Rotate Copilot tokens for the gh-aw agentic workflows #13525
Open
vishesh92 wants to merge 1 commit into
Pull request overview
This PR introduces Copilot token rotation for the repository’s scheduled GitHub Agentic Workflows so runs can spread load across multiple volunteer fine-grained PATs instead of consuming a single person’s Copilot quota.
Changes:
- Add a `pick_copilot_token` job to the two agentic workflow sources to select a "live" token alias (with fallbacks) based on day-of-year rotation.
- Update the compiled `*.lock.yml` workflows so the agent step and log-redaction step use the rotated token secret (falling back to the base secret).
- Add supporting maintenance tooling/docs: a manual token health-check workflow, a post-compile patch script, and contributor documentation for adding/removing tokens.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/daily-repo-status.md | Adds token-pick job in the gh-aw source workflow. |
| .github/workflows/daily-repo-status.lock.yml | Wires agent execution + redaction to the rotated secret and adds dependency on token-pick job. |
| .github/workflows/daily-issue-triage.md | Adds token-pick job in the gh-aw source workflow (staggered rotation slot). |
| .github/workflows/daily-issue-triage.lock.yml | Wires agent execution + redaction to the rotated secret and adds dependency on token-pick job. |
| .github/workflows/copilot-token-health.yml | New manual workflow to report token liveness per alias. |
| .github/scripts/post-compile.sh | New post-processing script to re-apply wiring after gh aw compile. |
| .github/COPILOT_TOKENS.md | New documentation for contributing and maintaining the token pool. |
Codecov Report

✅ All modified and coverable lines are covered by tests.

Coverage diff:

| | main | #13525 | +/- |
|---|---|---|---|
| Coverage | 18.93% | 18.94% | |
| Complexity | 18474 | 18475 | +1 |
| Files | 6221 | 6221 | |
| Lines | 560039 | 560039 | |
| Branches | 68285 | 68285 | |
| Hits | 106066 | 106077 | +11 |
| Misses | 442346 | 442334 | -12 |
| Partials | 11627 | 11628 | +1 |
Flags with carried forward coverage won't be shown.
The scheduled agentic workflows ran on a single COPILOT_GITHUB_TOKEN, which burns through one person's Copilot quota. Volunteers can now add their own fine-grained PATs as COPILOT_GITHUB_TOKEN_<alias> secrets and register the alias in the GH_AW_COPILOT_TOKEN_NAMES repo variable. Runs pick a token by day of year, skip dead ones, and fall back to the base secret when nothing in the pool is live. The two workflows start half the pool apart so they don't drain the same volunteer on the same day.

Strict mode forbids reading secrets in the agent job, so each workflow defines a pick_copilot_token job that outputs only the chosen alias; the agent job resolves the secret itself. gh aw compile doesn't know about this wiring, so .github/scripts/post-compile.sh re-applies it to the lock files after every compile, including pointing the log redaction step at the rotated token. A manual copilot-token-health workflow reports which pool tokens are still live.

See .github/COPILOT_TOKENS.md for how to contribute a token.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2215290 to c8eba3e
Description
The scheduled agentic workflows ran on a single COPILOT_GITHUB_TOKEN, which burns through one person's Copilot quota. Volunteers can now add their own fine-grained PATs as COPILOT_GITHUB_TOKEN_<alias> secrets and register the alias in the GH_AW_COPILOT_TOKEN_NAMES repo variable. Runs pick a token by day of year, skip dead ones, and fall back to the base secret when nothing in the pool is live. The two workflows start half the pool apart so they don't drain the same volunteer on the same day.
Strict mode forbids reading secrets in the agent job, so each workflow defines a pick_copilot_token job that outputs only the chosen alias; the agent job resolves the secret itself. gh aw compile doesn't know about this wiring, so .github/scripts/post-compile.sh re-applies it to the lock files after every compile, including pointing the log redaction step at the rotated token. A manual copilot-token-health workflow reports which pool tokens are still live.
See .github/COPILOT_TOKENS.md for how to contribute a token.
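The selection logic the description and the Copilot review summarise, written out as an added POSIX sh example. It is not the PR's own pick_copilot_token job, post-compile.sh or health-check workflow, none of which appear on this page. Assumptions that are mine, not the PR's: the pool arrives as the comma-separated value of GH_AW_COPILOT_TOKEN_NAMES, the day is `date +%j`, the second workflow's offset is half the pool, the literal "base" stands for "use the un-suffixed COPILOT_GITHUB_TOKEN", and the liveness probe is replaced by a constructed DEAD_ALIASES list so the script runs offline. The pool names (alice, bob, carol, dave) are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR: day-of-year rotation over a pool of
# token aliases, skipping dead ones and falling back to the base secret.
# Assumed inputs: NAMES is the comma-separated GH_AW_COPILOT_TOKEN_NAMES
# value, DAY_OF_YEAR is `date +%j`, "base" means the un-suffixed secret.
set -e

# Constructed stand-in for the liveness probe (assumption: a real pick job
# would exercise COPILOT_GITHUB_TOKEN_<alias> against the API). Offline, any
# alias listed in DEAD_ALIASES counts as dead.
DEAD_ALIASES="${DEAD_ALIASES:-}"
is_live() {
  case ",${DEAD_ALIASES}," in
    *",$1,"*) return 1 ;;
  esac
  return 0
}

# pool_size NAMES: number of aliases in a comma-separated list (0 when empty).
pool_size() {
  [ -n "$1" ] || { echo 0; return 0; }
  old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
  echo "$#"
}

# nth_alias NAMES INDEX: 0-based element of a comma-separated list.
nth_alias() {
  idx=$2
  old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
  shift "$idx"
  echo "$1"
}

# stagger_offset NAMES: half the pool, so a second scheduled workflow starts
# half a rotation away from the first and does not land on the same
# volunteer on the same day.
stagger_offset() {
  echo $(( $(pool_size "$1") / 2 ))
}

# pick_copilot_token NAMES DAY_OF_YEAR OFFSET
# Starts at slot (DAY_OF_YEAR + OFFSET) mod pool size, walks the pool once
# (wrapping around), prints the first live alias, or "base" when the pool is
# empty or every member is dead. Only the alias is emitted; the token value is
# never touched here, which is what lets a strict-mode agent job consume the
# output and resolve the secret itself.
pick_copilot_token() {
  names=$1; day=$2; offset=$3
  n=$(pool_size "$names")
  [ "$n" -gt 0 ] || { echo base; return 0; }
  start=$(( (day + offset) % n ))
  i=0
  while [ "$i" -lt "$n" ]; do
    candidate=$(nth_alias "$names" $(( (start + i) % n )))
    if is_live "$candidate"; then
      echo "$candidate"
      return 0
    fi
    i=$(( i + 1 ))
  done
  echo base
}

# Demo on a constructed pool of four volunteer aliases.
POOL="alice,bob,carol,dave"
DAY=$(date +%j | sed 's/^0*//')   # strip leading zeros so "008" is not parsed as octal
echo "repo-status picks:  $(pick_copilot_token "$POOL" "$DAY" 0)"
echo "issue-triage picks: $(pick_copilot_token "$POOL" "$DAY" "$(stagger_offset "$POOL")")"
DEAD_ALIASES="alice,bob,carol,dave"
echo "whole pool dead ->  $(pick_copilot_token "$POOL" "$DAY" 0)"
DEAD_ALIASES=""
```

The function prints an alias, never a token, so it can sit in a job whose only output is that alias; how the agent job then maps the alias to the COPILOT_GITHUB_TOKEN_<alias> secret is described in the PR but its exact expression is not shown on this page. Note the half-pool stagger only guarantees distinct volunteers for even pool sizes with no dead members; once dead aliases are skipped the two workflows can still converge on the same live token.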