github · Copilot · Jun 9, 2026
diff --git a/pkg/constants/engine_constants.go b/pkg/constants/engine_constants.go
@@ -260,8 +260,14 @@ const (
 	CopilotCLIIntegrationIDEnvVar = "GITHUB_COPILOT_INTEGRATION_ID"
 
 	// CopilotCLIIntegrationIDValue is the value of the integration ID for agentic workflows.
+	// Used when authenticating with the GitHub Actions token (permissions.copilot-requests: write).
 	CopilotCLIIntegrationIDValue = "agentic-workflows"
 
+	// CopilotCLIIntegrationIDUserPATValue is the copilot-sdk integration ID used when
+	// authenticating with a user PAT (COPILOT_GITHUB_TOKEN secret) instead of the
+	// GitHub Actions token. This matches the integration ID expected by the Copilot SDK.
+	CopilotCLIIntegrationIDUserPATValue = "copilot-cli"
+
 	// CopilotSDKURIEnvVar is the environment variable name for the Copilot SDK URI.
 	// When copilot-sdk: true is set, this env var holds the HTTP endpoint URI
 	// where the harness-managed Copilot CLI sidecar listens for SDK connections

diff --git a/pkg/workflow/copilot_engine_execution.go b/pkg/workflow/copilot_engine_execution.go
@@ -648,9 +648,16 @@ touch %s
 		copilotExecLog.Printf("Added %d custom env vars from agent config", len(agentConfig.Env))
 	}
 
-	// Always inject the Copilot integration ID for agentic workflows after all env merges
-	// so user-supplied env does not override this value.
-	env[constants.CopilotCLIIntegrationIDEnvVar] = constants.CopilotCLIIntegrationIDValue
+	// Always inject the Copilot integration ID after all env merges so user-supplied env
+	// does not override this value. When authenticating with a user PAT
+	// (COPILOT_GITHUB_TOKEN secret, i.e. not BYOK mode and not copilot-requests: write),
+	// use the copilot-sdk integration ID ("copilot-cli"). In all other cases (GitHub
+	// Actions token via copilot-requests: write) use the agentic-workflows ID.
+	integrationIDValue := constants.CopilotCLIIntegrationIDValue
+	if !isBYOKMode && !useCopilotRequests {
+		integrationIDValue = constants.CopilotCLIIntegrationIDUserPATValue
+	}
+	env[constants.CopilotCLIIntegrationIDEnvVar] = integrationIDValue
 
 	// Inject the dummy BYOK sentinel and AWF_REFLECT_ENABLED only when the AWF sandbox
 	// is active. The COPILOT_API_KEY (set to this value) triggers AWF's runtime BYOK

diff --git a/pkg/workflow/copilot_engine_test.go b/pkg/workflow/copilot_engine_test.go
@@ -164,8 +164,8 @@ func TestCopilotEngineExecutionSteps(t *testing.T) {
 		t.Errorf("Expected COPILOT_GITHUB_TOKEN environment variable in step content:\n%s", stepContent)
 	}
 
-	if !strings.Contains(stepContent, constants.CopilotCLIIntegrationIDEnvVar+": "+constants.CopilotCLIIntegrationIDValue) {
-		t.Errorf("Expected %s environment variable in step content:\n%s", constants.CopilotCLIIntegrationIDEnvVar, stepContent)
+	if !strings.Contains(stepContent, constants.CopilotCLIIntegrationIDEnvVar+": "+constants.CopilotCLIIntegrationIDUserPATValue) {
+		t.Errorf("Expected %s=%s (user PAT mode) in step content:\n%s", constants.CopilotCLIIntegrationIDEnvVar, constants.CopilotCLIIntegrationIDUserPATValue, stepContent)
 	}
 
 	// Test that GITHUB_HEAD_REF and GITHUB_REF_NAME are present for branch resolution
@@ -592,10 +592,11 @@ func TestCopilotEngineExecutionStepsAlwaysInjectsIntegrationIDAfterEnvMerges(t *
 		t.Fatalf("Expected 1 execution step, got %d", len(steps))
 	}
 
+	// No copilot-requests: write permission → user PAT mode → expects copilot-cli
 	stepContent := strings.Join([]string(steps[0]), "\n")
-	expected := constants.CopilotCLIIntegrationIDEnvVar + ": " + constants.CopilotCLIIntegrationIDValue
+	expected := constants.CopilotCLIIntegrationIDEnvVar + ": " + constants.CopilotCLIIntegrationIDUserPATValue
 	if !strings.Contains(stepContent, expected) {
-		t.Fatalf("Expected integration ID env to be forced to %q, got:\n%s", expected, stepContent)
+		t.Fatalf("Expected integration ID env to be forced to %q (user PAT mode), got:\n%s", expected, stepContent)
 	}
 	if strings.Contains(stepContent, constants.CopilotCLIIntegrationIDEnvVar+": override-from-agent") {
 		t.Fatalf("Expected agent override to be ignored for %s, got:\n%s", constants.CopilotCLIIntegrationIDEnvVar, stepContent)
@@ -605,6 +606,29 @@ func TestCopilotEngineExecutionStepsAlwaysInjectsIntegrationIDAfterEnvMerges(t *
 	}
 }
 
+func TestCopilotEngineExecutionStepsWithCopilotRequestsUsesAgenticWorkflowsIntegrationID(t *testing.T) {
+	engine := NewCopilotEngine()
+	workflowData := &WorkflowData{
+		Name:        "test-workflow",
+		Permissions: "permissions:\n  copilot-requests: write",
+	}
+
+	steps := engine.GetExecutionSteps(workflowData, "/tmp/gh-aw/test.log")
+	if len(steps) != 1 {
+		t.Fatalf("Expected 1 execution step, got %d", len(steps))
+	}
+
+	// copilot-requests: write → GitHub Actions token mode → expects agentic-workflows
+	stepContent := strings.Join([]string(steps[0]), "\n")
+	expected := constants.CopilotCLIIntegrationIDEnvVar + ": " + constants.CopilotCLIIntegrationIDValue
+	if !strings.Contains(stepContent, expected) {
+		t.Fatalf("Expected integration ID env to be %q when using copilot-requests:write, got:\n%s", expected, stepContent)
+	}
+	if strings.Contains(stepContent, constants.CopilotCLIIntegrationIDEnvVar+": "+constants.CopilotCLIIntegrationIDUserPATValue) {
+		t.Fatalf("Expected copilot-cli integration ID NOT to be used with copilot-requests:write, got:\n%s", stepContent)
+	}
+}
+
 func TestCopilotEngineGetLogParserScript(t *testing.T) {
 	engine := NewCopilotEngine()
 	script := engine.GetLogParserScriptId()

diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden
@@ -518,7 +518,7 @@ jobs:
           GH_AW_VERSION: dev
           GITHUB_API_URL: ${{ github.api_url }}
           GITHUB_AW: true
-          GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
+          GITHUB_COPILOT_INTEGRATION_ID: copilot-cli
           GITHUB_HEAD_REF: ${{ github.head_ref }}
           GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           GITHUB_REF_NAME: ${{ github.ref_name }}

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
@@ -518,7 +518,7 @@ jobs:
           GH_AW_VERSION: dev
           GITHUB_API_URL: ${{ github.api_url }}
           GITHUB_AW: true
-          GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
+          GITHUB_COPILOT_INTEGRATION_ID: copilot-cli
           GITHUB_HEAD_REF: ${{ github.head_ref }}
           GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           GITHUB_REF_NAME: ${{ github.ref_name }}

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden
@@ -538,7 +538,7 @@ jobs:
           GH_AW_VERSION: dev
           GITHUB_API_URL: ${{ github.api_url }}
           GITHUB_AW: true
-          GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
+          GITHUB_COPILOT_INTEGRATION_ID: copilot-cli
           GITHUB_HEAD_REF: ${{ github.head_ref }}
           GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           GITHUB_REF_NAME: ${{ github.ref_name }}

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden
@@ -774,7 +774,7 @@ jobs:
           GH_AW_VERSION: dev
           GITHUB_API_URL: ${{ github.api_url }}
           GITHUB_AW: true
-          GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
+          GITHUB_COPILOT_INTEGRATION_ID: copilot-cli
           GITHUB_HEAD_REF: ${{ github.head_ref }}
           GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           GITHUB_REF_NAME: ${{ github.ref_name }}

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
@@ -519,7 +519,7 @@ jobs:
           GH_AW_VERSION: dev
           GITHUB_API_URL: ${{ github.api_url }}
           GITHUB_AW: true
-          GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
+          GITHUB_COPILOT_INTEGRATION_ID: copilot-cli
           GITHUB_HEAD_REF: ${{ github.head_ref }}
           GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           GITHUB_REF_NAME: ${{ github.ref_name }}