Migrate Copilot PAT pool to shared workflow import #54235
Open
jeffhandley wants to merge 4 commits into
Replaces the per-workflow inline `select-copilot-pat` action with the shared `pat_pool.md` now usable with gh-aw v0.71.5. The new pattern fixes a bug where `COPILOT_PAT_0` was always selected because activation `needs:` did not incorporate jobs referenced in `engine.env` expressions (github/gh-aw#30232, fixed in v0.71.5).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adds a scheduled workflow that runs daily at ~2:17 AM UTC and validates each Copilot PAT in the pool by issuing a low-effort Copilot CLI request. Reports per-PAT status (valid / empty / invalid / unknown) in the job step summary, and fails the run when any PAT is invalid, the pool is empty, or transient errors prevent verification.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR migrates Copilot PAT selection from a repo-local composite action to a shared Agentic Workflows import (`shared/pat_pool.md`), leveraging gh-aw v0.71.5 behavior to correctly wire `needs:` from `engine.env` references. It also adds a scheduled workflow to validate PAT pool health.
Changes:
- Added a reusable `pat_pool` workflow import + README for selecting a random PAT index (0–9) from repository secrets.
- Updated an existing agentic workflow to import `pat_pool` and use its output when overriding `COPILOT_GITHUB_TOKEN`, regenerating the compiled `.lock.yml`.
- Added a scheduled/manual workflow to validate each PAT in the pool via Copilot CLI, and added repo config files to support/lock workflow dependencies.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/validate-pat-pool.yml | New scheduled/manual workflow that checks each COPILOT_PAT_# by making a lightweight Copilot CLI request and summarizes pool health. |
| .github/workflows/shared/pat_pool.README.md | Documentation for onboarding, PAT management, security model, and consumption pattern for the shared PAT pool import. |
| .github/workflows/shared/pat_pool.md | New gh-aw import defining a pat_pool job that selects an available PAT slot and outputs pat_number. |
| .github/workflows/add-tactics-template-on-comment.md | Switches from inline PAT selection to importing shared/pat_pool.md and using needs.pat_pool.outputs.pat_number in the token override. |
| .github/workflows/add-tactics-template-on-comment.lock.yml | Regenerated compiled workflow reflecting gh-aw v0.71.5 and the new pat_pool import/job graph. |
| .github/mcp.json | Adds an MCP server config for running the gh-aw MCP server via gh aw mcp-server. |
| .github/aw/actions-lock.json | Updates/pins additional action versions used by the regenerated workflow. |
| .github/actions/select-copilot-pat/README.md | Removes the old per-repo composite action documentation (superseded by shared import docs). |
| .github/actions/select-copilot-pat/action.yml | Removes the old composite action implementation (superseded by shared import). |
| .gitattributes | Marks *.lock.yml workflows as generated and sets merge=ours to reduce churn/conflicts. |
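
The pass/fail rule described for the validation workflow (fail on any invalid PAT, on an empty pool, or when a check could not be completed), as an added example that is not code from this pull request. The function names, verdict strings and the precedence between failure reasons are assumptions, and the per-slot statuses are constructed input rather than the result of a real Copilot CLI probe.

```shell
#!/bin/sh
# Added example: turn per-slot check results into a pool verdict and a
# step-summary table. Input is lines of "<slot> <status>", where status is
# valid | empty | invalid | unknown. Only slot numbers and statuses are
# handled here; token values never reach these functions or the summary.

# Functions use ( ) bodies so their counters stay local to a subshell.
pool_verdict() (
  valid=0 empty=0 invalid=0 unknown=0
  while read -r slot status; do
    [ -n "$slot" ] || continue
    case "$status" in
      valid)   valid=$((valid + 1)) ;;
      empty)   empty=$((empty + 1)) ;;
      invalid) invalid=$((invalid + 1)) ;;
      *)       unknown=$((unknown + 1)) ;;  # unrecognized status = unverified
    esac
  done <<EOF
$1
EOF
  # Assumed precedence: a known-bad secret outranks the other reasons.
  if [ "$invalid" -gt 0 ]; then echo "fail:invalid"
  elif [ $((valid + invalid + unknown)) -eq 0 ]; then echo "fail:empty-pool"
  elif [ "$unknown" -gt 0 ]; then echo "fail:unverified"
  else echo "pass"
  fi
)

# Markdown rows suitable for appending to "$GITHUB_STEP_SUMMARY".
summary_rows() (
  echo "| Secret | Status |"
  echo "|---|---|"
  while read -r slot status; do
    [ -n "$slot" ] || continue
    echo "| COPILOT_PAT_${slot} | ${status} |"
  done <<EOF
$1
EOF
)

# Constructed sample: slot 2 hit a transient error, slot 1 is not configured.
SAMPLE='0 valid
1 empty
2 unknown
3 valid'

summary_rows "$SAMPLE"
echo "verdict: $(pool_verdict "$SAMPLE")"  # a workflow step would exit 1 unless "pass"
```

Treating `unknown` as a failure keeps a transient outage from being reported as a healthy pool, which matches the behavior the PR describes.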
This was referenced May 8, 2026
marcpopMSFT approved these changes May 8, 2026
Member
Author
/ba-g unrelated errors
2 similar comments
Member
/ba-g unrelated errors
Member
Author
/ba-g unrelated errors
Replaces the per-workflow inline `select-copilot-pat` action with the shared `pat_pool.md` now usable with gh-aw v0.71.5. The new pattern fixes a bug where `COPILOT_PAT_0` was always selected because activation `needs:` did not incorporate jobs referenced in `engine.env` expressions (github/gh-aw#30232, fixed in v0.71.5).

Also adds a workflow that monitors the PAT pool health.