fix(ci): use GITHUB_TOKEN installation auth + model fallback for Copilot workflows#9394
Merged
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…Copilot workflows Switch every direct Copilot CLI workflow from COPILOT_GITHUB_TOKEN (the per-user PAT path, which only authenticates for PR authors who personally hold a Copilot seat) to the plain GITHUB_TOKEN installation path with --yolo. This authenticates as the installation and is metered to the org, so it works for every author, fork, and bot with nothing to rotate. Add an ordered model-fallback loop (claude-opus-4.8 -> claude-opus-4.6 -> gpt-5-mini): the first model that responds wins, so an unavailable primary no longer fails the run. Delete the redundant copilot-pr-validation.yml, whose validate-pr job collided with pr-ai-validation.yml and whose deterministic fallback hard-failed PRs. pr-ai-validation.yml (native Copilot primary) is kept. Rename the smoke-test job test -> copilot-cli-smoke and make it workflow_dispatch-only so it no longer collides with the unit-test check or runs on every PR. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
🤖 AI PR Validation ReportPR Review ResultsThank you for your submission! Here's detailed feedback on your PR title and body compliance:✅ PR Title
✅ Commit Type
✅ Risk Level
✅ What & Why
✅ Impact of Change
✅ Test Plan
|
| Section | Status | Recommendation |
|---|---|---|
| Title | ✅ | No change needed |
| Commit Type | ✅ | No change needed |
| Risk Level | ✅ | Medium is correct and matches label |
| What & Why | ✅ | No change needed |
| Impact of Change | ✅ | No change needed |
| Test Plan | ✅ | Manual testing justified for CI-only change |
| Contributors | Optionally credit collaborators | |
| Screenshots/Videos | ✅ | N/A — no UI changes |
✅ All required checks pass. This PR is compliant with the team template and is cleared to merge. Great, thorough write-up.
Powered by: Copilot CLI (claude-opus-4.8) | Last updated: Tue, 14 Jul 2026 15:01:56 GMT
Contributor
📊 Coverage CheckNo source files changed in this PR. |
The dispatch-only smoke workflow existed only to verify Copilot CLI auth, org billing policy, and model availability in Actions. That verification is complete; the workflow has no ongoing gating purpose, so remove it. This also eliminates the original 'test' check-name collision at the source (rather than renaming/neutralizing it). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the repository’s Copilot CLI GitHub Actions workflows to use installation authentication (via GITHUB_TOKEN, avoiding the personal-token COPILOT_GITHUB_TOKEN path) and adds an ordered model fallback chain to reduce CI flakiness when a preferred model is unavailable. This is CI/automation-only and primarily affects reliability and billing/auth behavior of Copilot-powered workflows.
Changes:
- Switched Copilot CLI invocations in several workflows from
COPILOT_GITHUB_TOKEN=... copilot ...tocopilot --yolo ...withGITHUB_TOKENinstallation auth. - Added a space-separated, ordered model fallback loop (defaulting to
claude-opus-4.8 → claude-opus-4.6 → gpt-5-mini). - Removed the redundant
copilot-pr-validation.ymlworkflow and adjusted the Copilot CLI smoke workflow to beworkflow_dispatch-only with a non-colliding job name.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/pr-ai-validation.yml |
Switches PR validator Copilot CLI call to installation auth + model fallback while preserving Logic App fallback path. |
.github/workflows/copilot-test-cli.yml |
Makes CLI smoke test dispatch-only, adds model fallback input, renames job to avoid check-name collisions. |
.github/workflows/copilot-pr-validation.yml |
Deleted redundant PR validation workflow to avoid duplication/collisions. |
.github/workflows/copilot-investigate.yml |
Switches investigation workflow to installation auth + model fallback. |
.github/workflows/copilot-flake-review.yml |
Switches flake-fix workflow to installation auth + model fallback. |
.github/workflows/copilot-design-pass.yml |
Switches design-pass workflow to installation auth + model fallback. |
Prevents the 'investigated' label from being applied when no investigation comment was posted because every fallback model failed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ccastrotrejo
approved these changes
Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Type
Risk Level
What & Why
The Copilot-powered CI workflows added in #9385 fail on every PR whose author
does not personally hold a GitHub Copilot seat (e.g. #9393). Two checks —
Test Copilot CLIandCopilot: PR Validation— went red on unrelated PRs.Root cause. Every workflow invoked the CLI as
COPILOT_GITHUB_TOKEN="$GITHUB_TOKEN" copilot .... SettingCOPILOT_GITHUB_TOKENselects the CLI's personal-token auth path, which authenticates as the
triggering actor and draws AI credits from that user's Copilot seat. So it
only worked for PR authors who happen to have a seat, and failed for everyone
else, for forks, and for bots. GitHub's documented robust path is the plain
GITHUB_TOKENinstallation auth: it authenticates as the installation andis metered directly to the organization, independent of the author — with a
short-lived token and nothing to rotate.
This PR switches every direct-CLI Copilot workflow to the installation path
(
GITHUB_TOKENenv +--yolo, noCOPILOT_GITHUB_TOKEN), adds an orderedmodel-fallback loop so an unavailable model no longer fails a run, and removes
two now-unneeded workflows: a redundant validator that collided with the
existing one and hard-failed PRs, and a dispatch-only smoke test that
collided with the unit-test check.
What changed
pr-ai-validation.ymlcopilot-pr-validation.ymlvalidate-prjob collided withpr-ai-validation.yml, and its deterministic fallback hard-failed PR bodies.copilot-test-cli.ymlworkflow_dispatchdiagnostic that also collided with the unit-testtestcheck onpull_request. Used to verify auth/model availability during this fix, then removed — no ongoing gating purpose.copilot-investigate.ymlcopilot-design-pass.ymlcopilot-flake-review.ymlAuth flow (before → after)
Model-fallback chain
claude-opus-4.8→claude-opus-4.6→gpt-5-mini. The first model thatreturns a successful response wins; an unavailable model logs a warning and the
loop advances. Chain is overridable per-workflow via the
COPILOT_MODELSenv.Impact of Change
get Copilot validation instead of a spurious red check. A Copilot/model hiccup
no longer hard-blocks a PR. The
Test Copilot CLIcheck no longer runs onevery PR (dispatch-only) and no longer collides with the unit-test
testcheck.org (installation billing) rather than an individual author's seat.
Test Plan
Verified live in Actions on
fix/copilot-cli-actions-authvia theTest Copilot CLIsmoke workflow:copilot --yolowith onlyGITHUB_TOKEN(no
COPILOT_GITHUB_TOKEN) returnedCOPILOT_CLI_WORKING, confirming the orgpolicy "Allow use of Copilot CLI billed to the organization" is enabled and the
path is author-independent.
(
definitely-not-a-real-model) logged a warning and the loop fell through toclaude-opus-4.8, which succeeded.claude-opus-4.8,claude-opus-4.6,claude-sonnet-4.5, andgpt-5-miniare available to the CLI in this org;gpt-5,gpt-5.x, and*-codexids are not, so the chain usesgpt-5-minias the GPT fallback.