
Enable org-billed Copilot auth for agentic workflows#10984

Merged
timotheeguerin merged 6 commits into main from copilot/enable-org-wide-billing
Jun 24, 2026

Conversation

Copilot AI commented Jun 12, 2026

Contributor

This updates the repository’s agentic workflows to use the current Copilot permission model for org-wide billing. The workflows no longer depend on the legacy COPILOT_GITHUB_TOKEN secret path for Copilot inference.

  • Workflow source updates

    • Updated the agentic workflow frontmatter in:
      • .github/workflows/bump-tcgc-csharp.md
      • .github/workflows/issue-triage.md
    • Replaced broad read-all shorthand with explicit permissions that preserve read access while enabling Copilot requests:
      permissions:
        all: read
        copilot-requests: write
  • Generated workflow refresh

    • Recompiled the corresponding .lock.yml files so generated workflows match the new auth model.
    • The generated workflows now use github.token for Copilot auth instead of the old secret-validation flow.
  • Behavioral impact

    • Removes reliance on the previous Copilot token setup for these agentic workflows.
    • Aligns workflow auth with the current org-billed Copilot execution path.

Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
@timotheeguerin

Member

@copilot fix formatting and lint


Copilot AI commented Jun 15, 2026

Contributor Author

@copilot fix formatting and lint

Addressed in 7f4525c.

@timotheeguerin

Member

@copilot lint and check agentic workflows workflow is failing now


Copilot AI commented Jun 15, 2026

Contributor Author

@copilot lint and check agentic workflows workflow is failing now

Addressed in d8292cd.

@timotheeguerin

Member

@copilot lint workflow is failing


Copilot AI commented Jun 16, 2026

Contributor Author

@copilot lint workflow is failing

Addressed in 5705d26.

@timotheeguerin timotheeguerin marked this pull request as ready for review June 16, 2026 12:58
@azure-sdk-automation


You can try these changes here

🛝 Playground 🌐 Website 🛝 VSCode Extension

@timotheeguerin timotheeguerin added this pull request to the merge queue Jun 24, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 24, 2026
@timotheeguerin timotheeguerin added this pull request to the merge queue Jun 24, 2026
Merged via the queue into main with commit d5dd526 Jun 24, 2026
34 of 35 checks passed
@timotheeguerin timotheeguerin deleted the copilot/enable-org-wide-billing branch June 24, 2026 22:16
mzhongl524 pushed a commit to mzhongl524/typespec that referenced this pull request Jun 30, 2026
)

## Problem

The agentic triage workflow fails to run with:

```
GitHub Actions / .github/workflows/issue-triage.lock.yml Invalid workflow file
(Line: 388, Col: 17): Unexpected value 'read'
```

This started after microsoft#10984 ("Enable org-billed Copilot auth") replaced
`permissions: read-all` with the gh-aw shorthand:

```yaml
permissions:
  all: read
  copilot-requests: write
```

The `all: read` shorthand expands to **every** permission set to `read`
— including `id-token: read`, which GitHub Actions rejects (`id-token`
only accepts `write` or `none`). Bumping the compiler version alone does
not fix this; the `all: read` source is the culprit.

## Fix

Following the pattern used in
[Azure/azure-sdk-for-js#39089](Azure/azure-sdk-for-js#39089):

- **`issue-triage.md`** & **`bump-tcgc-csharp.md`**: replace `all: read`
with explicit `contents: read` + `issues: read` (keeping
`copilot-requests: write`).
- **`check-agentic-workflows.yml`**: bump the pinned gh-aw from
`v0.79.8` → `v0.80.9` so the drift check matches.
- Recompiled with `gh aw compile` (v0.80.9), regenerating the
`.lock.yml` files, `agentics-maintenance.yml`, and `actions-lock.json`.
- **`.github/actionlint.yml`**: ignore the generated
`agentics-maintenance.yml` — the v0.80.9 generator emits an empty
`workflow_dispatch` choice option (`- ''`) that actionlint flags as a
syntax error. (Same generator output as the reference PR.)

## Verification

- `id-token` no longer appears in any generated workflow.
- Both lock files parse as valid YAML.
- `actionlint` passes locally with exit 0.
- Agent job permissions are now `contents: read`, `issues: read`,
`copilot-requests: write`.

Ref: [Agentic workflows no longer need a
PAT](https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/)
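As an added illustration, not code from this PR or from gh-aw, of why the `all: read` frontmatter fails validation while the explicit `contents: read` + `issues: read` form passes: a small checker that expands the shorthand into per-scope permissions and validates each value. The scope list and the expansion rule are assumptions modelled on the commit message above; the rule that `id-token` accepts only `write` or `none` is the one it states.

```python
"""Check a workflow 'permissions' block the way GitHub Actions would.
Added example, not code from this PR or from gh-aw. KNOWN_SCOPES and the
`all:` expansion are assumptions modelled on the commit message above; the
rule that `id-token` only accepts `write` or `none` is stated there.
"""
from __future__ import annotations

# Assumed scope list (illustrative, not guaranteed exhaustive).
KNOWN_SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments",
    "discussions", "id-token", "issues", "packages", "pages",
    "pull-requests", "repository-projects", "security-events", "statuses",
    "copilot-requests",
)

# Most scopes accept read/write/none; id-token has no 'read' level, which is
# exactly the value the expanded `all: read` shorthand tried to give it.
ALLOWED = {scope: {"read", "write", "none"} for scope in KNOWN_SCOPES}
ALLOWED["id-token"] = {"write", "none"}


def expand_permissions(src: dict[str, str]) -> dict[str, str]:
    """Expand `all: <level>` to every known scope; explicit scopes override."""
    expanded: dict[str, str] = {}
    if "all" in src:
        expanded = {scope: src["all"] for scope in KNOWN_SCOPES}
    for scope, level in src.items():
        if scope != "all":
            expanded[scope] = level
    return expanded


def validate_permissions(perms: dict[str, str]) -> list[str]:
    """Return validator-style error strings; an empty list means the block is OK."""
    errors = []
    for scope, level in perms.items():
        if scope not in ALLOWED:
            errors.append(f"Unknown permission scope '{scope}'")
        elif level not in ALLOWED[scope]:
            errors.append(f"{scope}: Unexpected value '{level}'")
    return errors


BROKEN = {"all": "read", "copilot-requests": "write"}  # frontmatter from #10984
FIXED = {"contents": "read", "issues": "read", "copilot-requests": "write"}

if __name__ == "__main__":
    for name, src in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", validate_permissions(expand_permissions(src)) or "ok")
```

Running it reports the same `Unexpected value 'read'` for `id-token` that the Actions validator did, and an empty error list for the explicit form.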