Summary
On July 2, 2026 GitHub removed the need for personal access tokens when running Copilot CLI inside GitHub Actions; workflows can now authenticate with the built-in GITHUB_TOKEN using a copilot-requests write permission, cutting the operational and security risk of managing long-lived PATs.
What changed
Copilot CLI in GitHub Actions can authenticate with the workflow's built-in GITHUB_TOKEN (requiring copilot-requests: write) instead of a personal access token; AI credits used in an org-owned repo are billed to the organization, gated by a Copilot policy enabled by default.
Why it matters
Eliminating long-lived PATs for agent automation removes a common credential-leak and over-permissioning risk, and makes it safer to run coding agents inside CI at scale - a concrete security improvement for agentic workflows.
Evidence excerpt
You can now run GitHub Copilot CLI in GitHub Actions using the built-in GITHUB_TOKEN, eliminating the operational and security risks of managing long-lived personal access tokens (PATs).