAML. - `actionlint` passes locally with exit 0. - Agent job permissions are now `contents: read`, `issues: read`, `copilot-requests: write`. Ref: [Agentic workflows no longer need a PAT](https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This updates the repository’s agentic workflows to use the current Copilot permission model for org-wide billing. The workflows no longer depend on the legacy
COPILOT_GITHUB_TOKENsecret path for Copilot inference.Workflow source updates
.github/workflows/bump-tcgc-csharp.md.github/workflows/issue-triage.mdread-allshorthand with explicit permissions that preserve read access while enabling Copilot requests:Generated workflow refresh
.lock.ymlfiles so generated workflows match the new auth model.github.tokenfor Copilot auth instead of the old secret-validation flow.Behavioral impact