For background on authentication options and how billing works when running Copilot CLI in GitHub Actions, see About using Copilot CLI in GitHub Actions.
Enabling the policy
For workflows in your organization to use Copilot CLI with GITHUB_TOKEN, the policy must be enabled. This policy is enabled by default for organizations with Copilot CLI turned on, but you can confirm or change this setting in your organization's policy settings.
- Navigate to the policy settings for your organization. See Managing policies and features for GitHub Copilot in your organization.
- Under "Copilot CLI", confirm that Allow use of Copilot CLI billed to the organization is selected.
Recommended approach: GitHub Agentic Workflows
For most automation use cases, we recommend using GitHub Agentic Workflows rather than invoking copilot directly in workflow steps. Agentic workflows use GITHUB_TOKEN authentication by default and include additional guardrails suited for automated environments.
For setup instructions, see Quick Start in the GitHub Agentic Workflows documentation. Your workflow must also grant the copilot-requests: write permission. See Permissions in the GitHub Agentic Workflows documentation.
Using Copilot CLI directly in a workflow
If you need to invoke Copilot CLI directly in a workflow step, install the CLI with npm.
Warning
Invoking Copilot CLI directly in workflow steps gives it broad access to your workflow environment. Review your workflow triggers and permissions carefully before using this approach. Workflows triggered by pull requests from forks are particularly at risk.
Example workflow
name: Copilot CLI example
on: [push]
permissions:
  contents: read
  # Required for the workflow to make Copilot requests
  copilot-requests: write
jobs:
  copilot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install Copilot CLI
        run: npm install -g @github/copilot
      - name: Run Copilot
        run: copilot --yolo -p "Summarize the changes in this commit"
        env:
          # Token that GitHub Actions provides for this workflow run
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Key details about this example:
- The --yolo flag suppresses interactive prompts, which is required for non-interactive environments like GitHub Actions.
- The copilot-requests: write permission is required for the workflow to make Copilot requests.
- The GITHUB_TOKEN provided by GitHub Actions handles authentication automatically; no additional secrets are needed.
Note
You must be on a recent version of Copilot CLI to use GITHUB_TOKEN authentication. Update with copilot update, or reinstall the latest version with npm install -g @github/copilot.
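The warning above asks you to review workflow triggers and permissions before invoking the CLI directly. The following Python check is an added example, not part of GitHub's documentation or tooling: it flags pull-request triggers and workflow-level write scopes other than copilot-requests in a workflow that runs copilot. The function names, the finding texts and the sample workflows are assumptions of this example, and the check is a line-based heuristic that neither parses YAML fully nor reads job-level permissions.

```python
import re

PR_TRIGGERS = {"pull_request", "pull_request_target"}  # can be started by fork PRs

def top_level_block(text, key):
    """Return a column-0 YAML key together with its indented child lines."""
    out, inside = [], False
    for line in text.splitlines():
        if re.match(rf"{key}\s*:", line):
            inside = True
        elif inside and line.strip() and not line[0].isspace():
            break  # next column-0 key ends the block
        if inside:
            out.append(line)
    return "\n".join(out)

def audit(text):
    """Heuristic review of one workflow file; returns a list of findings."""
    # Only workflows that run the copilot command in a step are in scope.
    if not re.search(r"^\s*(?:-\s*)?(?:run:\s*)?copilot\s+-", text, re.M):
        return []
    findings = []
    on_words = set(re.findall(r"[a-z_]+", top_level_block(text, "on")))
    for trig in sorted(on_words & PR_TRIGGERS):
        findings.append(f"trigger '{trig}' can run on pull requests from forks")
    perms = top_level_block(text, "permissions")
    if not perms:
        findings.append("no top-level permissions block")
    elif "write-all" in perms:
        findings.append("permissions: write-all")
    else:
        for scope in re.findall(r"^\s+([\w-]+):\s*write\b", perms, re.M):
            if scope != "copilot-requests":  # the one write scope the page requires
                findings.append(f"extra write scope '{scope}'")
    return findings

# Constructed samples: the page's example reduced to the lines the check reads,
# and a riskier variant derived from it.
PAGE_EXAMPLE = """\
on: [push]
permissions:
  contents: read
  copilot-requests: write
jobs:
  copilot:
    steps:
      - run: copilot --yolo -p "Summarize the changes in this commit"
"""
RISKY = PAGE_EXAMPLE.replace("on: [push]", "on:\n  pull_request_target:")
RISKY = RISKY.replace("contents: read", "contents: write")
print(audit(PAGE_EXAMPLE) or "no findings", audit(RISKY), sep="\n")
```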