[gh-aw] disable AI-credit guardrails (max-daily / max-ai)#11659

Merged
jonathanpeppers merged 5 commits into dotnet:main from jonathanpeppers:jonathanpeppers/gh-aw-copilot-requests-permission
Jun 16, 2026

@jonathanpeppers jonathanpeppers commented Jun 15, 2026

Member

What

Disables the AI-credit guardrails for both agentic workflows. Two-line frontmatter delta per workflow:

max-daily-ai-credits: -1
max-ai-credits: -1

Applied to:

  • .github/workflows/android-reviewer.md
  • .github/workflows/nightly-fix-finder.md

gh aw compile then regenerates the *.lock.yml files, .github/aw/actions-lock.json, and .github/workflows/agentics-maintenance.yml (the latter two also pick up a routine gh-aw CLI bump from v0.79.6 -> v0.79.8).

Mirrors dotnet/java-interop#1471 + #1473.

Verification

git diff origin/main...HEAD --stat:

.github/aw/actions-lock.json                  | 12 ++--
.github/workflows/agentics-maintenance.yml    | 43 ++++++-------
.github/workflows/android-reviewer.lock.yml   | 89 +++++++++------------------
.github/workflows/android-reviewer.md         |  2 +
.github/workflows/nightly-fix-finder.lock.yml | 89 +++++++++------------------
.github/workflows/nightly-fix-finder.md       |  2 +

The only hand-authored change is the four added lines above. Everything else is mechanical output of gh aw compile.

Adds copilot-requests: write to the permissions block of both agentic workflows so they use the built-in GITHUB_TOKEN for Copilot CLI inference instead of the COPILOT_GITHUB_TOKEN PAT. AI credits now bill directly to the dotnet organization.

See: https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/

Also bumps the gh-aw CLI from v0.79.6 -> v0.79.8 (recommended in the changelog), which regenerates agentics-maintenance.yml and the lock files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 15, 2026 22:15

Copilot AI left a comment

Contributor

Pull request overview

Updates the repo’s gh-aw agentic workflows to use the new authentication model where Copilot CLI inference is performed using the built-in GITHUB_TOKEN (with copilot-requests: write) instead of a stored PAT secret, and regenerates the compiled/locked workflows with the newer gh-aw CLI.

Changes:

  • Added copilot-requests: write to workflow/job permissions in the source workflow .md files and in the generated lock workflows.
  • Regenerated lock workflows so COPILOT_GITHUB_TOKEN is sourced from ${{ github.token }} (and removed the COPILOT_GITHUB_TOKEN secret dependency).
  • Bumped gh-aw action/CLI pins from v0.79.6 to v0.79.8 (including the generated maintenance workflow).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/android-reviewer.md | Adds copilot-requests: write permission to support Copilot inference via GITHUB_TOKEN. |
| .github/workflows/android-reviewer.lock.yml | Regenerated lock: uses ${{ github.token }} for COPILOT_GITHUB_TOKEN, updates gh-aw pins, and propagates permissions changes. |
| .github/workflows/nightly-fix-finder.md | Adds copilot-requests: write permission to support Copilot inference via GITHUB_TOKEN. |
| .github/workflows/nightly-fix-finder.lock.yml | Regenerated lock: uses ${{ github.token }} for COPILOT_GITHUB_TOKEN, updates gh-aw pins, and propagates permissions/guardrail output renames. |
| .github/workflows/agentics-maintenance.yml | Regenerated maintenance workflow with updated gh-aw pins/version banner. |

@jonathanpeppers jonathanpeppers added the ready-to-review This PR is ready to review/merge, I think any CI failures are just flaky (ignorable). label Jun 16, 2026
jonathanpeppers and others added 3 commits June 16, 2026 09:48
Adds max-daily-ai-credits: -1 and max-ai-credits: -1 to both agentic workflow markdown files, matching dotnet/java-interop#1471. This disables the daily and per-run AIC guardrails for these workflows.

Also picks up .github/aw/actions-lock.json (v0.79.6 -> v0.79.8) which was missed in the previous commit on this branch.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Matches dotnet/java-interop#1472. Setting max-ai-credits: -1 disables enforcement *and token steering*, which causes the AWF api-proxy to return HTTP 403 when injecting Copilot provider credentials. 100M leaves token steering on while keeping per-run cost effectively uncapped.

max-daily-ai-credits: -1 is left as-is — that flag's -1 only toggles the daily guardrail and doesn't touch token steering.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Matches dotnet/java-interop#1473. The "GITHUB_TOKEN-billed-to-org" feature requires the "Allow use of Copilot CLI billed to the organization" Copilot policy to be enabled at the org level, and the dotnet org has not enabled it yet — so without that policy the workflows fail with HTTP 403 from api.githubcopilot.com/models.

This commit removes copilot-requests: write from both agentic workflow markdown files and regenerates the lock files. COPILOT_GITHUB_TOKEN: secrets.COPILOT_GITHUB_TOKEN is restored, SECRET_COPILOT_GITHUB_TOKEN is re-added to the redaction step, and the gh-aw v0.79.8 + max-ai-credits/max-daily-ai-credits changes from earlier commits on this branch are intentionally retained.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jonathanpeppers jonathanpeppers changed the title from "[gh-aw] use GITHUB_TOKEN for Copilot inference" to "[gh-aw] tune AI-credit guardrails for reviewer + nightly-fix-finder" Jun 16, 2026
Matches the latest force-push on dotnet/java-interop#1473. The 100M cap from dotnet#1472 was only needed when running on the GITHUB_TOKEN-billed-to-org flow, where the AWF api-proxy required token steering to inject Copilot provider credentials. Now that this branch reverts to the PAT-based flow (secrets.COPILOT_GITHUB_TOKEN), token steering is no longer in the path, so -1 is safe and matches dotnet#1471's original intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jonathanpeppers jonathanpeppers changed the title from "[gh-aw] tune AI-credit guardrails for reviewer + nightly-fix-finder" to "[gh-aw] disable AI-credit guardrails (max-daily / max-ai)" Jun 16, 2026
@jonathanpeppers jonathanpeppers merged commit 6d44613 into dotnet:main Jun 16, 2026
42 of 46 checks passed
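
An added example, not part of the pull request or the dotnet repository's code: a small audit that reads the frontmatter of agentic workflow sources and reports which AI-credit guardrails are set to -1, and whether max-ai-credits: -1 is combined with copilot-requests: write, the combination the commit messages above report as failing with HTTP 403. It assumes the frontmatter is delimited by `---` lines and that copilot-requests sits under a top-level permissions block; the sample workflows are constructed.

```python
import re

GUARDRAILS = ("max-daily-ai-credits", "max-ai-credits")

def frontmatter(text):
    """Return the lines between the first pair of '---' delimiters."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i, line in enumerate(lines[1:], start=1):
        if line.strip() == "---":
            return lines[1:i]
    return []  # unterminated frontmatter: treat as absent

def parse(text):
    """Collect top-level scalars and the children of 'permissions:'."""
    top, perms, in_perms = {}, {}, False
    for line in frontmatter(text):
        m = re.match(r"^(\s*)([\w-]+):\s*(.*?)\s*(?:#.*)?$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        if not indent:
            in_perms = key == "permissions"
            top[key] = value
        elif in_perms:
            perms[key] = value
    return top, perms

def audit(name, text):
    """Return findings for one workflow source file."""
    top, perms = parse(text)
    found = [f"{name}: {k} is -1 (guardrail disabled)"
             for k in GUARDRAILS if top.get(k) == "-1"]
    if perms.get("copilot-requests") == "write" and top.get("max-ai-credits") == "-1":
        found.append(f"{name}: max-ai-credits -1 with copilot-requests: write "
                     "(thread reports HTTP 403 from the api-proxy)")
    return found

# Constructed samples, not the repository's real workflow files.
PAT_FLOW = "---\npermissions:\n  contents: read\nmax-daily-ai-credits: -1\nmax-ai-credits: -1\n---\n# body\n"
TOKEN_FLOW = "---\npermissions:\n  contents: read\n  copilot-requests: write\nmax-ai-credits: -1  # uncapped\n---\n"

if __name__ == "__main__":
    for name, text in (("pat.md", PAT_FLOW), ("token.md", TOKEN_FLOW)):
        print("\n".join(audit(name, text)) or f"{name}: no findings")
```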