Comment by timrogers

20 days ago

As we've built Copilot coding agent, we've put a lot of thought and work into our security story.

One of the things we've done here is to treat Copilot's commits like commits from a first-time contributor to an open source project.

When Copilot pushes changes, your GitHub Actions workflows won't run by default, and you'll have to click the "Approve and run workflows" button in the merge box.

That gives you the chance to run Copilot's code before it runs in Actions and has access to your secrets.

(Source: I'm on the product team for Copilot coding agent.)

The announcement https://github.blog/news-insights/product-news/github-copilo... seems to position GitHub Actions as a core part of the Copilot coding agent’s architecture. From what I understand in the documentation and your comment, GitHub Actions is triggered later in the flow, mainly for security reasons. Just to clarify, is GitHub Actions also used in the development environment of the agent, or only after the code is generated and pushed?