Is there a way to authenticate programmatically using the GitHub Copilot CLI for Enterprise Cloud customers?

[yuribreion1]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

Copilot CLI

Body

We cannot authenticate in GitHub Copilot CLI within an Actions workflow. Here is an example:

jobs:
  copilot_cli_test:
    name: Send test message
    runs-on: ubuntu-latest
    env:
      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
    steps:
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: ${{ inputs.node_version }}

      - name: Install Copilot CLI
        run: npm install -g @github/copilot

      - name: Run Copilot CLI
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: |
          copilot login --host https://company.ghe.com
          copilot -p "Review the git log for this repository and write a bullet point summary of all code changes that were made today, with links to the relevant commit on GitHub. Above the bullet list give a description (max 100 words) summarizing the changes made. Write the details to summary.md" --allow-tool='shell(git:*)' --allow-tool=write --no-ask-user
          cat summary.md >> "$GITHUB_STEP_SUMMARY"

Even following the docs and instructions from GitHub, the workflow fails saying that no authentication was found, or asks for device authentication:

To authenticate, visit https://company.ghe.com/login/device and enter code XXXX-XXXX.
Waiting for authorization...
Failed to copy to clipboard. Please visit https://company.ghe.com/login/device and enter the code XXXX-XXXX manually.
Failed to open browser (exit code 3). Please visit https://company.ghe.com/login/device and enter the code XXXX-XXXX manually.

References

• https://docs.github.com/en/enterprise-cloud@latest/copilot/how-tos/copilot-cli/set-up-copilot-cli/troubleshoot-copilot-cli-auth#check-whether-an-authentication-environment-variable-is-set

Any feedback would be much appreciated.

[Luke-Corwin]

Hey YuriBreion1. From the behavior you’re seeing, it looks like the Copilot CLI is not picking up the COPILOT_GITHUB_TOKEN environment variable and is falling back to the interactive device-flow authentication process.

A few things I’d check:

• Is COPILOT_GITHUB_TOKEN a token type that the Copilot CLI actually supports for non-interactive authentication? Not all GitHub tokens are interchangeable, and some features require a user authentication flow rather than a PAT or Actions-provided token.
• Are you using GitHub Enterprise Server (company.ghe.com) with Copilot enabled and licensed for the account associated with the token? The CLI may be validating more than just API access.
• Does authentication work if you skip copilot login entirely and invoke the CLI directly with the token present in the environment? It may be that copilot login always initiates the device flow regardless of whether a token is already available.
• Have you confirmed that the token is visible to the process at runtime? A quick test such as checking whether the variable exists (without printing its value) can help rule out a secrets or environment propagation issue.

My suspicion is that the issue is less about GitHub Actions and more about how the Copilot CLI currently handles authentication. If the CLI only supports user-based authentication through the device flow, then running it non-interactively inside Actions may not be supported yet, even though a token is available.

I’d be interested to hear from the GitHub team whether fully non-interactive authentication for Copilot CLI in Actions workflows is officially supported today, and if so, what token type and login flow are expected.

[yuribreion1]

Hey @Luke-Corwin, thank you for sharing your thoughts.

• Is COPILOT_GITHUB_TOKEN a token type that the Copilot CLI actually supports for non-interactive authentication? Not all GitHub tokens are interchangeable, and some features require a user authentication flow rather than a PAT or Actions-provided token.
  • I was following this documentation from GitHub, and the COPILOT_GITHUB_TOKEN takes the highest precedence.
• Are you using GitHub Enterprise Server (company.ghe.com) with Copilot enabled and licensed for the account associated with the token? The CLI may be validating more than just API access.
  • This is a GitHub Enterprise Cloud with data residency that also has a GitHub Copilot Business license tied to the account.
• Does authentication work if you skip copilot login entirely and invoke the CLI directly with the token present in the environment? It may be that copilot login always initiates the device flow regardless of whether a token is already available.
  • It works fine if I use on my desktop with the same account and host.
• Have you confirmed that the token is visible to the process at runtime? A quick test such as checking whether the variable exists (without printing its value) can help rule out a secrets or environment propagation issue.
  • The token is visible and logged when debug is enabled.

I think it works if you use the public cloud on GitHub, but the GitHub Copilot CLI is not ready for such interaction when it comes from the Enterprise Cloud.

[mitrajotiprova-droid]

Yes. For GitHub Copilot CLI Enterprise Cloud customers, programmatic (non-interactive) authentication is supported and is the recommended approach for automation, CI/CD pipelines, containers, and headless environments.

Option 1: Use an environment variable (recommended)

Set one of the supported environment variables:

export COPILOT_GITHUB_TOKEN=<your_token>

or

export GH_TOKEN=<your_token>

or

export GITHUB_TOKEN=<your_token>

[yuribreion1]

Thank you @mitrajotiprova-droid for your feedback, but the result is the same, no success:

This is the log from the workflow:

Run export COPILOT_GITHUB_TOKEN=***
  export COPILOT_GITHUB_TOKEN=***
  copilot login --host https://mycompany.ghe.com/
  copilot -p "Review the git log for this repository and write a bullet point summary of all code changes that were made today, with links to the relevant commit on GitHub. Above the bullet list give a description (max 100 words) summarizing the changes made. Write the details to summary.md" --allow-tool='shell(git:*)' --allow-tool=write --no-ask-user
  cat summary.md >> "$GITHUB_STEP_SUMMARY"
  shell: /usr/bin/bash -e {0}
  env:
    COPILOT_GITHUB_TOKEN: ***
To authenticate, visit https://mycompany.ghe.com/login/device and enter code XXX-XXX.
Waiting for authorization...
Failed to copy to clipboard. Please visit https://mycompany.ghe.com/login/device and enter the code XXX-XXX manually.
Failed to open browser (exit code 3). Please visit https://mycompany.ghe.com/login/device and enter the code XXX-XXX manually.

The workflow job:

jobs:
  copilot_cli_test:
    name: Send test message
    runs-on: ubuntu-latest
    env:
      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
    steps:
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: ${{ inputs.node_version }}

      - name: Install Copilot CLI
        run: npm install -g @github/copilot

      - name: Run Copilot CLI
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
        run: |
          export COPILOT_GITHUB_TOKEN=${{ secrets.COPILOT_GITHUB_TOKEN }}
          copilot login --host https://mycompany.ghe.com
          copilot -p "Review the git log for this repository and write a bullet point summary of all code changes that were made today, with links to the relevant commit on GitHub. Above the bullet list give a description (max 100 words) summarizing the changes made. Write the details to summary.md" --allow-tool='shell(git:*)' --allow-tool=write --no-ask-user
          cat summary.md >> "$GITHUB_STEP_SUMMARY"

[rehuux]

You've done everything correctly, but the issue is fundamental — Copilot CLI does NOT support automation in GitHub Actions. The COPILOT_GITHUB_TOKEN environment variable is ignored for authentication because Copilot CLI is designed for interactive human use only.

Why nothing works:

What you tried Why it failed
COPILOT_GITHUB_TOKEN env var Docs show this is for local CLI only, not for headless CI
copilot login --host Always triggers device flow (needs human to visit URL)
Fine-grained PAT with Copilot permissions Still requires interactive browser OAuth first

Real solutions that WILL work:

Option 1: Use Copilot REST API directly (Recommended)

Instead of CLI, call the Copilot API from your workflow:

- name: Call Copilot API
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    curl -X POST https://api.githubcopilot.com/chat/completions \
      -H "Authorization: Bearer $GITHUB_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "model": "copilot-codex",
        "messages": [{"role": "user", "content": "Review git log and summarize changes"}]
      }'

Note: This requires your GitHub token to have Copilot API access (Enterprise Cloud with Copilot Business/Enterprise).

Option 2: Use a different LLM API (Easiest)

Copilot CLI in CI is not officially supported. Use OpenAI or Anthropic API instead:

- name: Use OpenAI API
  env:
    OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
  run: |
    git log --oneline > commits.txt
    curl https://api.openai.com/v1/chat/completions \
      -H "Authorization: Bearer $OPENAI_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{"model":"gpt-4","messages":[{"role":"user","content":"Summarize these commits: '$(cat commits.txt)'"}]}'

Option 3: Accept that Copilot CLI cannot run in Actions

This is by design. GitHub CLI (gh) works in Actions. Copilot CLI does not. No workaround exists because the device flow is hardcoded.

Final answer:

Copilot CLI is NOT designed for GitHub Actions. Use the Copilot REST API or a different LLM API for automation. The behavior you're seeing is intentional security — they don't allow headless automation with Copilot CLI.

[yuribreion1]

I don't get when you mention "Copilot CLI is NOT designed for GitHub Actions". There is an official document saying that is possible:

You can run GitHub Copilot CLI in a GitHub Actions workflow to automate AI-powered tasks as part of your CI/CD process. For example, you can summarize recent repository activity, generate reports, or scaffold project content. GitHub Copilot CLI runs on the Actions runner like any other CLI tool, so you can install it during a job and invoke it from workflow steps.

[rehuux]

The issue: GitHub Copilot CLI does NOT support authentication via COPILOT_GITHUB_TOKEN in CI/CD environments like GitHub Actions. The device flow (asking for a code) is the expected behavior because Copilot CLI requires interactive browser-based OAuth.

Why it fails in Actions:

· COPILOT_GITHUB_TOKEN environment variable is ignored in non-interactive terminals
· Copilot CLI always falls back to device authentication when no valid session exists
· You cannot bypass the "visit URL and enter code" step in a headless CI environment

Official GitHub docs confirm: The token must be a fine-grained personal access token with "Copilot Requests" permission, but even then, it's designed for local CLI use, not for GitHub Actions workflows.

Workaround (if you absolutely need this):

1. Pre-authenticate and cache the session (not officially supported, but possible):

- name: Restore Copilot session cache
  uses: actions/cache@v3
  with:
    path: ~/.config/github-copilot
    key: copilot-session-${{ runner.os }}

2. Use GitHub Copilot API directly instead of CLI:
   · Call https://api.githubcopilot.com/chat/completions with a valid token
   · This works in Actions with a fine-grained PAT
3. Alternative: Use a different LLM in CI (like OpenAI API or Anthropic) which has proper API keys for automation.

Bottom line: Copilot CLI is designed for human interactive use, not for CI/CD automation. The behavior you're seeing is intentional, not a bug. Use the REST API instead if you need automation.