Secrets Management

🔴 AI FIRST Quality Principle

Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.

Purpose

Secure management of GitHub secrets for MCP servers and CI/CD workflows.

GitHub Secrets Configuration

Repository Secrets

# Settings → Secrets and variables → Actions → Repository secrets

COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN
  - Description: GitHub PAT for MCP server with Insiders API
  - Scopes: repo, read:org, read:user
  - Expiration: 90 days (renewal required)

Environment Secrets

# Settings → Environments → copilot → Environment secrets

COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN
  - Description: GitHub PAT for Copilot environment
  - Injected via: COPILOT_AGENT_INJECTED_SECRET_NAMES

Secret Usage in Workflows

MCP Configuration

// .github/copilot-mcp.json
{
  "mcpServers": {
    "github": {
      "env": {
        "GITHUB_TOKEN": "${{ secrets.COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN }}",
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN }}"
      }
    }
  }
}

Workflow Usage

# .github/workflows/copilot-setup-steps.yml
env:
  GITHUB_TOKEN: ${{ secrets.COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN }}
  GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN }}

Security Best Practices

  • ✅ Never commit secrets to repository
  • ✅ Use GitHub secret scanning
  • ✅ Rotate secrets every 90 days
  • ✅ Minimal scope (least privilege)
  • ✅ Environment-specific secrets
  • ✅ Audit secret access logs

First seen: Mar 4, 2026