Skip to content

Expand token creation documentation in README #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 6 commits into from
Dec 20, 2025
Merged

Expand token creation documentation in README #9

Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
bbb4763
Initial plan
Copilot Dec 20, 2025
bf379e0
Add comprehensive token creation details to README
Copilot Dec 20, 2025
29e75e2
Remove CLI instructions for token management, keep only UI method
Copilot Dec 20, 2025
6dcee3b
Restructure README: document COPILOT_GITHUB_TOKEN end-to-end first
Copilot Dec 20, 2025
d85add4
Remove Security Best Practices section
Copilot Dec 20, 2025
8d188f0
Convert numbered lists to checkboxes for todo items
Copilot Dec 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 80 additions & 8 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,86 @@ A template to get started with [GitHub Agentic Workflows](https://githubnext.git

## Quick Setup

To use Copilot in your workflows, configure a GitHub token:

1. Create a [Personal Access Token](https://github.com/settings/personal-access-tokens/new) with **Copilot Requests** permission
2. Add it as a repository secret named `COPILOT_GITHUB_TOKEN`:
- Go to **Settings** > **Secrets and variables** > **Actions**
- Click **New repository secret**
- Name: `COPILOT_GITHUB_TOKEN`
- Paste your token and click **Add secret**
To use GitHub Agentic Workflows, you'll need to configure GitHub tokens for authentication. GitHub Actions provides a default `GITHUB_TOKEN` automatically, but you'll need to create additional tokens for specific features.

### Token Overview

| Token Name | When You Need It | Required For |
|------------|------------------|--------------|
| `COPILOT_GITHUB_TOKEN` | Copilot workflows | AI agent tasks, Copilot engine |
| `GH_AW_GITHUB_TOKEN` | Cross-repo operations | Accessing other repositories, remote GitHub tools |
| `GH_AW_PROJECT_GITHUB_TOKEN` | GitHub Projects v2 | Creating/updating project boards |
| `GH_AW_AGENT_TOKEN` | Agent assignments | Assigning Copilot bots to issues/PRs |

### Creating Tokens

#### 1. Copilot Token (Most Common)

For workflows using the Copilot engine or AI features:

1. Go to [GitHub Settings → Personal Access Tokens → Fine-grained tokens](https://github.com/settings/personal-access-tokens/new)
2. Configure the token:
- **Token name**: "Copilot Agentic Workflows"
- **Resource owner**: Your user account
- **Repository access**: Choose "Public repositories" or select specific repos
- **Permissions**:
- **Account permissions** → **Copilot Requests**: Access ✅ (Required)
3. Click **Generate token** and copy the token value

#### 2. Cross-Repository Token (For Multi-Repo Workflows)

For workflows that need to access multiple repositories:

1. Go to [GitHub Settings → Personal Access Tokens → Fine-grained tokens](https://github.com/settings/personal-access-tokens/new)
2. Configure the token:
- **Token name**: "Agentic Workflows Cross-Repo"
- **Repository access**: "All repositories" or select specific repos
- **Permissions**:
- **Repository permissions**:
- **Contents**: Read (minimum) or Read+Write (for creating PRs)
- **Issues**: Read+Write (for issue operations)
- **Pull requests**: Read+Write (for PR operations)
3. Click **Generate token** and copy the token value

#### 3. Projects Token (For GitHub Projects v2)

For workflows that manage GitHub Projects:

**For User-owned Projects:**
- Use a [Classic PAT](https://github.com/settings/tokens/new) with `project` scope
- Fine-grained PATs do **not** work with user-owned Projects

**For Organization-owned Projects:**
1. Go to [GitHub Settings → Personal Access Tokens → Fine-grained tokens](https://github.com/settings/personal-access-tokens/new)
2. Configure the token:
- **Token name**: "Agentic Workflows Projects"
- **Repository access**: Select specific repos or "All repositories"
- **Organization permissions** (must be explicitly granted):
- **Organization access**: Grant to the target organization
- **Projects**: Read+Write
3. Click **Generate token** and copy the token value

### Adding Tokens to Your Repository

After creating tokens, add them as repository secrets:

1. Go to your repository → **Settings** → **Secrets and variables** → **Actions**
2. Click **New repository secret**
3. Enter the secret name (e.g., `COPILOT_GITHUB_TOKEN`) and paste your token value
4. Click **Add secret**
5. Repeat for each token you created

### Security Best Practices
Copy link
Copy Markdown
Collaborator

@pelikhan pelikhan Dec 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot remove section

Copy link
Copy Markdown
Contributor Author

Copilot AI Dec 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed the Security Best Practices section. (d85add4)


- **Least privilege**: Only grant the minimum permissions needed for each token
- **Scope to specific repos**: Use fine-grained tokens with access to only necessary repositories
- **Use workflow-level permissions**: Restrict `GITHUB_TOKEN` using `permissions:` in your workflows:
```yaml
permissions:
contents: read
issues: write
```
- **Consider GitHub Apps**: For production workflows, use GitHub App tokens for enhanced security with short-lived, auto-revoked credentials

## Learn More

Expand Down