diff --git a/docs/src/content/docs/guides/upgrading.md b/docs/src/content/docs/guides/upgrading.md index 447fa9e3281..a36ecd12e19 100644 --- a/docs/src/content/docs/guides/upgrading.md +++ b/docs/src/content/docs/guides/upgrading.md @@ -72,7 +72,7 @@ gh aw upgrade --dir custom/workflows ## Step 3: Review the Changes -Run `git diff .github/workflows/` to verify the changes. Typical migrations include `sandbox: false` → `sandbox.agent: false`, `daily at` → `daily around`, and removal of deprecated `network.firewall` and `mcp-scripts.mode` fields. +Run `git diff .github/workflows/` to verify the changes. Typical migrations include `sandbox: false` → `sandbox.agent: false`, `app:` → `github-app:`, `daily at` → `daily around`, and removal of deprecated `network.firewall` and `mcp-scripts.mode` fields. ## Step 4: Commit and Push diff --git a/docs/src/content/docs/reference/frontmatter.md b/docs/src/content/docs/reference/frontmatter.md index 340348c7000..fffaf3b435d 100644 --- a/docs/src/content/docs/reference/frontmatter.md +++ b/docs/src/content/docs/reference/frontmatter.md @@ -460,6 +460,24 @@ To use a different model, set the `GH_AW_MODEL_AGENT_COPILOT` repository variabl > [!NOTE] > Copilot BYOK defaults apply only to `engine: copilot` workflows. Other engines are unchanged. +#### Copilot Requests (`features.copilot-requests`) + +> [!NOTE] +> This feature is in **private preview**. It will not work unless your account has been onboarded. + +Enables GitHub Actions token authentication for Copilot agent workflows, removing the need for a separate PAT or GitHub App token. When set, the compiler: + +1. Injects `copilot-requests: write` into the workflow's GitHub token permissions. +2. Sets `S2STOKENS=true` in the Copilot CLI execution environment, enabling service-to-service token exchange. +3. Activates the `cli-proxy` sidecar so the CLI proxy image is included in container pre-pulls for threat-detection jobs. + +```yaml wrap +features: + copilot-requests: true +``` + +Without this flag, Copilot workflows authenticate using a PAT stored as `COPILOT_GITHUB_TOKEN`. With `copilot-requests: true`, the workflow uses the built-in `github.token` instead. See [Authentication](/gh-aw/reference/auth/) for PAT-based setup. + #### AWF Failure Diagnostics (`features.awf-diagnostic-logs`) Enables AWF Docker operational diagnostics collection on failure by adding `--diagnostic-logs` to AWF runtime arguments.