Isolate agentic workflow authentication with a Copilot token pool#7652
Open
kotlarmilos wants to merge 3 commits into
Open
Isolate agentic workflow authentication with a Copilot token pool#7652kotlarmilos wants to merge 3 commits into
kotlarmilos wants to merge 3 commits into
Conversation
Moves the agentic workflows off the single shared Copilot token onto a pooled, isolated authentication setup: each run selects a token from a COPILOT_PAT_0..9 pool within a dedicated copilot-pat-pool environment, with a shared import plus a daily pool-validation workflow. Requires the copilot-pat-pool environment and pool secrets to be configured. Also bumps the workflow tooling and regenerates all compiled lock files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the repository’s agentic workflows to stop relying on a single shared Copilot token by introducing a pooled PAT selection mechanism (COPILOT_PAT_0..9) scoped to a dedicated copilot-pat-pool environment, along with a scheduled workflow to validate the pool and a tooling/lockfile refresh.
Changes:
- Add a shared
pat_poolimport (shared/pat_pool.md) + onboarding/ops documentation (shared/pat_pool.README.md) for selecting a PAT number from the pool. - Update multiple agentic workflow definitions to run in the
copilot-pat-poolenvironment and to setCOPILOT_GITHUB_TOKENfrom the selected pool entry. - Add a daily PAT pool validation workflow and bump/regenerate gh-aw tooling outputs (compiled lock files, maintenance workflow, actions lock).
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/validate-pat-pool.yml | New scheduled/manual workflow to validate each PAT slot and summarize pool health. |
| .github/workflows/shared/pat_pool.README.md | Documents pool setup, security rationale, and how consuming workflows should import/use the pool. |
| .github/workflows/shared/pat_pool.md | Shared import defining the pat_pool job that selects a pool entry and outputs pat_number. |
| .github/workflows/repo-health-investigate.md | Switches repo health investigator to use pooled PAT selection in isolated environment. |
| .github/workflows/repo-health-groom.md | Switches dashboard groomer to use pooled PAT selection in isolated environment. |
| .github/workflows/repo-health-check.md | Switches orchestrator to use pooled PAT selection in isolated environment. |
| .github/workflows/issue-triage.agent.md | Switches issue triage agent workflow to use pooled PAT selection in isolated environment. |
| .github/workflows/issue-triage.agent.lock.yml | Regenerated compiled workflow lock output for the updated issue triage workflow/tooling. |
| .github/workflows/ci-scan.agent.md | Switches CI scan agent workflow to use pooled PAT selection in isolated environment. |
| .github/workflows/ci-scan-feedback.agent.md | Switches CI scan feedback agent workflow to use pooled PAT selection in isolated environment. |
| .github/workflows/agentics-maintenance.yml | New/updated generated maintenance workflow aligned with updated gh-aw tooling. |
| .github/aw/actions-lock.json | Updates pinned action references to match the refreshed tooling/action versions. |
Copilot's findings
- Files reviewed: 11/17 changed files
- Comments generated: 7
Previously the pat_pool job emitted a warning and exited 0 without setting pat_number when no COPILOT_PAT_# secret had a value. Each consumer's case() expression then fell through to the literal 'NO COPILOT PAT AVAILABLE' placeholder, which was supplied as COPILOT_GITHUB_TOKEN and only surfaced as a confusing downstream Copilot authentication failure. Fail fast in the pat_pool job (non-zero exit with an actionable ::error::) so the dependent agent jobs are skipped instead of running with an unusable token, making the case() placeholder default unreachable. Update the shared README to document the fail-fast behavior and recompile the affected lock files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Moves the agentic workflows off the single shared Copilot token onto a pooled, isolated authentication setup: each run selects a token from a
COPILOT_PAT_0..9pool within a dedicatedcopilot-pat-poolenvironment, with a shared import plus a daily pool-validation workflow. Requires thecopilot-pat-poolenvironment and pool secrets to be configured. Also bumps the workflow tooling and regenerates all compiled lock files.