jeffhandley
diff --git a/‎.github/actions/select-copilot-pat/README.md‎
Lines changed: 115 additions & 0 deletions b/‎.github/actions/select-copilot-pat/README.md‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎.github/actions/select-copilot-pat/action.yml‎
Lines changed: 53 additions & 0 deletions b/‎.github/actions/select-copilot-pat/action.yml‎
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,115 @@
+# Select Copilot PAT
+
+Selects a random Copilot PAT from a numbered pool of secrets. This addresses limitations that arise from having a single PAT shared across all agentic workflows, such as rate-limiting.
+
+**This is a stop-gap workaround.** As soon as organization/enterprise billing is offered for agentic workflows, this approach will be removed from our workflows.
+
+## Repository Onboarding
+
+To use this action in a repository:
+
+1. Copy this `select-copilot-pat` folder into the repository under `.github/actions/select-copilot-pat`, including both the `README.md` and `action.yml`.
+2. Merge those additions into the repository and then follow the instructions for PAT Creation and Usage below.
+
+## PAT Management
+
+Team members provide PATs into the pools for the repository by adding them as repository secrets with secret names matching the pattern of `<pool_name>_<0-9>`, such as `COPILOT_PAT_0`.
+
+[Use this link to prefill the PAT creation form with the required settings][create-pat]:
+
+1. **Resource owner** is your **user account**, not an organization.
+2. **Copilot Requests (Read)** must be the only permission granted.
+3. **8-day expiration** must be used, which enforces a weekly renewal.
+4. **Repository access** set to **Public repositories** only.
+
+The **Token Name** _does not_ need to match the secret name and is only visible to the owner of the PAT. It's recommended to use a token name indicating the PAT is used for modelcontextprotocol org agentic workflows. The **Description** is also only used for your own reference.
+
+Team members providing PATs for workflows should set weekly recurring reminders to regenerate and update their PATs in the repository secrets. With an 8-day expiration, renewal can be done on the same day each week.
+
+PATs are added to repositories through the **Settings > Secrets and variables > Actions** UI, saved as **Repository secrets** and matching the `<pool_name>_<0-9>` naming convention. This can also be done using the GitHub CLI.
+
+```sh
+gh aw secrets set "<pool_name>_<0-9>" --value "<your-github-pat>" --repo modelcontextprotocol/<repo>
+```
+
+## Workflow Output Attribution
+
+Team members' PATs are _only_ used for the Copilot requests from within the agentic portion of the workflow. All outputs from the workflow use the `github-actions[bot]` account token. Issues, PRs, comments, and all other content generated by the workflow will be attributed to `github-actions[bot]`--not the team member's account or token.
+
+## Usage
+
+Add the following frontmatter at the top-level of an agentic workflow. These elements are not supported through [imports][imports], so they must be copied into all workflows.
+
+Up to 10 `SECRET_#` environment variables can be passed to the action, numbered 0-9. Different workflows can use different pools of PATs if desired. Change the `secrets.COPILOT_PAT_0` through `secrets.COPILOT_PAT_9` secret names in both the `select-copilot-pat` step `env` values and in the `case` expression under the `engine: env` configuration.
+
+```yml
+on:
+  # Add the pre-activation step of selecting a random PAT from the supplied secrets
+  steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      name: Checkout the select-copilot-pat action folder
+      with:
+        persist-credentials: false
+        sparse-checkout: .github/actions/select-copilot-pat
+        sparse-checkout-cone-mode: true
+        fetch-depth: 1
+
+    - id: select-copilot-pat
+      name: Select Copilot token from pool
+      uses: ./.github/actions/select-copilot-pat
+      env:
+        # If the secret names are changed here, they must also be changed
+        # in the `engine: env` case expression
+        SECRET_0: ${{ secrets.COPILOT_PAT_0 }}
+        SECRET_1: ${{ secrets.COPILOT_PAT_1 }}
+        SECRET_2: ${{ secrets.COPILOT_PAT_2 }}
+        SECRET_3: ${{ secrets.COPILOT_PAT_3 }}
+        SECRET_4: ${{ secrets.COPILOT_PAT_4 }}
+        SECRET_5: ${{ secrets.COPILOT_PAT_5 }}
+        SECRET_6: ${{ secrets.COPILOT_PAT_6 }}
+        SECRET_7: ${{ secrets.COPILOT_PAT_7 }}
+        SECRET_8: ${{ secrets.COPILOT_PAT_8 }}
+        SECRET_9: ${{ secrets.COPILOT_PAT_9 }}
+
+# Add the pre-activation output of the randomly selected PAT
+jobs:
+  pre-activation:
+    outputs:
+      copilot_pat_number: ${{ steps.select-copilot-pat.outputs.copilot_pat_number }}
+
+# Override the COPILOT_GITHUB_TOKEN expression used in the activation job
+# Consume the PAT number from the pre-activation step and select the corresponding secret
+engine:
+  id: copilot
+  env:
+    # We cannot use line breaks in this expression as it leads to a syntax error in the compiled workflow
+    # If none of the `COPILOT_PAT_#` secrets were selected, then the default COPILOT_GITHUB_TOKEN is used
+    COPILOT_GITHUB_TOKEN: ${{ case(needs.pre_activation.outputs.copilot_pat_number == '0', secrets.COPILOT_PAT_0, needs.pre_activation.outputs.copilot_pat_number == '1', secrets.COPILOT_PAT_1, needs.pre_activation.outputs.copilot_pat_number == '2', secrets.COPILOT_PAT_2, needs.pre_activation.outputs.copilot_pat_number == '3', secrets.COPILOT_PAT_3, needs.pre_activation.outputs.copilot_pat_number == '4', secrets.COPILOT_PAT_4, needs.pre_activation.outputs.copilot_pat_number == '5', secrets.COPILOT_PAT_5, needs.pre_activation.outputs.copilot_pat_number == '6', secrets.COPILOT_PAT_6, needs.pre_activation.outputs.copilot_pat_number == '7', secrets.COPILOT_PAT_7, needs.pre_activation.outputs.copilot_pat_number == '8', secrets.COPILOT_PAT_8, needs.pre_activation.outputs.copilot_pat_number == '9', secrets.COPILOT_PAT_9, secrets.COPILOT_GITHUB_TOKEN) }}
+```
+
+## References
+
+- [Agentic Workflows CLI Extension][cli-setup]
+- [Agentic Authoring][configure-repo]
+- [Authentication][authentication]
+- [Agentic Workflow Imports][imports]
+- [Custom Steps][steps]
+- [Custom Jobs][jobs]
+- [Job Outputs][job-outputs]
+- [Engine Configuration][engine]
+- [Engine Environment Variables][engine-vars]
+- [Case Function in Workflow Expressions][case-expression]
+- [Update agentic engine token handling to use user-provided secrets (github/gh-aw#18017)][secret-override]
+
+[cli-setup]: https://github.github.com/gh-aw/setup/cli/
+[configure-repo]: https://github.github.com/gh-aw/guides/agentic-authoring/#configuring-your-repository
+[authentication]: https://github.github.com/gh-aw/reference/auth/
+[create-pat]: https://github.com/settings/personal-access-tokens/new?name=modelcontextprotocol%20org%20agentic%20workflows&description=GitHub+Agentic+Workflows+-+Copilot+engine+authentication.++Used+for+modelcontextprotocol+org+workflows.+MUST+be+configured+with+only+Copilot+Requests+permissions+and+user+account+as+resource+owner.+Weekly+expiration+and+required+renewal.&user_copilot_requests=read&expires_in=8
+[imports]: https://github.github.com/gh-aw/reference/imports/
+[steps]: https://github.github.com/gh-aw/reference/frontmatter/#custom-steps-steps
+[jobs]: https://github.github.com/gh-aw/reference/frontmatter/#custom-jobs-jobs
+[job-outputs]: https://github.github.com/gh-aw/reference/frontmatter/#job-outputs
+[engine]: https://github.github.com/gh-aw/reference/frontmatter/#ai-engine-engine
+[engine-vars]: https://github.github.com/gh-aw/reference/engines/#engine-environment-variables
+[case-expression]: https://docs.github.com/en/actions/reference/workflows-and-actions/expressions#case
+[secret-override]: https://github.com/github/gh-aw/pull/18017
@@ -0,0 +1,53 @@
+name: 'Select Copilot PAT from Pool'
+description: >
+  Selects a random Copilot PAT from a numbered pool of secrets. Secrets
+  are passed as environment variables SECRET_0 through SECRET_9
+  by the calling workflow step.
+
+inputs:
+  random-seed:
+    description: 'A seed number to use for the random PAT selection, for deterministic selection if needed.'
+    required: false
+    default: ''
+
+outputs:
+  copilot_pat_number:
+    description: 'The 0-9 secret number selected from the pool of specified secrets'
+    value: ${{ steps.select-pat-number.outputs.copilot_pat_number }}
+
+runs:
+  using: composite
+  steps:
+    - id: select-pat-number
+      shell: bash
+      env:
+        RANDOM_SEED: ${{ inputs.random-seed }}
+      run: |
+        # Collect all secret numbers with non-empty values from SECRET_0..SECRET_9
+        PAT_NUMBERS=()
+        for i in $(seq 0 9); do
+          var="SECRET_${i}"
+          val="${!var}"
+          if [ -n "$val" ]; then
+            PAT_NUMBERS+=(${i})
+          fi
+        done
+
+        # If none of the secrets in the pool have values, then emit a warning and do not
+        # set an output value. The consumer can then fall back to using COPILOT_GITHUB_TOKEN.
+        if [ ${#PAT_NUMBERS[@]} -eq 0 ]; then
+          echo "::warning::None of the specified secrets had values (checked SECRET_0 through SECRET_9)"
+          exit 0
+        fi
+
+        # Select a random index using the seed if specified
+        if [ -n "$RANDOM_SEED" ]; then
+          RANDOM=$RANDOM_SEED
+        fi
+
+        PAT_INDEX=$(( RANDOM % ${#PAT_NUMBERS[@]} ))
+        PAT_NUMBER="${PAT_NUMBERS[$PAT_INDEX]}"
+        echo "Selected token ${PAT_NUMBER} (index: ${PAT_INDEX}; pool size: ${#PAT_NUMBERS[@]})"
+
+        # Set the PAT number as the output
+        echo "copilot_pat_number=${PAT_NUMBER}" >> "$GITHUB_OUTPUT"