Configuring your Copilot agent to communicate with GitHub

Learn how to verify payloads and get resources from GitHub with your Copilot agent.

Note

GitHub Copilot Extensions is in public preview and subject to change.

Prerequisites

Before you configure your Copilot agent to communicate with GitHub, you should understand how your Copilot agent communicates with the Copilot platform. See Configuring your Copilot agent to communicate with the Copilot platform.

Verifying that payloads are coming from GitHub

Before your Copilot agent begins processing a request, you should verify that the request came from GitHub, and that it is intended for your agent. All agent requests contain the Github-Public-Key-Identifier and Github-Public-Key-Signature headers. To verify the signature for a particular request, check the signature in the Github-Public-Key-Signature header against the request body, using the current public key listed at https://api.github.com/meta/public_keys/copilot_api.

For more details and examples of signature verification in specific languages, see the github-technology-partners/signature-verification repository.
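
The following sketch shows the shape of such a check in Node.js. It is an added example, not code from GitHub or the signature-verification repository. It assumes the key list is an array of { key_identifier, key } entries with PEM-encoded keys, that the signature header is a base64 ECDSA signature over the SHA-256 digest of the raw body, and that headers arrive as a plain object with lower-cased names; verifyAgentRequest and demo are hypothetical names.

```javascript
const { createPublicKey, createSign, generateKeyPairSync, verify } = require("node:crypto");

// Assumption: publicKeys is the "public_keys" array from
// https://api.github.com/meta/public_keys/copilot_api, each entry shaped
// { key_identifier, key: <PEM public key> }, and the signature header is a
// base64 ECDSA signature over the SHA-256 digest of the raw request body.
function verifyAgentRequest(rawBody, headers, publicKeys) {
  const keyId = headers["github-public-key-identifier"];
  const signature = headers["github-public-key-signature"];
  if (!keyId || !signature) return { ok: false, reason: "missing signature headers" };

  // Select the key named by the identifier header; reject identifiers not in the list.
  const entry = publicKeys.find((k) => k.key_identifier === keyId);
  if (!entry) return { ok: false, reason: "unknown key identifier" };

  try {
    // Verify over the exact bytes received, before any JSON parsing or re-serialization.
    const body = Buffer.isBuffer(rawBody) ? rawBody : Buffer.from(rawBody, "utf8");
    const valid = verify("sha256", body, createPublicKey(entry.key), Buffer.from(signature, "base64"));
    return valid ? { ok: true } : { ok: false, reason: "signature mismatch" };
  } catch {
    return { ok: false, reason: "malformed key or signature" };
  }
}

// Constructed demo: a throwaway P-256 key pair stands in for GitHub's key.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const publicKeys = [{ key_identifier: "demo-key-1", key: publicKey.export({ type: "spki", format: "pem" }) }];
  const body = JSON.stringify({ messages: [{ role: "user", content: "hello" }] });
  const headers = {
    "github-public-key-identifier": "demo-key-1",
    "github-public-key-signature": createSign("sha256").update(body).sign(privateKey, "base64"),
  };
  return {
    genuine: verifyAgentRequest(body, headers, publicKeys),
    tampered: verifyAgentRequest(body + " ", headers, publicKeys),
    unknownKey: verifyAgentRequest(body, { ...headers, "github-public-key-identifier": "other" }, publicKeys),
    unsigned: verifyAgentRequest(body, {}, publicKeys),
  };
}

console.log(demo());
```

In a real agent, reject the request before any further processing whenever ok is false, and pass the body as the raw bytes your HTTP framework received rather than a parsed object.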

Fetching resources from the GitHub API

Requests to your Copilot agent will receive an X-Github-Token header. This header contains an API token that can be used to fetch resources from the GitHub API on behalf of the user interacting with your agent. The permissions of this token are the overlap of the user's own permissions and the permissions granted to your GitHub App installation.

For an example of how you might use X-Github-Token, see the following code sample:

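async function whoami(req) {
  // Token GitHub sends with each agent request, acting on behalf of the user
  const token = req.headers.get("x-github-token")
  if (!token) {
    throw new Error("Missing X-Github-Token header")
  }

  const response = await fetch(
    // The GitHub API endpoint for the authenticated user
    "https://api.github.com/user",
    {
      headers: {
        "Authorization": `Bearer ${token}`
      }
    }
  )

  // Surface API failures instead of returning an error body as the user
  if (!response.ok) {
    throw new Error(`GitHub API request failed with status ${response.status}`)
  }

  const user = await response.json()
  return user
}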

To learn more about working with GitHub's API and explore official software development kits (SDKs), see the octokit organization.