
Fix Copilot CLI --secret-env-vars to expose the real token env vars #1569

Closed
priyanshu92 wants to merge 1 commit into main from users/priyanshuag/dependabot-autofix-secret-env-fix

Conversation

@priyanshu92
Contributor

Problem

In PR #1568 the agent fell back to npm audit instead of the Dependabot REST API, and its PR body explicitly says:

"COPILOT_GITHUB_TOKEN was not available in this environment, so npm audit was used as the vulnerability source of truth"

Root cause

In .github/workflows/dependabot-autofix.yml:

  • The step env exposes the secret as COPILOT_GITHUB_TOKEN (line 97) and GH_TOKEN (line 100).
  • But --secret-env-vars was set to COPILOT_CLI_PAT, which is the secret name, not the env var name.

--secret-env-vars controls which env vars from the parent process get forwarded to Copilot CLI's tool sub-shells (and redacted from logs). Because neither real env var was listed, none reached the agent's shells, so the gh api repos/.../dependabot/alerts call from rule 1 of the prompt failed and the agent fell back to npm audit.

Fix

Pass the actual env var names:

- --secret-env-vars COPILOT_CLI_PAT \
+ --secret-env-vars COPILOT_GITHUB_TOKEN,GH_TOKEN \
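Review bot: confirm against the CLI docs that --secret-env-vars actually gates which variables reach the tool sub-shells before treating this hunk as the fix; the closing comment on this PR states the flag only controls log redaction (with COPILOT_GITHUB_TOKEN redacted by default), in which case the tokens' absence in PR #1568 has another cause and this one-line change will not by itself make the `gh api .../dependabot/alerts` call succeed. The new value is still the right shape (comma-separated env var names, not the secret name) and is worth keeping so the token values are redacted from logs, but the description should not claim it restores forwarding until that is verified.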

Test plan

After merge, trigger via workflow_dispatch and confirm:

  • The agent reads alerts via gh api .../dependabot/alerts and writes alerts.json (rule 1 of the prompt).
  • The PR body no longer contains the npm audit fallback disclaimer.

The workflow exports the secret to the step env as COPILOT_GITHUB_TOKEN
(line 97) and GH_TOKEN (line 100), but `--secret-env-vars` was set to
`COPILOT_CLI_PAT` — which is the *secret* name, not the env var name.
As a result, neither token was forwarded to the Copilot CLI sub-shells.

Observed effect on PR #1568:
- The agent could not call `gh api .../dependabot/alerts` (rule 1 of
  the prompt), so it fell back to `npm audit` as the source of truth.
- The PR body explicitly says: "COPILOT_GITHUB_TOKEN was not available
  in this environment, so npm audit was used as the vulnerability
  source of truth".

Fix: pass the actual env var names (`COPILOT_GITHUB_TOKEN,GH_TOKEN`) to
`--secret-env-vars` so they are exposed to tool invocations and
redacted from logs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
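A fail-fast preflight for the step that invokes the CLI, added here as an example and not code from this PR or the workflow: it checks that every name passed to --secret-env-vars is a set, non-empty variable in the step env, so a secret-name/env-var-name mix-up (COPILOT_CLI_PAT versus COPILOT_GITHUB_TOKEN and GH_TOKEN) fails the job instead of letting the agent silently fall back to npm audit. The function name and the demo token values are assumptions, and the check is useful whether the flag forwards variables or only redacts them.

```shell
# Preflight check (added example, not part of the workflow in this PR).
# Every name handed to --secret-env-vars must be a set, non-empty variable in
# the current step environment. These are env var names (COPILOT_GITHUB_TOKEN),
# never the GitHub secret name (COPILOT_CLI_PAT), which only appears on the
# right-hand side of the step's env: mapping.
check_secret_env_vars() {
  list="$1"
  missing=""
  old_ifs="$IFS"
  IFS=','
  for name in $list; do
    IFS="$old_ifs"
    # Trim surrounding spaces so "A, B" is accepted like "A,B".
    name="$(printf '%s' "$name" | sed 's/^ *//;s/ *$//')"
    # Only accept valid identifiers before using the name with eval.
    case "$name" in
      ""|[0-9]*|*[!A-Za-z0-9_]*)
        echo "invalid env var name in --secret-env-vars: '$name'" >&2
        return 2 ;;
    esac
    # Indirect lookup of the variable's value (POSIX sh has no ${!name}).
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      missing="${missing:+$missing,}$name"
    fi
  done
  IFS="$old_ifs"
  if [ -n "$missing" ]; then
    echo "--secret-env-vars names unset in step env: $missing" >&2
    return 1
  fi
  return 0
}

# Demo with constructed values (no real tokens). In the workflow the step's
# env: block sets these, and the check runs just before the CLI invocation.
COPILOT_GITHUB_TOKEN="constructed-example-token"
GH_TOKEN="$COPILOT_GITHUB_TOKEN"
unset COPILOT_CLI_PAT
if check_secret_env_vars "COPILOT_GITHUB_TOKEN,GH_TOKEN"; then
  echo "ok: real env var names are set in this step"
fi
if ! check_secret_env_vars "COPILOT_CLI_PAT"; then
  echo "rejected: the secret name is not an env var in this step"
fi
```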
@priyanshu92 priyanshu92 requested review from a team as code owners April 27, 2026 08:03
@priyanshu92
Contributor Author

Closing — on closer reading of the docs, --secret-env-vars only controls log redaction (and COPILOT_GITHUB_TOKEN is redacted by default). This change is a no-op for the actual failure. Will open a corrected fix.

@priyanshu92 priyanshu92 deleted the users/priyanshuag/dependabot-autofix-secret-env-fix branch April 27, 2026 10:29