Cloud & DevOpsSecurityDeveloper Tools

GitHub Copilot CLI in Actions: Drop the PAT, Use GITHUB_TOKEN

GitHub Actions workflow diagram showing GITHUB_TOKEN replacing PAT for Copilot CLI authentication, with a secure padlock icon on blue background
GitHub Copilot CLI in Actions now uses the built-in GITHUB_TOKEN instead of long-lived personal access tokens

On July 2, GitHub shipped a quiet but meaningful change: Copilot CLI running inside GitHub Actions no longer needs a personal access token. The built-in GITHUB_TOKEN now handles authentication on its own. For teams running Copilot at any kind of scale across multiple repositories, that one-line permission change has real operational weight behind it.

The Old Setup — and Why It Was a Problem

Before this change, wiring Copilot CLI into a GitHub Actions workflow meant the same ritual every team knew: mint a PAT with the right Copilot scopes, encrypt it as a repo or org secret, reference it as an environment variable, and then quietly hope nobody forgets it exists. The token usually belonged to whoever set it up — often the platform engineer who moved teams six months later. When their Copilot seat got reassigned, automations broke silently. Or worse, the token stayed active long after it should have been revoked.

That pattern has a name in security circles: a ghost credential. It powers production systems, but no one currently owns it, no one is rotating it, and auditors flag it in every compliance review. The tj-actions supply chain attack in 2025 and the Trivy breach in 2026 both ran on the same exploit path: extract a PAT from a runner, reuse it. PATs in CI have been the softest target in the GitHub attack surface for years.

What Changed

GitHub extended GITHUB_TOKEN to include Copilot CLI authentication. All a workflow needs is the copilot-requests: write permission declared in its permissions: block. No secrets. No tokens to manage. The token is ephemeral — it expires the moment the workflow run ends, which means even if a malicious action exfiltrated it during the job, there is nothing left to reuse afterward.

name: AI-Powered Code Review
on: [pull_request]

permissions:
  contents: read
  copilot-requests: write

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - name: Install Copilot CLI
        run: npm install -g @github/copilot
      - name: Run Copilot Review
        run: copilot --yolo -p "Review this PR for security issues and suggest improvements"

Compare that to the old pattern where env: GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} referenced a human-created secret that lived indefinitely in your secrets store. The --yolo flag suppresses interactive prompts and is required for non-interactive CI environments. No other changes are needed in the workflow file.

How to Migrate

The migration is straightforward, but there is one org-level prerequisite. You need the “Allow use of Copilot CLI billed to the organization” policy enabled — which is on by default if your org already had the “Copilot CLI” policy enabled. From there:

  1. Update Copilot CLI: copilot update or npm install -g @github/copilot
  2. Add copilot-requests: write to the permissions: block in your workflow YAML
  3. Remove COPILOT_GITHUB_TOKEN or equivalent secret references from your workflow
  4. Trigger a test run to verify authentication passes
  5. Delete the old PAT from your secrets store — do not leave it sitting dormant

The full migration walkthrough is in the official GitHub documentation.

One Limitation Worth Knowing

GITHUB_TOKEN is scoped to the current repository. If your Copilot CLI workflow needs to read or write to other private repos in the same organization, it still cannot do that with GITHUB_TOKEN alone. Cross-repo access still requires a PAT or GitHub App token stored as a secret — intentional design, not a gap. For most single-repo workflows and standard PR review automation, this is a non-issue. There is also a billing shift: AI credits consumed by Copilot CLI in Actions are now billed directly to the organization, not to an individual’s seat. User-level spending limits do not apply. GitHub provides a session_limit parameter to cap AI credit consumption per run.

The Bigger Picture

This change is one piece of GitHub’s 2026 security roadmap for GitHub Actions, which targets supply-chain risk systematically. Workflow dependency locking — pinning action dependencies to commit SHAs in a dependencies: section — is entering technical preview. A native egress firewall operating at Layer 7, outside the runner VM, is expanding access. Scoped secrets, which bind credentials to specific execution contexts rather than repo membership, are on the way.

GitHub is removing long-lived credentials from the Actions execution environment one surface at a time. The Copilot CLI PAT change is the most immediate one to act on — the feature is live now, no waitlist, no preview flag. Update your workflows, delete the old PATs, and stop carrying ghost credentials in production CI.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *