
Rotate Copilot tokens for the gh-aw agentic workflows#13525

Open
vishesh92 wants to merge 1 commit into apache:main from shapeblue:gh-aw/copilot-token-round-robin

Conversation

@vishesh92

Member

Description

The scheduled agentic workflows ran on a single COPILOT_GITHUB_TOKEN, which burns through one person's Copilot quota. Volunteers can now add their own fine-grained PATs as COPILOT_GITHUB_TOKEN_<alias> secrets and register the alias in the GH_AW_COPILOT_TOKEN_NAMES repo variable. Runs pick a token by day of year, skip dead ones, and fall back to the base secret when nothing in the pool is live. The two workflows start half the pool apart so they don't drain the same volunteer on the same day.

Strict mode forbids reading secrets in the agent job, so each workflow defines a pick_copilot_token job that outputs only the chosen alias; the agent job resolves the secret itself. gh aw compile doesn't know about this wiring, so .github/scripts/post-compile.sh re-applies it to the lock files after every compile, including pointing the log redaction step at the rotated token. A manual copilot-token-health workflow reports which pool tokens are still live.

See .github/COPILOT_TOKENS.md for how to contribute a token.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?
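An added example of the selection logic the description outlines (day-of-year round robin, skip dead aliases, fall back to the base secret, second workflow staggered half a pool away); this is written for the review and is not the PR's own pick_copilot_token job. The comma-separated pool format, the constructed liveness table, and the function names are assumptions. As in the design described, the pick prints only an alias, so no secret value is ever read or output by this code:

```shell
#!/bin/sh
# Added example (not the PR's code): day-of-year round-robin over a pool of
# token aliases, skipping dead ones and falling back to the base secret.
# Assumptions: the pool is a comma-separated list of aliases, liveness is
# looked up in a constructed table instead of probing GitHub, and the
# function names are invented for this example. Like the PR's design, the
# pick prints only an alias; secret values never pass through here.

# Constructed liveness check: $1 = alias, $2 = comma-separated dead aliases.
# A real health check would have to exercise each token; this stands in for it.
is_live() {
  case ",$2," in
    *",$1,"*) return 1 ;;
    *)        return 0 ;;
  esac
}

# pick_alias POOL DEAD DAY_OF_YEAR OFFSET
# Prints the alias to use, or "base" when the pool is empty or fully dead.
pick_alias() {
  pool=$1; dead=$2; doy=$3; offset=$4
  if [ -z "$pool" ]; then
    echo base
    return 0
  fi
  n=$(printf '%s\n' "$pool" | tr ',' '\n' | wc -l | tr -d ' ')
  start=$(( (doy + offset) % n ))
  i=0
  while [ "$i" -lt "$n" ]; do
    # 1-based position in the list, walking forward from today's slot
    pos=$(( (start + i) % n + 1 ))
    cand=$(printf '%s\n' "$pool" | tr ',' '\n' | sed -n "${pos}p")
    if is_live "$cand" "$dead"; then
      echo "$cand"
      return 0
    fi
    i=$((i + 1))
  done
  echo base
}

# The second workflow starts half the pool away from the first so the two
# scheduled runs do not land on the same volunteer on the same day.
stagger_offset() {
  if [ -z "$1" ]; then
    echo 0
    return 0
  fi
  n=$(printf '%s\n' "$1" | tr ',' '\n' | wc -l | tr -d ' ')
  echo $(( n / 2 ))
}

# Stand-alone demo with a constructed pool and dead list.
POOL="alice,bob,carol,dave"
DEAD="bob"
doy=$(date +%j | sed 's/^0*//')   # strip leading zeros so 008 is not read as octal
doy=${doy:-0}
echo "triage -> $(pick_alias "$POOL" "$DEAD" "$doy" 0)"
echo "status -> $(pick_alias "$POOL" "$DEAD" "$doy" "$(stagger_offset "$POOL")")"
```

With four aliases and bob marked dead, day 9 resolves to carol for the unstaggered workflow (slot 1 is bob, skipped) and to dave for the one offset by two; when every alias is dead, or the pool variable is empty, both print base. The dead-alias table is the one piece that cannot be done offline: in the real workflow only a run that actually uses the token can prove it live, which is what the separate health-check workflow is for.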

Copilot AI review requested due to automatic review settings July 2, 2026 06:57
@vishesh92 vishesh92 requested a review from DaanHoogland July 2, 2026 06:57

Copilot AI left a comment

Contributor


Pull request overview

This PR introduces Copilot token rotation for the repository’s scheduled GitHub Agentic Workflows so runs can spread load across multiple volunteer fine-grained PATs instead of consuming a single person’s Copilot quota.

Changes:

  • Add a pick_copilot_token job to the two agentic workflow sources to select a “live” token alias (with fallbacks) based on day-of-year rotation.
  • Update the compiled *.lock.yml workflows so the agent step and log-redaction step use the rotated token secret (falling back to the base secret).
  • Add supporting maintenance tooling/docs: a manual token health-check workflow, a post-compile patch script, and contributor documentation for adding/removing tokens.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

Summary per file:

  • .github/workflows/daily-repo-status.md: Adds token-pick job in the gh-aw source workflow.
  • .github/workflows/daily-repo-status.lock.yml: Wires agent execution and redaction to the rotated secret and adds a dependency on the token-pick job.
  • .github/workflows/daily-issue-triage.md: Adds token-pick job in the gh-aw source workflow (staggered rotation slot).
  • .github/workflows/daily-issue-triage.lock.yml: Wires agent execution and redaction to the rotated secret and adds a dependency on the token-pick job.
  • .github/workflows/copilot-token-health.yml: New manual workflow to report token liveness per alias.
  • .github/scripts/post-compile.sh: New post-processing script to re-apply wiring after gh aw compile.
  • .github/COPILOT_TOKENS.md: New documentation for contributing and maintaining the token pool.

@codecov

codecov Bot commented Jul 2, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 18.94%. Comparing base (5c4bc48) to head (c8eba3e).

Additional details and impacted files
@@            Coverage Diff            @@
##               main   #13525   +/-   ##
=========================================
  Coverage     18.93%   18.94%           
- Complexity    18474    18475    +1     
=========================================
  Files          6221     6221           
  Lines        560039   560039           
  Branches      68285    68285           
=========================================
+ Hits         106066   106077   +11     
+ Misses       442346   442334   -12     
- Partials      11627    11628    +1     
Flag        Coverage Δ
uitests     3.50% <ø> (ø)
unittests   20.15% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown.

The scheduled agentic workflows ran on a single COPILOT_GITHUB_TOKEN,
which burns through one person's Copilot quota. Volunteers can now add
their own fine-grained PATs as COPILOT_GITHUB_TOKEN_<alias> secrets and
register the alias in the GH_AW_COPILOT_TOKEN_NAMES repo variable. Runs
pick a token by day of year, skip dead ones, and fall back to the base
secret when nothing in the pool is live. The two workflows start half
the pool apart so they don't drain the same volunteer on the same day.

Strict mode forbids reading secrets in the agent job, so each workflow
defines a pick_copilot_token job that outputs only the chosen alias;
the agent job resolves the secret itself. gh aw compile doesn't know
about this wiring, so .github/scripts/post-compile.sh re-applies it to
the lock files after every compile, including pointing the log
redaction step at the rotated token. A manual copilot-token-health
workflow reports which pool tokens are still live.

See .github/COPILOT_TOKENS.md for how to contribute a token.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@vishesh92 vishesh92 force-pushed the gh-aw/copilot-token-round-robin branch from 2215290 to c8eba3e Compare July 2, 2026 07:33