Isolate agentic workflow authentication with a Copilot token pool #7652

Open
kotlarmilos wants to merge 3 commits into main from copilot-pat-pool

Conversation

@kotlarmilos (Member)

Moves the agentic workflows off the single shared Copilot token onto a pooled, isolated authentication setup: each run selects a token from a COPILOT_PAT_0..9 pool within a dedicated copilot-pat-pool environment, with a shared import plus a daily pool-validation workflow. Requires the copilot-pat-pool environment and pool secrets to be configured. Also bumps the workflow tooling and regenerates all compiled lock files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 2, 2026 13:19

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the repository’s agentic workflows to stop relying on a single shared Copilot token by introducing a pooled PAT selection mechanism (COPILOT_PAT_0..9) scoped to a dedicated copilot-pat-pool environment, along with a scheduled workflow to validate the pool and a tooling/lockfile refresh.

Changes:

  • Add a shared pat_pool import (shared/pat_pool.md) + onboarding/ops documentation (shared/pat_pool.README.md) for selecting a PAT number from the pool.
  • Update multiple agentic workflow definitions to run in the copilot-pat-pool environment and to set COPILOT_GITHUB_TOKEN from the selected pool entry.
  • Add a daily PAT pool validation workflow and bump/regenerate gh-aw tooling outputs (compiled lock files, maintenance workflow, actions lock).
Summary per file:

  .github/workflows/validate-pat-pool.yml: New scheduled/manual workflow to validate each PAT slot and summarize pool health.
  .github/workflows/shared/pat_pool.README.md: Documents pool setup, security rationale, and how consuming workflows should import/use the pool.
  .github/workflows/shared/pat_pool.md: Shared import defining the pat_pool job that selects a pool entry and outputs pat_number.
  .github/workflows/repo-health-investigate.md: Switches repo health investigator to use pooled PAT selection in isolated environment.
  .github/workflows/repo-health-groom.md: Switches dashboard groomer to use pooled PAT selection in isolated environment.
  .github/workflows/repo-health-check.md: Switches orchestrator to use pooled PAT selection in isolated environment.
  .github/workflows/issue-triage.agent.md: Switches issue triage agent workflow to use pooled PAT selection in isolated environment.
  .github/workflows/issue-triage.agent.lock.yml: Regenerated compiled workflow lock output for the updated issue triage workflow/tooling.
  .github/workflows/ci-scan.agent.md: Switches CI scan agent workflow to use pooled PAT selection in isolated environment.
  .github/workflows/ci-scan-feedback.agent.md: Switches CI scan feedback agent workflow to use pooled PAT selection in isolated environment.
  .github/workflows/agentics-maintenance.yml: New/updated generated maintenance workflow aligned with updated gh-aw tooling.
  .github/aw/actions-lock.json: Updates pinned action references to match the refreshed tooling/action versions.

Copilot's findings

  • Files reviewed: 11/17 changed files
  • Comments generated: 7

Comment threads:
  • .github/workflows/repo-health-check.md
  • .github/workflows/repo-health-groom.md
  • .github/workflows/repo-health-investigate.md
  • .github/workflows/issue-triage.agent.md
  • .github/workflows/ci-scan.agent.md
  • .github/workflows/ci-scan-feedback.agent.md
  • .github/workflows/shared/pat_pool.README.md
kotlarmilos and others added 2 commits July 3, 2026 11:57
Previously the pat_pool job emitted a warning and exited 0 without setting
pat_number when no COPILOT_PAT_# secret had a value. Each consumer's case()
expression then fell through to the literal 'NO COPILOT PAT AVAILABLE'
placeholder, which was supplied as COPILOT_GITHUB_TOKEN and only surfaced as a
confusing downstream Copilot authentication failure.

Fail fast in the pat_pool job (non-zero exit with an actionable ::error::) so
the dependent agent jobs are skipped instead of running with an unusable token,
making the case() placeholder default unreachable. Update the shared README to
document the fail-fast behavior and recompile the affected lock files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
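The fail-fast behaviour the commit message above describes, as an added example that is not part of the PR or of the repository's shared/pat_pool.md: a POSIX sh step that scans COPILOT_PAT_0..9, selects one populated slot, emits only the slot number as pat_number, and exits non-zero with a ::error:: annotation when every slot is empty, so dependent jobs are skipped instead of receiving a placeholder token. The selection strategy (a seed such as GITHUB_RUN_ID modulo the number of populated slots), POOL_SIZE, the function names and the constructed sample values are this example's own assumptions; the PR's actual selection logic is not shown on this page.

```shell
#!/bin/sh
# Added example, not the PR's shared/pat_pool.md: a pat_pool-style step that
# picks a slot from a COPILOT_PAT_0..9 pool and fails fast when no slot holds
# a value, so dependent jobs are skipped rather than run with a placeholder.
# Assumption: the selection strategy (seed modulo populated slots) and the
# function names are this example's own, not the PR's.

POOL_SIZE=10

# select_pat_number SEED
# Prints the chosen slot number (0..POOL_SIZE-1) on stdout. Only the slot
# number ever leaves this function; the token value itself is never printed,
# so it cannot end up in job outputs or logs.
# Returns 1, with a ::error:: annotation, when every COPILOT_PAT_<n> is empty.
select_pat_number() {
  seed="${1:-0}"
  available=""
  count=0
  i=0
  while [ "$i" -lt "$POOL_SIZE" ]; do
    # Indirect lookup of COPILOT_PAT_<i>; i is always a digit, so the eval
    # expands a fixed variable name and nothing user-controlled.
    eval "value=\${COPILOT_PAT_${i}:-}"
    if [ -n "$value" ]; then
      available="$available $i"
      count=$((count + 1))
    fi
    i=$((i + 1))
  done
  if [ "$count" -eq 0 ]; then
    # Actionable annotation plus non-zero exit: the job fails here instead of
    # handing an unusable token to the agent jobs that depend on it.
    echo "::error::No COPILOT_PAT_0..$((POOL_SIZE - 1)) secret has a value in the copilot-pat-pool environment" >&2
    return 1
  fi
  pick=$((seed % count))
  # Positional parameters as a portable array: shift to the chosen slot.
  set -- $available
  shift "$pick"
  echo "$1"
}

# pat_pool_job SEED [OUTPUT_FILE]
# Mimics the job step: appends pat_number=<n> to OUTPUT_FILE (pass
# "$GITHUB_OUTPUT" on Actions; defaults to /dev/null here), echoes the slot
# number, and propagates the fail-fast exit code from select_pat_number.
pat_pool_job() {
  out="${2:-/dev/null}"
  n="$(select_pat_number "$1")" || return 1
  echo "pat_number=${n}" >> "$out"
  echo "$n"
}

# Stand-alone demo in a subshell so the constructed values do not leak into
# the caller's environment. Constructed placeholders, not real tokens; on
# GitHub Actions the copilot-pat-pool environment would supply them instead.
(
  COPILOT_PAT_3="constructed-slot-3"
  COPILOT_PAT_7="constructed-slot-7"
  pat_pool_job "${GITHUB_RUN_ID:-0}" "${GITHUB_OUTPUT:-/dev/null}"
)
```

Emitting the slot number rather than the token is the point of the indirection: the consuming job resolves COPILOT_PAT_<n> from its own environment, so the credential never crosses a job boundary as an output. The fail-fast return means a misconfigured pool surfaces as a failed pat_pool job with a readable annotation instead of an authentication error deep inside the agent run.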

2 participants