Add PATs rotation to agentic workflow(s) #13496
Merged
JanKrivanek merged 4 commits into main from Apr 8, 2026
Regenerate lock files with the new compiler version. No functional changes.
Copy the select-copilot-pat composite action from dotnet/skills. This selects a random Copilot PAT from a numbered pool of secrets to distribute API load across multiple PATs. This is a stop-gap until organization-level billing is available for Agentic Workflows. See .github/actions/select-copilot-pat/README.md.
Use the select-copilot-pat action to randomly select from a pool of COPILOT_GITHUB_TOKEN / COPILOT_GITHUB_TOKEN_1..9 secrets, distributing Copilot API load across multiple PATs. Currently only COPILOT_GITHUB_TOKEN is configured; additional secrets can be added as COPILOT_GITHUB_TOKEN_1 through COPILOT_GITHUB_TOKEN_9.
ViktorHofer
approved these changes
Apr 7, 2026
Contributor
Pull request overview
This PR updates the repository’s agentic “Close Stale Pull Requests” workflow by recompiling it with gh-aw v0.67.1 and introducing a PAT-rotation mechanism (randomly selecting from a pool of Copilot PAT secrets) via a new reusable composite action.
Changes:
- Add a reusable composite action (.github/actions/select-copilot-pat) to randomly select a Copilot PAT from a secret pool.
- Wire the selected PAT into the agentic workflow via pre_activation outputs + an engine.env case(...) override of COPILOT_GITHUB_TOKEN.
- Recompile the generated workflow lock file with gh-aw v0.67.1 (large regenerated diff).
| File | Description |
|---|---|
| .github/workflows/close-stale-prs.agent.md | Adds pre-activation steps and engine env override to rotate Copilot PAT usage. |
| .github/workflows/close-stale-prs.agent.lock.yml | Regenerated compiled workflow output (includes PAT selection wiring and other compiler-output changes). |
| .github/aw/actions-lock.json | Adds github/gh-aw-actions/setup@v0.67.1 pin for the new compiler version. |
| .github/actions/select-copilot-pat/README.md | Documents how to onboard and configure the PAT pool + workflow wiring. |
| .github/actions/select-copilot-pat/action.yml | Implements the composite action that selects a non-empty secret index (0–9) and outputs it. |
Copilot's findings
- Files reviewed: 5/5 changed files
- Comments generated: 4
…stead of COPILOT_PAT_# Agent-Logs-Url: https://github.com/dotnet/msbuild/sessions/7cf4fd9a-e8bf-43c6-bd2e-9278df2c8be3 Co-authored-by: JanKrivanek <3809076+JanKrivanek@users.noreply.github.com>
auto-merge was automatically disabled
April 7, 2026 10:47
Head branch was pushed to by a user without write access
Member
Author
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Context
Using a single PAT shared across all agentic workflows can lead to rate-limiting. This PR introduces a PAT-rotation mechanism to randomly select from a pool of Copilot PAT secrets.
Changes Made
- COPILOT_GITHUB_TOKEN / COPILOT_GITHUB_TOKEN_1..9 naming convention
- README.md in .github/actions/select-copilot-pat to document the COPILOT_GITHUB_TOKEN(_#) naming convention used in this repo (replacing the generic COPILOT_PAT_# placeholder examples)
Testing
- COPILOT_GITHUB_TOKEN and COPILOT_GITHUB_TOKEN_1 through COPILOT_GITHUB_TOKEN_9 in both the select-copilot-pat step env bindings and the case(...) expression
Notes
The PAT pool uses COPILOT_GITHUB_TOKEN as the base secret (index 0) and COPILOT_GITHUB_TOKEN_1 through COPILOT_GITHUB_TOKEN_9 for additional pool entries. This is a stop-gap workaround until organization/enterprise billing is offered for agentic workflows.
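The index selection described in the notes above, as an added sketch in POSIX shell; it is not the select-copilot-pat action's own code. The function names are hypothetical; the secret names and the index 0 to 9 mapping are the ones given in this PR description.

```shell
#!/bin/sh
# Added example, not the composite action's implementation.
# Pool layout from the PR description: COPILOT_GITHUB_TOKEN is index 0,
# COPILOT_GITHUB_TOKEN_1 .. COPILOT_GITHUB_TOKEN_9 are indices 1 .. 9.

# Print the indices whose secret is set and non-empty, space separated.
configured_pat_indices() {
    found=""
    for i in 0 1 2 3 4 5 6 7 8 9; do
        if [ "$i" -eq 0 ]; then
            name=COPILOT_GITHUB_TOKEN
        else
            name="COPILOT_GITHUB_TOKEN_$i"
        fi
        # The variable names are fixed literals, so eval sees no outside input.
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            found="$found $i"
        fi
    done
    value=""   # do not leave a copy of the last token in a shell variable
    echo $found
}

# Print one configured index chosen at random; return 1 if the pool is empty.
# Only the index is printed, never the token itself, so the selection can be
# passed between steps or jobs without a secret appearing in outputs or logs.
select_pat_index() {
    set -- $(configured_pat_indices)
    if [ "$#" -eq 0 ]; then
        echo "no Copilot PAT secrets are configured" >&2
        return 1
    fi
    # 16 random bits from the kernel; modulo bias is negligible for <= 10 slots.
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    shift $(( r % $# ))
    echo "$1"
}
```

An unset or empty slot is skipped rather than selected, and an empty pool fails the step explicitly instead of handing an empty token to the engine.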