Can I use Copilot CLI in GitHub-hosted runners?

Yes, Copilot CLI works with GitHub-hosted runners on Ubuntu, macOS, and Windows. You need to authenticate using a Personal Access Token with Copilot Requests permission stored as a repository secret. The token is passed via the COPILOT_GITHUB_TOKEN or GH_TOKEN environment variable.

Does using Copilot CLI in CI/CD consume premium requests?

It depends on the model. Models like GPT-5 mini and GPT-4.1 are included with your Copilot subscription and do not consume premium requests. However, more capable models may use premium quota. Use the --model flag to select cost-effective models for automated tasks.

Can Copilot CLI modify files and create commits in a workflow?

Yes, Copilot CLI can modify files when run with appropriate permissions. Use the --allow-tool flag to permit specific operations and --yes to skip confirmations in non-interactive mode. However, you should carefully scope permissions to minimize security risks.

What is the difference between Copilot CLI and the Copilot coding agent in GitHub Actions?

Copilot CLI runs directly in your workflow job and executes immediately. The Copilot coding agent (invoked via the web UI or /delegate command) runs asynchronously on GitHub's infrastructure and creates pull requests. For CI/CD automation, Copilot CLI provides synchronous execution within your workflow.

How to Use Copilot CLI with GitHub Actions

Integrating GitHub Copilot CLI into your CI/CD pipelines brings AI-powered code analysis directly into your automated workflows. This guide covers authentication, workflow configuration, practical use cases, and security best practices for running Copilot CLI in GitHub Actions.

Overview

GitHub Copilot CLI can enhance your CI/CD pipelines in several ways:

Code Analysis: Automatically review changes for security issues, logic errors, or style violations
Build Debugging: Analyze build failures and suggest fixes
Test Generation: Generate test cases for new code
Documentation: Auto-generate changelogs or release notes
Workflow Assistance: Help debug and optimize GitHub Actions workflows themselves

Prerequisites

Before configuring Copilot CLI in GitHub Actions, ensure you have:

GitHub Copilot subscription (Individual, Business, or Enterprise)
Repository write access to add secrets and workflows
Organization approval (for Business/Enterprise, verify CLI access is enabled)

Authentication Setup

Copilot CLI in GitHub Actions requires a Personal Access Token (PAT) with the Copilot Requests permission. The built-in GITHUB_TOKEN does not include Copilot access.

Step 1: Create a Fine-Grained PAT

Navigate to github.com/settings/personal-access-tokens/new
Configure the token:
- Token name: copilot-cli-actions
- Expiration: Set based on your security policy (90 days recommended)
- Repository access: Select repositories where you will use Copilot CLI
Under Permissions, click "Add permissions" and select:
- Copilot Requests: Read (required)
- Contents: Read (if analyzing repository code)
Click Generate token and copy the value

Step 2: Add the Token as a Repository Secret

Go to your repository's Settings > Secrets and variables > Actions
Click New repository secret
Configure:
- Name: COPILOT_GITHUB_TOKEN
- Secret: Paste your PAT
Click Add secret

Basic Workflow Configuration

Here is a minimal workflow that installs and runs Copilot CLI:

name: Copilot CLI Analysis

on:
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for better analysis

      - name: Install Copilot CLI
        run: |
          curl -fsSL https://gh.io/copilot-install | bash
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Run Copilot Analysis
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: |
          copilot --prompt "Review the changes in this PR for potential issues" \
            --model gpt-4.1 \
            --yes

Environment Variable Precedence

Copilot CLI checks for authentication tokens in this order:

COPILOT_GITHUB_TOKEN (highest priority, recommended for CI/CD)
GH_TOKEN
GITHUB_TOKEN (lowest priority)

Using COPILOT_GITHUB_TOKEN prevents conflicts with other GitHub tooling that may use GH_TOKEN or GITHUB_TOKEN for different purposes.

Platform-Specific Configurations

Ubuntu (Recommended)

Ubuntu runners provide the most straightforward setup:

jobs:
  copilot-ubuntu:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Copilot CLI
        run: curl -fsSL https://gh.io/copilot-install | bash

      - name: Add to PATH
        run: echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Run Analysis
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: copilot --prompt "Analyze src/ for security issues" --yes

macOS

macOS runners support Copilot CLI with Homebrew or the install script:

jobs:
  copilot-macos:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Copilot CLI via Homebrew
        run: brew install copilot-cli

      - name: Run Analysis
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: copilot --prompt "Review this codebase" --yes

Windows

Windows requires either PowerShell 6+ or WSL. For GitHub Actions, use the npm installation method:

jobs:
  copilot-windows:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Copilot CLI
        run: npm install -g @github/copilot

      - name: Run Analysis
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        shell: pwsh
        run: copilot --prompt "Analyze this project" --yes

Non-Interactive Mode Flags

In CI/CD environments, you must run Copilot CLI non-interactively. Key flags:

Flag	Purpose
`--prompt "..."`	The instruction to execute
`--yes`	Auto-confirm all prompts
`--model <model>`	Specify the AI model
`--allow-tool <pattern>`	Permit specific tools (glob patterns)
`--deny-tool <pattern>`	Block specific tools
`--allow-all-tools`	Permit all tools (use cautiously)
`--output-format json`	Machine-readable output

Example: Restrictive Tool Permissions

- name: Run Copilot with restricted tools
  env:
    COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  run: |
    copilot \
      --prompt "Review code for SQL injection vulnerabilities" \
      --allow-tool "read_file" \
      --deny-tool "write_file" \
      --deny-tool "run_terminal_cmd" \
      --model gpt-4.1 \
      --yes

Practical Use Cases

1. Automated Code Review on Pull Requests

Create intelligent code reviews that surface genuine issues:

name: Copilot Code Review

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: read

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Copilot CLI
        run: |
          curl -fsSL https://gh.io/copilot-install | bash
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Get changed files
        id: changed
        run: |
          FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | tr '\n' ' ')
          echo "files=$FILES" >> $GITHUB_OUTPUT

      - name: Run Copilot Review
        id: review
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: |
          REVIEW=$(copilot --prompt "Review these changed files for bugs, security issues, and logic errors. Be specific about line numbers: ${{ steps.changed.outputs.files }}" --model gpt-4.1 --yes --output-format json)
          echo "review<<EOF" >> $GITHUB_OUTPUT
          echo "$REVIEW" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT

      - name: Post review comment
        uses: actions/github-script@v7
        with:
          script: |
            const review = `${{ steps.review.outputs.review }}`;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## Copilot Code Review\n\n${review}`
            });

2. Build Failure Analysis

Automatically analyze and suggest fixes for build failures:

name: Build with Copilot Debug

on: push

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        run: npm ci

      - name: Build
        id: build
        continue-on-error: true
        run: npm run build 2>&1 | tee build.log

      - name: Analyze build failure
        if: steps.build.outcome == 'failure'
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: |
          curl -fsSL https://gh.io/copilot-install | bash
          export PATH="$HOME/.local/bin:$PATH"

          copilot --prompt "Analyze this build failure and suggest specific fixes: $(cat build.log | tail -100)" \
            --model gpt-4.1 \
            --yes

      - name: Fail if build failed
        if: steps.build.outcome == 'failure'
        run: exit 1

3. Security Scanning with AI Analysis

Combine traditional security tools with Copilot analysis:

name: Security Analysis

on:
  schedule:
    - cron: '0 6 * * 1'  # Weekly on Monday
  workflow_dispatch:

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run npm audit
        id: audit
        continue-on-error: true
        run: npm audit --json > audit.json 2>&1 || true

      - name: Install Copilot CLI
        run: |
          curl -fsSL https://gh.io/copilot-install | bash
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Analyze security findings
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: |
          copilot --prompt "Analyze these npm audit findings. Prioritize by severity and exploitability. Suggest remediation steps: $(cat audit.json)" \
            --model gpt-4.1 \
            --yes

4. Test Generation for New Code

Generate tests for newly added functions:

name: Generate Tests

on:
  pull_request:
    paths:
      - 'src/**/*.ts'
      - '!src/**/*.test.ts'

jobs:
  generate-tests:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write

    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          fetch-depth: 0

      - name: Install Copilot CLI
        run: |
          curl -fsSL https://gh.io/copilot-install | bash
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Find new functions without tests
        id: find
        run: |
          # Find new TypeScript files
          NEW_FILES=$(git diff --name-only --diff-filter=A origin/${{ github.base_ref }}...HEAD | grep '\.ts$' | grep -v '\.test\.ts$' || true)
          echo "files=$NEW_FILES" >> $GITHUB_OUTPUT

      - name: Generate test suggestions
        if: steps.find.outputs.files != ''
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: |
          for file in ${{ steps.find.outputs.files }}; do
            echo "Generating tests for: $file"
            copilot --prompt "Generate comprehensive unit tests for $file using Vitest. Include edge cases and error handling tests." \
              --model gpt-4.1 \
              --allow-tool "read_file" \
              --yes
          done

5. Documentation Generation

Auto-generate release notes from commits:

name: Generate Release Notes

on:
  release:
    types: [created]

jobs:
  release-notes:
    runs-on: ubuntu-latest
    permissions:
      contents: write

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get commits since last release
        id: commits
        run: |
          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
          if [ -n "$PREV_TAG" ]; then
            COMMITS=$(git log $PREV_TAG..HEAD --pretty=format:"%h %s" | head -50)
          else
            COMMITS=$(git log --pretty=format:"%h %s" | head -50)
          fi
          echo "commits<<EOF" >> $GITHUB_OUTPUT
          echo "$COMMITS" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT

      - name: Install Copilot CLI
        run: |
          curl -fsSL https://gh.io/copilot-install | bash
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Generate release notes
        id: notes
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: |
          NOTES=$(copilot --prompt "Generate professional release notes from these commits. Group by category (Features, Bug Fixes, Improvements, Breaking Changes). Use markdown formatting: ${{ steps.commits.outputs.commits }}" --model gpt-4.1 --yes)
          echo "notes<<EOF" >> $GITHUB_OUTPUT
          echo "$NOTES" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT

      - name: Update release body
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: ${{ github.event.release.id }},
              body: `${{ steps.notes.outputs.notes }}`
            });

Security Best Practices

1. Use Dedicated Tokens

Create a PAT specifically for CI/CD with minimal permissions:

Only Copilot Requests: Read permission
Limited repository scope
Short expiration (90 days or less)
Regular rotation schedule

2. Restrict Tool Access

Limit what Copilot CLI can do in your pipeline:

# Good: Explicit allow list
copilot --allow-tool "read_file" --deny-tool "run_terminal_cmd" --prompt "..."

# Avoid in CI/CD: Too permissive
copilot --allow-all-tools --prompt "..."

3. Never Log Tokens

Ensure tokens are masked in logs:

- name: Run Copilot
  env:
    COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  run: |
    # The secret is automatically masked in logs
    copilot --prompt "analyze code" --yes

4. Use Environment Protection

For sensitive workflows, use GitHub environment protection rules:

jobs:
  analyze:
    runs-on: ubuntu-latest
    environment: production  # Requires approval
    steps:
      # ...

5. Audit Token Usage

Regularly review:

PAT usage in your GitHub settings
Workflow run logs for unexpected behavior
Repository access patterns

Self-Hosted Runners

For self-hosted runners, you have additional configuration options:

Pre-installing Copilot CLI

Add Copilot CLI to your runner image:

# In your runner Dockerfile
RUN curl -fsSL https://gh.io/copilot-install | bash
ENV PATH="${PATH}:/root/.local/bin"

Network Configuration

If your runners use a proxy:

- name: Run Copilot with proxy
  env:
    COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
    HTTPS_PROXY: ${{ secrets.PROXY_URL }}
  run: copilot --prompt "analyze code" --yes

GitHub Enterprise Server

For GHES environments:

- name: Run Copilot on GHES
  env:
    COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
    GH_HOST: github.mycompany.com
  run: copilot --prompt "analyze code" --yes

Troubleshooting

Authentication Failures

If you see authentication errors:

Verify the PAT has Copilot Requests permission
Check the secret name matches exactly (COPILOT_GITHUB_TOKEN)
Ensure your Copilot subscription is active
For Enterprise, verify CLI access is enabled in organization settings

Command Not Found

If Copilot CLI is not found after installation:

- name: Install and add to PATH
  run: |
    curl -fsSL https://gh.io/copilot-install | bash
    # Explicitly add to PATH for subsequent steps
    echo "$HOME/.local/bin" >> $GITHUB_PATH

# Or in the same step:
- name: Run immediately after install
  run: |
    curl -fsSL https://gh.io/copilot-install | bash
    export PATH="$HOME/.local/bin:$PATH"
    copilot --prompt "hello" --yes

Rate Limiting

If you encounter rate limits:

Use cost-effective models (gpt-4.1, gpt-5-mini)
Cache Copilot CLI installation
Reduce frequency of workflow runs
Batch multiple analyses into single prompts

Timeout Issues

For long-running analyses:

- name: Run Copilot with timeout
  timeout-minutes: 10
  env:
    COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  run: copilot --prompt "comprehensive analysis" --yes

Caching the Installation

Speed up workflows by caching Copilot CLI:

- name: Cache Copilot CLI
  uses: actions/cache@v4
  id: copilot-cache
  with:
    path: ~/.local/bin/copilot
    key: copilot-cli-${{ runner.os }}-v1

- name: Install Copilot CLI
  if: steps.copilot-cache.outputs.cache-hit != 'true'
  run: curl -fsSL https://gh.io/copilot-install | bash

Next Steps

Review how to install Copilot CLI for local development
Learn about Copilot CLI agents for specialized tasks
Explore Copilot slash commands for interactive use
Read about Copilot Enterprise setup for organization-wide deployment