GitHub Agentic Workflows | GITHUB_TOKEN replaces PATs
GitHub Agentic Workflows can now use the built-in GITHUB_TOKEN for Copilot inference instead of requiring a personal access token. Announced on June 11, 2026, the change reduces the need to create, store, rotate, and protect long-lived personal credentials when running agentic automation in supported organization-owned repositories.
Agentic workflows gain simpler Copilot authentication
Agentic workflows previously required a personal access token to authenticate Copilot CLI requests. That token had to be created under a user account and stored as a GitHub Actions repository secret, introducing an additional credential that teams needed to maintain.
The new authentication option uses a token created automatically for each GitHub Actions run. These tokens are short-lived and revoked after use, reducing the operational and security risks associated with keeping a personal credential available to recurring automation.
How to enable GITHUB_TOKEN for Copilot requests
For an agentic workflow in an organization-owned repository, administrators must enable the Allow use of Copilot CLI billed to the organization policy. GitHub enables this automatically when the existing Copilot CLI policy is already active.
The workflow must then include copilot-requests: write in the permissions section of its Markdown frontmatter. After changing the configuration, the workflow needs to be compiled again and its updated lockfile pushed to the repository.
Organization billing replaces personal usage attribution
When the built-in Actions token is used in an organization-owned repository, the AI credits consumed by the workflow are billed directly to the organization. The usage is no longer attributed to the personal Copilot quota of the developer who created a PAT.
User-level inference budgets are therefore not applied to this billing method. Organizations can instead use cost centers and the cost-management controls included with GitHub Agentic Workflows to attribute spending, monitor usage, and limit token consumption for individual workflow runs.
Some operations may still require extra authentication
The new permission replaces the PAT used for Copilot inference, but it does not automatically provide unlimited access to other GitHub resources. Operations involving multiple repositories, GitHub Projects, remote GitHub tools, or certain custom MCP tools may still require a PAT or GitHub App.
Additional credentials may also be needed when safe outputs write across repositories, assign Copilot agents, update projects, or trigger CI on pull requests. Personal repositories and organizations without centralized Copilot billing can continue using a fine-grained PAT through COPILOT_GITHUB_TOKEN.
IMPORTANT: Update to the latest Agentic Workflows CLI withgh extension upgrade awbefore enabling this authentication method. Confirm the organization policy, addcopilot-requests: write, and compile the workflow again before removing an existing PAT secret.{alertWarning}
Daisuki's Take: What This Means for Web Designers
For web designers and frontend teams experimenting with agentic automation, the main benefit is reduced credential maintenance. Scheduled accessibility checks, issue triage, documentation updates, and repository maintenance can use Copilot without depending on a personal token owned by one team member.
We think the move toward temporary, workflow-specific credentials makes agentic automation easier to manage as a shared project capability. It also reduces the chance that an automation stops because a personal token expired, was revoked, or belonged to someone who left the project.
The practical takeaway is to review permissions before removing existing secrets. The built-in token is a better option for Copilot inference when organization billing is available, but workflows that operate across repositories or perform broader GitHub actions may still need carefully scoped additional authentication.
Sources and Recommended Links
- Agentic workflows no longer need a personal access token | GitHub Changelog
- Agentic Workflows authentication | GitHub Official Documentation