Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Read [`pull_request_target`](/actions/reference/workflows-and-actions/events-tha

## The risks of the pull_request_target event

Workflows triggered by `pull_request_target` run with elevated trust: the job receives the base repository's `GITHUB_TOKEN`, access to repository and organization secrets, and write access to the default-branch cache. This is the same trust given to events like `push` that only collaborators can trigger, and it is what makes `pull_request_target` useful for automation that responds to pull requests from forks, such as labeling, triage, or for posting authenticated status checks.
Workflows triggered by `pull_request_target` run with elevated trust: the job receives the base repository's `GITHUB_TOKEN` and access to repository and organization secrets. This is the same trust given to events like `push` that only collaborators can trigger, and it is what makes `pull_request_target` useful for automation that responds to pull requests from forks, such as labeling, triage, or for posting authenticated status checks.

To understand why this is safe by default, and how that safety is commonly broken, review `pull_request_target` against [`pull_request`](/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request).

Expand Down Expand Up @@ -67,7 +67,7 @@ If you have confirmed you need `pull_request_target`, apply these controls to li

* **Restrict secrets.** Confirm that the permissions set on the `GITHUB_TOKEN` have the least privileges and that only the necessary repository and organization secrets are used for the workflow. For more information, see [AUTOTITLE](/actions/tutorials/authenticate-with-github_token#modifying-the-permissions-for-the-github_token).

* **Understand the impact to caching.** Outside of the `GITHUB_TOKEN` and configured secrets, workflows that run on `pull_request_target` also have write access to the cache shared with other workflows on the default branch. Malicious changes to this cache from `pull_request_target` events could impact the execution of other, unrelated, workflows.
* **Understand the impact to caching.** To reduce the risk of cache poisoning, workflows triggered by `pull_request_target` have read-only access to the cache in the default branch's scope. These workflows can restore existing cache entries but cannot create or overwrite them, so they cannot affect the execution of other, unrelated, workflows through the shared cache. If such a workflow attempts to save a cache, the save fails but the step and the job continue, and the failure is reported as a warning in the workflow log. If your workflow needs to populate the cache, save it from a workflow that runs on a trusted trigger such as `push`. For more information, see [AUTOTITLE](/actions/reference/workflows-and-actions/dependency-caching#cache-access-for-low-trust-workflow-triggers).

* **Ensure the underlying compute is isolated and ephemeral.** If self-hosted runners are used, you must confirm that the runner environment is properly restricted from internal resources and is not reused across {% data variables.product.prodname_actions %} runs. For more information, see [AUTOTITLE](/actions/reference/security/secure-use#hardening-for-self-hosted-runners).

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ The session mode controls how much autonomy the agent has. You can set the mode

You can select a model and reasoning effort from the dropdowns above the prompt field. Higher reasoning effort gives the agent more time to think through complex problems but may take longer. You can change both settings at any time during a session.

If you configured your own model provider in the app using bring your own key (BYOK), those models also appear in the picker. For setup steps, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/use-byok-models).
If you configured your own model provider in the app, those models also appear in the picker. For setup steps, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/use-byok-models).

Hover over the {% octicon "info" aria-label="the info icon" %} icon in the model picker to see model details.

Expand Down
9 changes: 6 additions & 3 deletions content/copilot/how-tos/github-copilot-app/getting-started.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,8 @@ For a conceptual overview of the {% data variables.copilot.github_copilot_app %}
## Prerequisites

* [Git](https://github.com/git-guides/install-git) installed on your computer.
* A paid {% data variables.product.prodname_copilot_short %} plan.
* A {% data variables.product.github %} account.
* A {% data variables.product.prodname_copilot_short %} plan. Alternatively, if using your own model provider, you will need required credentials such as an API key. For more information, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/use-byok-models).
* If you use {% data variables.copilot.copilot_business_short %} or {% data variables.copilot.copilot_enterprise_short %}, your plan administrator must enable the **{% data variables.copilot.copilot_cli_short %}** policy. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/manage-policies) or [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/manage-enterprise-policies).

## Installing the {% data variables.copilot.github_copilot_app %}
Expand All @@ -31,8 +32,10 @@ For a conceptual overview of the {% data variables.copilot.github_copilot_app %}

1. Open the {% data variables.copilot.github_copilot_app %}.
1. Click **Sign in to {% data variables.product.github %}** and follow the prompts to authenticate. If you use {% data variables.product.prodname_ghe_server %}, choose **Use GitHub Enterprise** and enter your server address when prompted.
1. The app walks you through onboarding. When prompted, select one or more repositories based on your recent {% data variables.product.github %} activity, or choose a sample project. You can also skip this step and add repositories later.
1. Choose a theme, then complete onboarding.
1. If you do not have a {% data variables.product.prodname_copilot_short %} plan, choose whether to sign up for a plan or continue with your own model provider.
* If you choose to use your own model provider, select a provider, enter any required credentials, then click **Save and continue**.
1. When prompted, select one or more repositories based on your recent {% data variables.product.github %} activity. You can also add a local repository, or skip this step and add repositories later.
1. Choose a theme, then complete onboarding to open the app.

## Connecting a repository

Expand Down
17 changes: 11 additions & 6 deletions content/copilot/how-tos/github-copilot-app/use-byok-models.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,14 @@ category:
---

> [!NOTE]
> Support to use your own provider (BYOK) in the {% data variables.copilot.github_copilot_app %} is in {% data variables.release-phases.public_preview %} and subject to change.
> Support to use your own model provider in the {% data variables.copilot.github_copilot_app %} is in {% data variables.release-phases.public_preview %} and subject to change.

You can configure the {% data variables.copilot.github_copilot_app %} to use your own LLM provider, also called BYOK (Bring Your Own Key), instead of {% data variables.product.github %}-hosted models.
You can configure the {% data variables.copilot.github_copilot_app %} to use your own LLM provider, also called BYOK (Bring Your Own Key), instead of {% data variables.product.github %}-hosted models. You can set up your model provider when you first open the app or later in app settings.

You must sign in with a {% data variables.product.github %} account to use the app, but you do not need a {% data variables.product.prodname_copilot_short %} plan if you use your own model provider. If you do have a {% data variables.product.prodname_copilot_short %} plan, you can use both your own model provider and {% data variables.product.github %}-hosted models in the same app.

> [!NOTE]
> This article is for users who want to configure their own LLM provider API key on their local machine. To set up custom models for users in an organization or enterprise, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/use-your-own-api-keys) and [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/use-your-own-api-keys).
> This article is for users who want to configure their own LLM provider settings on their local machine. To set up custom models for users in an organization or enterprise, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/use-your-own-api-keys) and [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-enterprise/use-your-own-api-keys).

## Supported providers

Expand All @@ -36,9 +38,12 @@ You can configure the {% data variables.copilot.github_copilot_app %} to use you
## Prerequisites

* The {% data variables.copilot.github_copilot_app %} is installed. For setup steps, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/getting-started).
* You have an API key for your model provider.
* You have any required credentials, such as API key, for your model provider.
## Set up a model provider

If you are setting up the app for the first time and do not have a {% data variables.product.prodname_copilot_short %} plan, you can choose to set up your own model provider during onboarding.

## Add a model provider
To add or update a model provider later:

1. Open the {% data variables.copilot.github_copilot_app %}.
1. Open app settings, then click **Model providers**.
Expand All @@ -49,4 +54,4 @@ You can configure the {% data variables.copilot.github_copilot_app %} to use you

After you add a provider, its models appear in the model picker alongside {% data variables.product.github %}-hosted models. You can select the model and use it in a session. For more information, see [AUTOTITLE](/copilot/how-tos/github-copilot-app/agent-sessions).

Keys are stored in the system credential store and are never displayed in the UI.
Provider credentials are stored in the system credential store and are never displayed in the UI.
2 changes: 1 addition & 1 deletion data/reusables/gated-features/github-app.md
Original file line number Diff line number Diff line change
@@ -1 +1 @@
{% data variables.copilot.github_copilot_app %} is available for all paid {% data variables.product.prodname_copilot_short %} plans.
{% data variables.copilot.github_copilot_app %} is available for all {% data variables.product.prodname_copilot_short %} plans.
Loading