{"id":4328,"date":"2026-06-15T08:06:11","date_gmt":"2026-06-15T08:06:11","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/15\/github-removes-pat-requirement-for-agentic-workflows\/"},"modified":"2026-06-15T08:06:11","modified_gmt":"2026-06-15T08:06:11","slug":"github-removes-pat-requirement-for-agentic-workflows","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/15\/github-removes-pat-requirement-for-agentic-workflows\/","title":{"rendered":"GitHub Removes PAT Requirement for Agentic Workflows"},"content":{"rendered":"<div><img data-opt-id=596115404  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/06\/Untitled-design-58.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"\" \/><\/div>\n<p><img data-opt-id=719696770  fetchpriority=\"high\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/06\/Untitled-design-58-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail wp-post-image\" alt=\"\" \/><\/p>\n<p><b>GitHub has quietly removed one of the more annoying friction points in agentic automation \u2014 and the security implications are worth paying attention to.<\/b><\/p>\n<p><span>GitHub Agentic Workflows can now use GitHub Actions\u2019 built-in <\/span><span>GITHUB_TOKEN<\/span><span> instead of a personal access token (PAT). That means developers no longer need to create, store, or rotate a PAT to run agentic workflows, eliminating both the operational hassle and the security risks that come with managing long-lived tokens at scale.<\/span><\/p>\n<p><span>It\u2019s a small config change. The security payoff is not small.<\/span><\/p>\n<h3><span>Why PATs Were a Problem<\/span><\/h3>\n<p><span>Personal access tokens have always carried risk. They\u2019re long-lived, often broadly scoped, and easy to forget about. 
In an agentic context \u2014 where workflows run autonomously, touching repositories, triggering CI\/CD pipelines, and interacting with sensitive resources \u2014 a leaked or misconfigured PAT can create serious exposure.<\/span><\/p>\n<p><span>A recent arXiv paper flagged \u201cagentic workflow injection\u201d as an emerging attack vector, in which untrusted repository content is passed into agent prompts or downstream workflow logic. When a PAT with wide permissions is sitting in that environment, a compromised workflow becomes a much bigger problem.<\/span><\/p>\n<p><span>The shift to <\/span><span>GITHUB_TOKEN<\/span><span> scopes things down by default. The token is short-lived, tied to the specific workflow run, and constrained by the permissions you define in the workflow file itself.<\/span><\/p>\n<h3><span>How the New Billing Model Works<\/span><\/h3>\n<p><span>The change also affects how AI usage gets tracked and billed. When an agentic workflow runs in an organization-owned repository using the Actions token, AI credits are billed directly to the organization rather than to an individual user. To enable this, organizations need to turn on the \u201cAllow use of Copilot CLI billed to the organization\u201d Copilot policy \u2014 which is on by default if the existing Copilot CLI policy is already enabled.<\/span><\/p>\n<p><span>Developers configure this by adding <\/span><span>copilot-requests: Write<\/span><span> to the permissions section in the frontmatter of the agentic workflow markdown file, then recompiling and pushing the updated lockfile. Organizations also have access to cost management tools within GitHub Agentic Workflows to monitor, cap, and attribute token usage per workflow run.<\/span><\/p>\n<p><span>That\u2019s a meaningful shift for enterprise teams. 
It moves AI spend from individual developer accounts into organizational budgets, where it\u2019s easier to monitor and control.<\/span><\/p>\n<h3><span>What GitHub Agentic Workflows Actually Do<\/span><\/h3>\n<p><span>GitHub Agentic Workflows let teams automate reasoning-based tasks \u2014 issue triage, CI failure analysis, documentation updates \u2014 using coding agents inside GitHub Actions. Workflows are defined in natural language Markdown files, which GitHub compiles into standard Actions YAML. Because they run as standard Actions, they reuse existing runner groups and policy constraints.<\/span><\/p>\n<p><span>Agents run with read-only permissions by default. Safe outputs are applied via separate jobs with scoped write tokens, and a threat-detection job scans all proposed changes before they\u2019re applied. The Agent Workflow Firewall blocks outbound traffic except to explicitly allowlisted domains.<\/span><\/p>\n<p><span>The security model is layered, which matters for teams that need to run autonomous workflows across sensitive codebases.<\/span><\/p>\n<p><span>Early adopters like Carvana are using the platform to automate work across multiple repositories, while Marks &amp; Spencer has built a catalog of reusable workflows covering security, quality, and delivery that teams can adopt across any repo.<\/span><\/p>\n<p><span>\u201cReplacing personal access tokens with run-scoped Actions tokens moves agent authorization off individual developers and into the organization\u2019s control plane,\u201d said Mitch Ashley, VP and practice lead for software lifecycle engineering at<a href=\"https:\/\/futurumgroup.com\/\" target=\"_blank\" rel=\"noopener\"> The Futurum Group<\/a>. \u201cAgent authority is decoupled from any one person\u2019s identity and bound to the run that exercises it. Platform teams now govern that authority at the level of each workflow run, defining and auditing what a run can touch and where its spend lands. 
The autonomy they grant agents is bounded by how precisely they scope and observe those permissions.\u201d<\/span><\/p>\n<h3><span>The Bigger Picture<\/span><\/h3>\n<p><span>The PAT elimination is part of a broader push to make agentic workflows production-ready, not just experimental. Teams have been cautious about giving AI agents write access to repositories, and for good reason. But the combination of scoped tokens, sandboxed execution, and approval gates changes the risk calculus.<\/span><\/p>\n<p><span>The challenge was never getting an agent to open a pull request \u2014 it was trusting the output enough to merge it. GitHub is building the controls that give teams the confidence to find out.<\/span><\/p>\n<p><span>The feature is available across all Copilot plans, from Copilot Free through Copilot Enterprise. Teams already using GitHub Agentic Workflows should upgrade to the latest version of the CLI (<\/span><span>gh extension upgrade aw<\/span><span>) to access the new authentication option.<\/span><\/p>\n<p><a href=\"https:\/\/devops.com\/github-removes-pat-requirement-for-agentic-workflows\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>GitHub has quietly removed one of the more annoying friction points in agentic automation \u2014 and the security implications are 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4329,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4328","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4328","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4328"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4328\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4329"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}