v0.0.2 ... v0

Devraj Mehta
01f2415f3d Merge pull request #9 from actions/devm33/check-write
Add step to warn about unnecessary write permissions
2026-03-16 23:14:51 -04:00
Devraj Mehta
0d854367d9 Add step to warn about unnecessary write permissions
Probes the github-token for write access to actions, checks, contents,
deployments, issues, packages, pages, pull-requests, security-events,
and statuses. Emits a visible warning if any write scopes are detected.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-16 23:14:29 -04:00
Devraj Mehta
f070e091bc Merge pull request #8 from actions/fix-release-tag-fetch
Fix: fetch new tag before updating major version tag
2026-03-10 23:21:50 -04:00
Devraj Mehta
bf52dcb0f1 Fix: fetch new tag before updating major version tag
gh release create creates the tag on the remote, so we need to fetch
it before we can reference it locally for the major version tag update.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-10 22:00:28 -04:00
Devraj Mehta
72d90beb74 Merge pull request #7 from actions/slim
Fix runner name
2026-03-10 21:48:37 -04:00
Devraj Mehta
95516055b3 Fix runner name 2026-03-10 21:48:07 -04:00
Devraj Mehta
d5f1a25f77 Merge pull request #6 from actions/release-workflow
Add release workflow
2026-03-10 21:46:26 -04:00
Devraj Mehta
d278e42d43 Add release workflow
Add a workflow_dispatch workflow that bumps the version (patch/minor/major),
creates a GitHub release with auto-generated notes, and updates the major
version tag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-10 21:45:33 -04:00
Devraj Mehta
14747e0edd Merge pull request #5 from actions/token
Fix version
2026-03-10 21:37:53 -04:00
Devraj Mehta
9f29266402 Fix duplicate env key in Install Copilot CLI step
Merge GITHUB_TOKEN into the single env block to fix the 'env is already
defined' validation error in GitHub Actions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-10 20:55:51 -04:00
Devraj Mehta
5d0b3111f2 Update README to use @v0 version tag
The v1 tag doesn't exist yet — use v0 to match the current 0.x.x release series.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-10 20:55:09 -04:00
3 changed files with 131 additions and 7 deletions

.github/workflows/release.yml vendored Normal file

@@ -0,0 +1,73 @@
name: Release
on:
workflow_dispatch:
inputs:
bump:
description: Version bump type
required: true
default: patch
type: choice
options:
- patch
- minor
- major
jobs:
release:
runs-on: ubuntu-slim
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Determine new version
id: version
run: |
# Get the latest semver tag
LATEST_TAG=$(git tag --list 'v[0-9]*.[0-9]*.[0-9]*' --sort=-v:refname | head -n1)
if [ -z "$LATEST_TAG" ]; then
echo "No existing version tag found"
exit 1
fi
# Strip leading 'v' and split into components
VERSION="${LATEST_TAG#v}"
IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION"
case "${{ inputs.bump }}" in
major)
MAJOR=$((MAJOR + 1))
MINOR=0
PATCH=0
;;
minor)
MINOR=$((MINOR + 1))
PATCH=0
;;
patch)
PATCH=$((PATCH + 1))
;;
esac
NEW_VERSION="v${MAJOR}.${MINOR}.${PATCH}"
echo "previous=$LATEST_TAG" >> "$GITHUB_OUTPUT"
echo "new=$NEW_VERSION" >> "$GITHUB_OUTPUT"
echo "major=v${MAJOR}" >> "$GITHUB_OUTPUT"
echo "Bumping $LATEST_TAG -> $NEW_VERSION"
- name: Create GitHub release
run: |
gh release create "${{ steps.version.outputs.new }}" \
--generate-notes \
--notes-start-tag "${{ steps.version.outputs.previous }}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Update major version tag
run: |
git fetch origin tag "${{ steps.version.outputs.new }}"
git tag -f "${{ steps.version.outputs.major }}" "${{ steps.version.outputs.new }}"
git push -f origin "${{ steps.version.outputs.major }}"
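Review bot: The `Determine new version` and `Update major version tag` steps expand `${{ inputs.bump }}` and `${{ steps.version.outputs.* }}` straight into `run:` scripts while the job holds `contents: write`; `bump` is a `choice` input and so constrained, but `previous`/`new` are built from whatever tag names match `'v[0-9]*.[0-9]*.[0-9]*'`, and in git's tag glob `.` is a single-character wildcard and `*` is unbounded, so a tag such as `v1.2.3-rc1` also matches and its `3-rc1` reaches `$((PATCH + 1))`, where bash arithmetic evaluates variable names and `name[...]` subscripts. Anyone who can push such a tag already has write access, so this is not a privilege escalation, but it is the standard injection shape: pass the values through `env:` and reference them as `"$VAR"`, and anchor the version before splitting with `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1`. Since this workflow moves the floating `vN` tag that consumers resolve, pinning `actions/checkout@v4` to a full commit SHA would also be in keeping with the trust placed in it.
```yaml
      - name: Determine new version
        id: version
        env:
          BUMP: ${{ inputs.bump }}
        run: |
          # … unchanged: LATEST_TAG lookup and split into MAJOR/MINOR/PATCH …
          case "$BUMP" in
          # … unchanged: bump arms and $GITHUB_OUTPUT writes …
      # … unchanged: Create GitHub release step …
      - name: Update major version tag
        env:
          NEW_TAG: ${{ steps.version.outputs.new }}
          MAJOR_TAG: ${{ steps.version.outputs.major }}
        run: |
          git fetch origin tag "$NEW_TAG"
          git tag -f "$MAJOR_TAG" "$NEW_TAG"
          git push -f origin "$MAJOR_TAG"
```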


@@ -6,10 +6,10 @@ A GitHub Action to install the [GitHub Copilot CLI](https://github.com/github/co
```yaml
steps:
- uses: actions/setup-copilot@v1
- uses: actions/setup-copilot@v0
with:
version: "latest" # optional, defaults to "latest"
github-token: ${{ secrets.COPILOT_TOKEN }} # optional, defaults to github.token
github-token: ${{ secrets.GITHUB_TOKEN }} # optional, defaults to github.token
- run: copilot --version
```
@@ -31,13 +31,13 @@ steps:
### Install latest version
```yaml
- uses: actions/setup-copilot@v1
- uses: actions/setup-copilot@v0
```
### Install a specific version
```yaml
- uses: actions/setup-copilot@v1
- uses: actions/setup-copilot@v0
with:
version: "1.2.3"
```
@@ -45,7 +45,7 @@ steps:
### Use with a custom token
```yaml
- uses: actions/setup-copilot@v1
- uses: actions/setup-copilot@v0
with:
github-token: ${{ secrets.GH_TOKEN }}
```


@@ -27,14 +27,65 @@ runs:
env:
VERSION: ${{ inputs.version }}
PREFIX: ${{ runner.tool_cache }}/copilot
run: curl -fsSL https://gh.io/copilot-install | bash
env:
GITHUB_TOKEN: ${{ inputs.github-token }}
run: curl -fsSL https://gh.io/copilot-install | bash
- name: Add to PATH
shell: bash
run: echo "${{ runner.tool_cache }}/copilot/bin" >> "$GITHUB_PATH"
- name: Check for unnecessary write permissions
shell: bash
env:
GH_TOKEN: ${{ inputs.github-token }}
run: |
API="$GITHUB_API_URL/repos/$GITHUB_REPOSITORY"
writes_found=()
# Probe write access by sending invalid requests to write endpoints.
# 422/409 = token has write permission (passed auth, failed validation)
# 403 = token does not have write permission
probe_write() {
local scope="$1" url="$2" method="${3:-POST}" body="${4:-\{\}}"
code=$(curl -s -o /dev/null -w "%{http_code}" \
-X "$method" \
-H "Authorization: bearer $GH_TOKEN" \
-H "Accept: application/vnd.github+json" \
"$url" -d "$body")
case "$code" in
2[0-9][0-9]|422|409) writes_found+=("$scope") ;;
esac
}
probe_write "actions" "$API/actions/workflows/0/dispatches" POST '{"ref":"__probe__"}'
probe_write "checks" "$API/check-runs" POST '{}'
probe_write "contents" "$API/contents/__probe__" PUT '{"message":"probe"}'
probe_write "deployments" "$API/deployments" POST '{}'
probe_write "issues" "$API/issues" POST '{}'
probe_write "packages" "$GITHUB_API_URL/user/packages/container/__nonexistent__/versions/0" DELETE ''
probe_write "pages" "$API/pages" POST '{}'
probe_write "pull-requests" "$API/pulls" POST '{}'
probe_write "statuses" "$API/statuses/$GITHUB_SHA" POST '{}'
if [ ${#writes_found[@]} -gt 0 ]; then
echo ""
echo "::warning::⚠️ The github-token passed to setup-copilot has write permissions: ${writes_found[*]}. Granting write permissions to the Copilot CLI in Actions workflows is a security risk. Recommend scoping your token with least-privilege permissions."
{
echo "### ⚠️ setup-copilot: Excessive Token Permissions"
echo ""
echo "The \`github-token\` input has **write** access to: \`${writes_found[*]}\`."
echo ""
echo "Giving write permissions to the Copilot CLI in Actions workflows is a security risk."
echo ""
echo "**Recommendation:** add a \`permissions\` block to your job:"
echo '```yaml'
echo "permissions:"
echo " contents: read"
echo '```'
echo "and add a separate job with write permissions for steps that need it."
} >> "$GITHUB_STEP_SUMMARY"
fi
- name: Verify installation
id: version
shell: bash
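Review bot: The list of `probe_write` calls omits `security-events`, which the commit description says is checked, so a token carrying `security-events: write` passes this step silently; either add a probe such as `probe_write "security-events" "$API/code-scanning/sarifs" POST '{}'` (an empty SARIF upload should fail validation, though I have not confirmed the exact status code) or drop the scope from the description so the two agree. The `case "$code"` classification also assumes the API rejects on authorization before it checks existence: for `actions/workflows/0/dispatches` and the `DELETE` on `__nonexistent__` package versions, a write-capable token plausibly gets 404, which is treated as "no write", so those two scopes may never be reported — worth verifying with a token that actually has `actions: write`. A `2[0-9][0-9]` match means the probe succeeded, i.e. it mutated something (the `POST $API/pages` probe is the one I would watch), so that case deserves its own message rather than being folded in with 422/409. The step has no `set -e`, which is fine here since a curl failure yields `000` and falls through, but a comment saying so would stop someone from "fixing" it.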