User access to GitHub Copilot

This Workflow automatically sets up developers with access to GitHub Copilot.

In this example, approval from a specific team is required. Depending on your organization's requirements, you may want to configure a User input block instead, effectively allowing users to self-serve access to GitHub Copilot without needing approval from a specific team.

Prerequisites

Before getting started:

Before calling the GitHub API endpoint in the Async HTTP request block, your organization must already be on Copilot Business or Enterprise and have seat management policies configured.
You must create a secret in Cortex.
- In this example, the secret in Cortex must be named GITHUB_COPILOT_TOKEN.

Step 1: Start creating the Workflow

Follow the steps in the documentation to create a Workflow and configure its basic settings.

Note that Cortex has a pre-built template for this Workflow that contains the Async HTTP request block. The example on this page includes an additional Manual approval block that allows you to designate an approving team. Also in this example, the payload of the Async HTTP block includes approver": "{{actions.manual-approval.outputs.actor}}, which references the output of the Manual approval block. This reference is not included in the pre-built Workflow template.

Step 2: Add blocks to the Workflow

The instructions on this page describe how to create this Workflow in the Cortex UI, but it is also possible to copy the Workflow YAML and add it to your workspace via the Cortex CLI. This allows you to quickly set up the example configuration then iterate on it for your own use case. Expand the tile below to learn more.

Workflow YAML instructions

To upload the Workflow example YAML into your workspace:

Save the Workflow example YAML file below:

name: Approve access to GitHub Copilot
tag: copilot-access
description: "Get approval from the Platform team, then provision a seat in Copilot\
  \ for the user who initiates the Workflow run."
isDraft: true
filter:
  type: GLOBAL
runResponseTemplate: "Successfully provisioned GitHub Copilot for {{context.initiatedBy.email}}"
failedRunResponseTemplate: "Failed to add a seat to GitHub Copilot for {{context.initiatedBy.email}}"
restrictActionCompletionToRunnerUser: false
actions:
- name: Manual approval
  slug: manual-approval
  schema:
    approvingTeamIds:
    - en319eca313083ac36
    approverDescription: null
    type: MANUAL_APPROVAL
  outgoingActions:
  - asynchronous-http-request
  isRootAction: true
- name: Asynchronous HTTP request
  slug: asynchronous-http-request
  schema:
    headers:
      Authorization: "Bearer {{ context.secrets.GITHUB_COPILOT_TOKEN }}"
    httpMethod: POST
    payload: |-
      {
      "inputs": {"email": "{{context.initiatedBy.email}}", "approver": "{{actions.manual-approval.outputs.actor}}", "callback": "{{callbackUrl}}", "github_user": "{{context.initiatedBy.identityMappings.github}}"  },
      "ref": "main"
      }
    url: https://api.github.com/orgs/cortexapps/copilot/billing/selected_users
    timeoutInSeconds: null
    type: HTTP_REQUEST_ASYNC
  outgoingActions: []
  isRootAction: false
runRestrictionPolicies: []
iconTag: null
variables: []

Use the Cortex CLI to run this command, using the path to your Workflow YAML file: cortex workflows create -f <path-to-your-workflow.yaml>

Expand the tiles below to learn about each block in this Workflow and how to configure them in the Cortex UI:

Manual approval

In this block, you select which team has to give approval for the user to access GitHub Copilot.

Click + in the center of the page. In the block library modal, choose Manual approval.
In the block configuration side panel, enter a name and unique slug for this block.
- In this example, we use the name Manual approval and the slug manual-approval.
Under Teams allowed to approve, select the teams authorized to approve access to GitHub Copilot.
Save the block.

Async HTTP request

This block looks at the initiating user's identity mapping in Cortex for GitHub, then calls the GitHub API to grant access to Copilot for that user.

Click + in the center of the page. In the block library modal, choose Async HTTP request.
In the block configuration side panel, enter a name and unique slug for this block.
- In this example, we use the name Grant access to Copilot and the slug copilot-access.
Configure the block:
- HTTP method: POST
- URL: Enter a URL for the request.
  - In this example, we call the GitHub endpoint that adds users to your org's Copilot subscription: https://api.github.com/orgs/<your-org>/copilot/billing/selected_users
- Headers: Authorization: Bearer {{ context.secrets.GITHUB_COPILOT_TOKEN }}
  - The token you configure must have permissions to manage Copilot seats.
  - In this example, the secret in Cortex must be named GITHUB_COPILOT_TOKEN.
- Payload:

{
"inputs": {"email": "{{context.initiatedBy.email}}", "approver": "{{actions.manual-approval.outputs.actor}}", "callback": "{{callbackUrl}}", "github_user": "{{context.initiatedBy.identityMappings.github}}"  },
"ref": "main"
}

Save the block.

Step 3: Run the Workflow

When you run the Workflow, the following events happen:

The Workflow pauses to collect a response from a member of one of the teams specified during the Manual approval block.
After a user gives their approval, the Async HTTP request block runs. It uses the initiator of the Workflow as the GitHub user, then makes a call to the GitHub API to provision access to Copilot for that user.

Last updated 6 hours ago

Was this helpful?