Copilot Provider
When To Use This Provider
Use Copilot when your organization already uses Copilot and can provide a supported Copilot token to the CI job that runs DiffPal.
Prerequisites
- A DiffPal config committed at
.config/diffpal/config.yaml. - Node.js available in the CI job.
- A
COPILOT_GITHUB_TOKENCI secret for the Copilot CLI.
Installation
Install the Copilot CLI in CI:
npm install --global @github/copilot@1.0.61Authentication In CI
Store COPILOT_GITHUB_TOKEN as a protected CI secret. The Copilot CLI reads COPILOT_GITHUB_TOKEN, GH_TOKEN, then GITHUB_TOKEN; use COPILOT_GITHUB_TOKEN for DiffPal so the provider token stays separate from the platform publishing token.
Do not expose COPILOT_GITHUB_TOKEN to untrusted fork jobs. Keep the credentialed review job limited to trusted branches, same-repository pull requests, or maintainer-approved jobs that do not execute fork-controlled code.
Minimal Verified Configuration
Use examples/configs/copilot-github-token/config.yaml.
The provider selection is:
runtime:
providers:
copilot-acp:
type: copilot_acp
copilot_acp:
model: auto
diffpal:
provider: copilot-acpHow To Test Provider Connectivity
Validate the local runtime first:
diffpal doctor --profile ci --mode localThen run a provider-backed smoke review on a trusted branch:
diffpal --profile ci review local \
--base origin/main \
--head HEAD \
--feedback summary \
--out .artifacts/diffpal/findings.jsonExpected Result
The smoke review should complete, write .artifacts/diffpal/findings.json, and print a Markdown summary to stdout.
Security Considerations
Do not reuse the platform publishing token as the Copilot provider token. Keep COPILOT_GITHUB_TOKEN in protected CI secrets and run secret-backed review only in trusted branches, same-repository pull requests, or maintainer-approved jobs that do not execute untrusted code with secrets.
Common Failures
- The Copilot CLI is not installed before DiffPal runs.
COPILOT_GITHUB_TOKENis missing from the trusted CI job.- The token lacks the Copilot Requests permission required by the Copilot CLI.
- A classic PAT is used where the Copilot CLI requires a fine-grained token.
- The selected
diffpal.providerdoes not match thecopilot-acpprovider entry.
Links To Complete CI Examples
Next step: choose the host-specific CI example that matches your code host.
