Merged
1 change: 1 addition & 0 deletions .github/aw/create-agentic-workflow.md
@@ -89,6 +89,7 @@ The main agent job must stay read-only.

- Do not grant `issues: write`, `pull-requests: write`, or `contents: write` to the agent job.
- Route GitHub writes through `safe-outputs:`.
- When targeting the Copilot coding agent, recommend `permissions: { copilot-requests: write }` so Copilot can authenticate with `${{ github.token }}`.
- If the user asks for direct writes, explain why the safe-output pattern is required.

### 4. Select tools
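Review bot: the new bullet recommending `permissions: { copilot-requests: write }` lands directly under the "Do not grant ... write" and "Route GitHub writes through `safe-outputs:`" bullets, in a section whose heading says the main agent job must stay read-only, and gives no hint why a `write` scope does not break that rule. Add a clause stating what this scope does and does not authorize relative to the read-only requirement (or at least that it is not a repository write scope like `contents: write`), otherwise a reader following the first bullet literally will treat the third as a contradiction. Consider also moving it after the safe-outputs bullet so the read-only rule and its enforcement mechanism stay adjacent.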
6 changes: 3 additions & 3 deletions .github/aw/syntax-core.md
@@ -99,10 +99,10 @@ The YAML frontmatter supports these fields:
- When `"full"`, checks both the frontmatter hash and body hash; use when prompt-body edits should also trigger recompilation detection

- **`permissions:`** - GitHub token permissions
- Object with permission levels: `read`, `none`
- Available permissions: `contents`, `issues`, `pull-requests`, `discussions`, `actions`, `checks`, `statuses`, `models`, `deployments`, `security-events`
- Object with permission levels: `read`, `none` (and limited `write` for specific scopes)
- Available permissions: `contents`, `issues`, `pull-requests`, `discussions`, `actions`, `checks`, `statuses`, `models`, `deployments`, `security-events`, `copilot-requests`
- Write permissions are not allowed for security reasons; use `safe-outputs` for write operations instead
- Exception: `id-token: write` is allowed to enable OIDC token minting for external authentication, but use with caution and follow security best practices
- Exceptions: `id-token: write` is allowed to enable OIDC token minting; `copilot-requests: write` is recommended when targeting the Copilot coding agent so it can authenticate with `${{ github.token }}`
- **`runs-on:`** - Runner type for the main agent job (string, array, or object)
- **`runs-on-slim:`** - Runner type for all framework/generated jobs (activation, safe-outputs, unlock, etc.). Defaults to `ubuntu-slim`. `safe-outputs.runs-on` takes precedence for safe-output jobs specifically.
- **`timeout-minutes:`** - Agent execution step timeout in minutes (integer or GitHub Actions expression, defaults to 20 minutes; custom and safe-output jobs use the GitHub Actions platform default of 360 minutes unless explicitly set). Expressions are useful in compiled workflows that define `workflow_call` inputs, for example `timeout-minutes: ${{ inputs.timeout }}`. This setting applies to the workflow being compiled, not to plain GitHub Actions caller jobs that use job-level `uses:` (GitHub does not allow `timeout-minutes` on those caller jobs).
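Review bot: the unchanged line "Write permissions are not allowed for security reasons; use `safe-outputs` for write operations instead" now sits between the new "(and limited `write` for specific scopes)" wording and a two-item "Exceptions:" list, so the section asserts an absolute and then immediately lists two exceptions to it. Reword that line to something like "Write permissions are not allowed except for the scopes listed below; use `safe-outputs` for write operations instead". Two further points on the replaced exceptions line: the old text's "but use with caution and follow security best practices" qualifier for `id-token: write` has been dropped in the rewrite, and since OIDC token minting is the one place the workflow can obtain credentials for external systems, that caution should survive; and the line now mixes "is allowed" (for `id-token`) with "is recommended" (for `copilot-requests`) in one sentence, so it should state explicitly that `copilot-requests: write` is allowed, and then separately when it is recommended, so the allow-list reads as a list of what the compiler accepts.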
1 change: 1 addition & 0 deletions .github/aw/update-agentic-workflow.md
@@ -45,6 +45,7 @@ Use [workflow-editing.md](workflow-editing.md) as the source of truth.
- preserve existing style and structure unless reorganization is required
- do not rewrite unrelated frontmatter sections
- keep the agent job read-only
- when targeting the Copilot coding agent, recommend `permissions: { copilot-requests: write }` for Copilot authentication
- use `safe-outputs:` for writes
- prefer `toolsets:` for GitHub tools

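Review bot: the new bullet is inserted between "keep the agent job read-only" and "use `safe-outputs:` for writes", which splits the read-only rule from the mechanism that enforces it and, as with the matching change in create-agentic-workflow.md, gives no indication that `copilot-requests: write` does not relax the read-only requirement. Move it below the `safe-outputs:` bullet and mirror the wording used in the other file ("so Copilot can authenticate with `${{ github.token }}`") rather than the terser "for Copilot authentication", so the two instruction files give the agent the same guidance.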