Migrate Copilot PAT pool to shared workflow import #127946
Merged
jeffhandley merged 5 commits into dotnet:main on May 8, 2026
Replaces the per-workflow inline `select-copilot-pat` action with the shared `pat_pool.md` now usable in gh-aw v0.71.5. The new pattern fixes a bug where `COPILOT_PAT_0` was always selected because activation `needs:` did not incorporate jobs referenced in `engine.env` expressions (github/gh-aw#30232, fixed in v0.71.5).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Adds a daily workflow that validates each Copilot PAT in the pool by issuing a low-effort Copilot CLI request, surfacing empty/invalid/unknown PATs in the GitHub Actions step summary, and failing the run when any PAT is invalid or unverified.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates the repo’s GitHub Agentic Workflows to select Copilot authentication from a shared “PAT pool” import (instead of per-workflow inline steps / a composite action), and adds a scheduled workflow to validate the health of the PAT pool.
Changes:
- Added a shared workflow import (`shared/pat_pool.md`) + documentation, and migrated agentic workflows to use `needs.pat_pool.outputs.pat_number` for `COPILOT_GITHUB_TOKEN` selection.
- Regenerated agentic workflow lock files using gh-aw v0.71.5 and removed the old `select-copilot-pat` composite action.
- Added a scheduled `validate-pat-pool.yml` workflow to verify each `COPILOT_PAT_#` secret can successfully run a minimal Copilot CLI request.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/validate-pat-pool.yml | New scheduled/manual workflow to probe each PAT and fail loudly on invalid/unknown/empty pools. |
| .github/workflows/shared/pat_pool.md | New shared import defining the pat_pool job that selects a random PAT slot and emits the chosen index. |
| .github/workflows/shared/pat_pool.README.md | Usage + security guidance for integrating the PAT pool import into consuming workflows. |
| .github/workflows/copilot-echo.md | Migrated to import shared/pat_pool.md and select token via needs.pat_pool.outputs.pat_number. |
| .github/workflows/code-review.md | Migrated to import shared/pat_pool.md and select token via needs.pat_pool.outputs.pat_number. |
| .github/workflows/ci-failure-scan.md | Migrated to import shared/pat_pool.md and select token via needs.pat_pool.outputs.pat_number. |
| .github/workflows/breaking-change-doc.md | Migrated to import shared/pat_pool.md and select token via needs.pat_pool.outputs.pat_number. |
| .github/workflows/ci-failure-scan.lock.yml | Regenerated compiled workflow output (now includes PAT pool import + updated gh-aw/AWF tooling). |
| .github/workflows/breaking-change-doc.lock.yml | Regenerated compiled workflow output (now includes PAT pool import + updated gh-aw/AWF tooling). |
| .github/workflows/code-review.lock.yml | Regenerated compiled workflow output (now includes PAT pool import + updated gh-aw/AWF tooling). |
| .github/workflows/copilot-echo.lock.yml | Regenerated compiled workflow output (now includes PAT pool import + updated gh-aw/AWF tooling). |
| .github/mcp.json | Adds MCP server configuration to run gh aw mcp-server. |
| .github/aw/actions-lock.json | Updates the pinned action SHAs list for regenerated workflows. |
| .github/agents/agentic-workflows.agent.md | Updates repo guidance to reflect the new PAT pool import pattern and gh-aw version. |
| .github/actions/select-copilot-pat/README.md | Removed (obsolete after migrating to shared import). |
| .github/actions/select-copilot-pat/action.yml | Removed (obsolete after migrating to shared import). |
ericstj approved these changes on May 8, 2026
Replaces the per-workflow inline `select-copilot-pat` action with the shared `pat_pool.md` now usable in gh-aw v0.71.5. The new pattern fixes a bug where `COPILOT_PAT_0` was always selected because activation `needs:` did not incorporate jobs referenced in `engine.env` expressions (github/gh-aw#30232, fixed in v0.71.5).

Also adds a workflow that monitors the PAT pool health.
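
The selection idea this PR describes (choose a random populated pool slot and publish only its index as a job output) can be sketched as follows. This is an added example, not the contents of `shared/pat_pool.md` or any code from this repository; `POOL_SIZE` and the function names are hypothetical, and only the `COPILOT_PAT_<n>` naming and the `pat_number` output name come from the page.

```shell
#!/bin/sh
# Added example (not the repository's code): pick a random populated PAT slot
# and expose only its index. Assumes secrets are mapped to environment
# variables COPILOT_PAT_0 .. COPILOT_PAT_<POOL_SIZE-1>; POOL_SIZE is hypothetical.

POOL_SIZE="${POOL_SIZE:-10}"

# Print the index of every slot whose variable is set and non-empty.
populated_slots() {
    i=0
    while [ "$i" -lt "$POOL_SIZE" ]; do
        # Indirect lookup; the secret value itself is never printed.
        eval "val=\${COPILOT_PAT_$i-}"
        [ -n "$val" ] && printf '%s\n' "$i"
        i=$((i + 1))
    done
    unset val
}

# Choose one populated slot at random; fail loudly when the pool is empty
# instead of silently falling back to slot 0.
select_pat_slot() {
    slots=$(populated_slots)
    [ -n "$slots" ] || { echo "PAT pool is empty" >&2; return 1; }
    count=$(printf '%s\n' "$slots" | wc -l)
    rand=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    pick=$((rand % count + 1))
    printf '%s\n' "$slots" | sed -n "${pick}p"
}

# In a workflow step, only the index becomes the job output:
#   echo "pat_number=$(select_pat_slot)" >> "$GITHUB_OUTPUT"
```

Consumers then resolve the secret from the index at the point of use, so the token value never travels through job outputs.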