Commit a14134b

timrogers, Copilot and Copilot authored
More flexible secrets and variables for Copilot cloud agent [2026-05-06] (#60993)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
1 parent b7e563b commit a14134b

8 files changed

Lines changed: 98 additions & 44 deletions

Lines changed: 83 additions & 0 deletions
@@ -0,0 +1,83 @@
1+
---
2+
title: Configure secrets and variables for Copilot cloud agent
3+
shortTitle: Configure secrets and variables
4+
intro: 'Securely pass secrets and variables to {% data variables.copilot.copilot_cloud_agent %} so it can access private resources and configure MCP servers.'
5+
versions:
6+
feature: copilot
7+
contentType: how-tos
8+
category:
9+
- Configure Copilot
10+
---
11+
12+
## About secrets and variables for {% data variables.copilot.copilot_cloud_agent %}
13+
14+
When you delegate a task to {% data variables.copilot.copilot_cloud_agent %}, it works in its own ephemeral development environment, powered by {% data variables.product.prodname_actions %}. You may want to pass secrets and variables to the agent to:
15+
16+
* Give {% data variables.product.prodname_copilot_short %} access to private resources, such as internal package registries, when it builds, tests, or validates your code in the agent's environment.
17+
* Configure MCP servers, by passing API keys, tokens, or other configuration to the servers. For more information, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/extend-cloud-agent-with-mcp).
18+
* Set environment variables that are available to scripts and tools that {% data variables.product.prodname_copilot_short %} runs in its environment, including in `copilot-setup-steps.yml`. For more information, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-environment).
19+
20+
{% data variables.copilot.copilot_cloud_agent %} has its own dedicated **Agents** secrets and variables, alongside the existing **Actions**, **Codespaces**, and **Dependabot** types. You can configure Agents secrets and variables at:
21+
22+
* The **organization level**, so a single secret or variable can be shared across any or all repositories in your organization.
23+
* The **repository level**, for configuration that only applies to a single repository.
24+
25+
Variables and secrets that you configure are exposed to {% data variables.product.prodname_copilot_short %} as environment variables, except secrets and variables prefixed with `COPILOT_MCP_`, which are only available to MCP servers.
26+
27+
> [!NOTE]
28+
> If you previously configured secrets or variables in the `copilot` environment in a repository's {% data variables.product.prodname_actions %} settings, those secrets and variables have been automatically migrated to the new repository-level **Agents** type. You don't need to take any action, and you can manage them from the new location going forward.
29+
30+
## Configuring repository-level secrets and variables
31+
32+
You must be a repository administrator to configure Agents secrets and variables for a repository.
33+
34+
{% data reusables.repositories.navigate-to-repo %}
35+
{% data reusables.repositories.sidebar-settings %}
36+
1. In the "Security" section of the sidebar, click **Secrets and variables**, then click **Agents**.
37+
1. To add a secret, click the **Secrets** tab, then click **New repository secret**. To add a variable, click the **Variables** tab, then click **New repository variable**.
38+
1. Fill in the "Name" and "Value" (or "Secret") fields, and then click **Add secret** or **Add variable**.
39+
40+
## Configuring organization-level secrets and variables
41+
42+
You must be an organization owner to configure Agents secrets and variables for an organization.
43+
44+
{% data reusables.organizations.navigate-to-org %}
45+
{% data reusables.organizations.org_settings %}
46+
1. In the "Security" section of the sidebar, click **Secrets and variables**, then click **Agents**.
47+
1. To add a secret, click the **Secrets** tab, then click **New organization secret**. To add a variable, click the **Variables** tab, then click **New organization variable**.
48+
1. Fill in the "Name" and "Value" (or "Secret") fields.
49+
1. Under "Repository access", choose which repositories in your organization can access the secret or variable:
50+
51+
* **All repositories**: any repository in the organization can access the secret or variable.
52+
* **Private repositories**: any private or internal repository in the organization can access the secret or variable.
53+
* **Selected repositories**: only the repositories you specify can access the secret or variable.
54+
55+
1. Click **Add secret** or **Add variable**.
56+
57+
## Using secrets and variables
58+
59+
Once configured, Agents secrets and variables are automatically available to {% data variables.copilot.copilot_cloud_agent %} when it works on a task in the repository. They are exposed to the agent as environment variables in its development environment, so they can be used by scripts and tools that {% data variables.product.prodname_copilot_short %} runs, including by your `copilot-setup-steps.yml` workflow.
60+
61+
Secret values are masked in {% data variables.copilot.copilot_cloud_agent %} session logs.
62+
63+
> [!NOTE]
64+
> {% data variables.copilot.copilot_cloud_agent %} does not have access to {% data variables.product.prodname_actions %}, {% data variables.product.prodname_codespaces %}, or {% data variables.product.prodname_dependabot %} secrets and variables. Only Agents secrets and variables are passed to the agent.
65+
66+
## Naming requirements for secrets and variables
67+
68+
Names must:
69+
70+
* Only contain alphanumeric characters (`[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed.
71+
* Not start with the `GITHUB_` prefix.
72+
* Not start with a number.
73+
74+
Names are case-insensitive. Lowercase letters are converted to uppercase. Names must be unique at the level at which they are created.
75+
76+
If a variable or secret with the same name exists at multiple levels, the value at the lowest level takes precedence. For example, a repository-level secret will override an organization-level secret with the same name.
77+
78+
For secrets and variables that you want to pass to MCP servers, the name must begin with the prefix `COPILOT_MCP_`. Only Agents secrets and variables with this prefix are available to your MCP configuration. For more information, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/extend-cloud-agent-with-mcp).
79+
80+
## Further reading
81+
82+
* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-environment)
83+
* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/extend-cloud-agent-with-mcp)
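
Review bot: The "Using secrets and variables" paragraph at new line 59 says Agents secrets and variables are exposed to the agent as environment variables with no exception, while line 25 says names prefixed with `COPILOT_MCP_` are only available to MCP servers. Repeat the exception at line 59 so a reader does not assume a `COPILOT_MCP_` secret is readable from `copilot-setup-steps.yml` or from scripts the agent runs. Two smaller points: the internal links in this file use `/copilot/how-tos/use-copilot-agents/cloud-agent/...` while the other files in this commit link to `/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/...`, so pick one form; and the naming rule at line 70 lists only `[A-Z]` although line 74 says lowercase letters are accepted and converted.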

content/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/customize-the-agent-environment.md

Lines changed: 3 additions & 15 deletions
@@ -31,7 +31,7 @@ You can customize {% data variables.product.prodname_copilot_short %}'s developm
3131

3232
In addition, you can:
3333

34-
* [Set environment variables in {% data variables.product.prodname_copilot_short %}'s environment](#setting-environment-variables-in-copilots-environment)
34+
* [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables)
3535
* [Disable or customize the agent's firewall](/copilot/customizing-copilot/customizing-or-disabling-the-firewall-for-copilot-cloud-agent).
3636

3737
> [!NOTE]
@@ -168,7 +168,7 @@ We recommend that you only use {% data variables.copilot.copilot_cloud_agent %}
168168
| `ssl_cert_file` | The path to the SSL certificate presented by your proxy server. You will need to configure this if your proxy intercepts SSL connections. | `/path/to/key.pem` |
169169
| `node_extra_ca_certs` | The path to the SSL certificate presented by your proxy server. You will need to configure this if your proxy intercepts SSL connections. | `/path/to/key.pem` |
170170

171-
You can set these environment variables by following the [instructions below](#setting-environment-variables-in-copilots-environment), or by setting them on the runner directly, for example with a custom runner image. For more information on building a custom image, see [AUTOTITLE](/actions/concepts/runners/actions-runner-controller#creating-your-own-runner-image).
171+
You can set these environment variables by creating Agents variables or secrets, or by setting them on the runner directly, for example with a custom runner image. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables) and [AUTOTITLE](/actions/concepts/runners/actions-runner-controller#creating-your-own-runner-image).
172172

173173
## Switching {% data variables.product.prodname_copilot_short %} to a Windows development environment
174174
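
Review bot: The replacement sentence at line 171 ends with "For more information, see [AUTOTITLE](...) and [AUTOTITLE](...)", which drops the old "on building a custom image" qualifier, so the reader can no longer tell which link covers which option. Suggest two sentences: one pointing to the Agents secrets and variables article, and one that keeps "For more information on building a custom image, see ...".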

@@ -200,19 +200,7 @@ jobs:
200200
lfs: true
201201
```
202202

203-
## Setting environment variables in {% data variables.product.prodname_copilot_short %}'s environment
204-
205-
You may want to set environment variables in {% data variables.product.prodname_copilot_short %}'s environment to configure or authenticate tools or dependencies that it has access to.
206-
207-
You may want to set an environment variable for {% data variables.product.prodname_copilot_short %}, create a {% data variables.product.prodname_actions %} variable or secret in the `copilot` environment. If the value contains sensitive information, for example a password or API key, it's best to use a {% data variables.product.prodname_actions %} secret.
208-
209-
{% data reusables.repositories.navigate-to-repo %}
210-
{% data reusables.repositories.sidebar-settings %}
211-
{% data reusables.actions.sidebar-environment %}
212-
1. Click the `copilot` environment.
213-
1. To add a secret, under "Environment secrets," click **Add environment secret**. To add a variable, under "Environment variables," click **Add environment variable**.
214-
1. Fill in the "Name" and "Value" fields, and then click **Add secret** or **Add variable** as appropriate.
215-
216203
## Further reading
217204

205+
* [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables)
218206
* [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-firewall)
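
Review bot: The removed section (old lines 203 to 214) carried the advice that a value containing sensitive information, "for example a password or API key", should be stored as a secret, and the configure-secrets-and-variables article added in this commit has no equivalent sentence. Carry that guidance over to the new article, next to its statement that secret values are masked in session logs, so it is clear when a variable is the wrong choice. Removing the heading also removes the `#setting-environment-variables-in-copilots-environment` anchor, so check for any remaining inbound links to it.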

content/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/extend-cloud-agent-with-mcp.md

Lines changed: 3 additions & 20 deletions
@@ -49,7 +49,7 @@ Repository administrators can configure MCP servers by following these steps:
4949

5050
Your configuration will be validated to ensure proper syntax.
5151

52-
1. If your MCP server requires a variable, key, or secret, add a variable or secret to your {% data variables.product.prodname_copilot_short %} environment. Only variables and secrets with names prefixed with `COPILOT_MCP_` will be available to your MCP configuration. See [Setting up a {% data variables.product.prodname_copilot_short %} environment for {% data variables.copilot.copilot_cloud_agent %}](#setting-up-a-copilot-environment-for-copilot-cloud-agent).
52+
1. If your MCP server requires a variable, key, or secret, add an Agents secret or variable for {% data variables.copilot.copilot_cloud_agent %} with a name prefixed with `COPILOT_MCP_`. Only Agents secrets and variables with names prefixed with `COPILOT_MCP_` will be available to your MCP configuration. See [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables).
5353

5454
## Writing a JSON configuration for MCP servers
5555

@@ -249,7 +249,7 @@ To use the Azure DevOps MCP server with {% data variables.copilot.copilot_cloud_
249249
```
250250
251251
This configuration ensures the `azure/login` action is executed when {% data variables.copilot.copilot_cloud_agent %} runs.
252-
1. In your repository’s {% data variables.product.prodname_copilot_short %} environment, add secrets for your `AZURE_CLIENT_ID` and `AZURE_TENANT_ID`.
252+
1. Configure secrets for your `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` as Agents secrets at either the organization or repository level. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables).
253253
1. Configure the Azure DevOps MCP server by adding an `ado` object to your MCP configuration with defined tools you want {% data variables.copilot.copilot_cloud_agent %} to use.
254254

255255
```json copy
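
Review bot: At new line 252, `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` carry no `COPILOT_MCP_` prefix, which reads as a mistake next to line 52 of this file ("Only Agents secrets and variables with names prefixed with `COPILOT_MCP_` will be available to your MCP configuration"). If the names are intentional because the `azure/login` step consumes them rather than the MCP server, say so in this step. The wording "Configure secrets for ... as Agents secrets" can also be tightened to "Add Agents secrets named ...".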
@@ -313,20 +313,6 @@ To adapt the configuration for {% data variables.copilot.copilot_cloud_agent %},
313313

314314
For more information on MCP in {% data variables.product.prodname_vscode_shortname %}, see the [{% data variables.product.prodname_vscode_shortname %} docs](https://code.visualstudio.com/docs/copilot/chat/mcp-servers).
315315

316-
## Setting up a {% data variables.product.prodname_copilot_short %} environment for {% data variables.copilot.copilot_cloud_agent %}
317-
318-
Some MCP servers will require keys or secrets. To leverage those servers in {% data variables.copilot.copilot_cloud_agent %}, you can add secrets to an environment for {% data variables.product.prodname_copilot_short %}. This ensures the secrets are properly recognized and passed to the applicable MCP server that you have configured.
319-
320-
You must be a repository administrator to configure a {% data variables.product.prodname_copilot_short %} environment for your repository.
321-
322-
{% data reusables.repositories.navigate-to-repo %}
323-
{% data reusables.repositories.sidebar-settings %}
324-
{% data reusables.actions.sidebar-environment %}
325-
{% data reusables.actions.new-environment %}
326-
1. Call the new environment `copilot` and click **Configure environment**.
327-
1. Under "Environment secrets", click **Add environment secret**.
328-
1. Give the secret a name beginning `COPILOT_MCP_`, add the secret value, then click **Add secret**.
329-
330316
## Validating your MCP configuration
331317

332318
Once you've set up your MCP configuration, you should test it to make sure it is set up correctly.
@@ -376,10 +362,7 @@ If you want to allow {% data variables.product.prodname_copilot_short %} to acce
376362
For more information on toolsets, refer to the [README](https://github.com/github/github-mcp-server?tab=readme-ov-file#available-toolsets) in the {% data variables.product.github %} Remote MCP Server documentation.
377363

378364
1. Click **Save**.
379-
{% data reusables.actions.sidebar-environment %}
380-
1. Click the `copilot` environment.
381-
1. Under "Environment secrets", click **Add environment secret**.
382-
1. Call the secret `COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN`, enter your {% data variables.product.pat_generic %} in the "Value" field, then click **Add secret**.
365+
1. Add an Agents secret called `COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN` with your {% data variables.product.pat_generic %} as the value. You can configure this at either the organization or repository level. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables).
383366

384367
For information on using the {% data variables.product.github %} MCP server in other environments, see [AUTOTITLE](/copilot/customizing-copilot/using-model-context-protocol/using-the-github-mcp-server).
385368
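
Review bot: New line 365 says the `COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN` secret can be configured "at either the organization or repository level" with no scoping advice, and the "All repositories" option described in the new configure-secrets-and-variables article lets any repository in the organization access the same token. Suggest recommending the repository level, or "Selected repositories" when the secret is created at the organization level, for this token.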

content/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/index.md

Lines changed: 1 addition & 0 deletions
@@ -10,6 +10,7 @@ children:
1010
- /extend-cloud-agent-with-mcp
1111
- /use-hooks
1212
- /customize-the-agent-environment
13+
- /configure-secrets-and-variables
1314
- /customize-the-agent-firewall
1415
- /test-custom-agents
1516
contentType: how-tos

content/copilot/reference/custom-agents-configuration.md

Lines changed: 2 additions & 2 deletions
@@ -114,9 +114,9 @@ For compatibility, the `stdio` type used by Claude Code and {% data variables.pr
114114
### MCP server environment variables and secrets
115115

116116
> [!NOTE]
117-
> If your MCP server requires secrets or environment variables, these must be configured in the {% data variables.product.prodname_copilot_short %} environment in each repository where the {% data variables.copilot.copilot_custom_agent_short %} will be used. For more information on setting up environment variables, see [AUTOTITLE](/copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-environment#setting-environment-variables-in-copilots-environment).
117+
> If your MCP server requires secrets or environment variables, these must be configured as Agents secrets or variables at either the organization or repository level. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables).
118118
119-
{% data variables.copilot.copilot_custom_agent_caps_short %} MCP configuration supports the same environment variable and secret replacement capabilities as existing repository-level MCP configurations. Similar to repository-level configurations, secrets and variables can be sourced from the "copilot" environment in the repository's settings. The syntax for referencing these values has been expanded to support common patterns used in {% data variables.product.prodname_actions %} and Claude Code.
119+
{% data variables.copilot.copilot_custom_agent_caps_short %} MCP configuration supports the same environment variable and secret replacement capabilities as existing repository-level MCP configurations. Similar to repository-level configurations, secrets and variables can be sourced from Agents secrets and variables for {% data variables.copilot.copilot_cloud_agent %}, configured at either the organization or repository level. The syntax for referencing these values has been expanded to support common patterns used in {% data variables.product.prodname_actions %} and Claude Code.
120120

121121
Both the repository-level MCP JSON configuration and the {% data variables.copilot.copilot_custom_agent_short %} YAML configuration support the following syntax patterns:
122122
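
Review bot: Neither the rewritten note at line 117 nor the paragraph at line 119 states that only names prefixed with `COPILOT_MCP_` are available to MCP configuration, which the configure-secrets-and-variables article added in this commit makes a requirement. Add the prefix requirement to the note at line 117, so a reader of this reference page does not have to follow the link to learn it.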

content/copilot/responsible-use/copilot-cloud-agent.md

Lines changed: 1 addition & 1 deletion
@@ -125,7 +125,7 @@ Copilot only has access to the repository where it is working, and cannot access
125125

126126
Its permissions are limited, allowing it to push code and read other resources. Built-in protections mean that Copilot can only push to a single branch: the existing pull request branch when triggered via `@copilot`, or otherwise to a new `copilot/` branch. This means that Copilot cannot push directly to your default branch (for example, `main`).
127127

128-
{% data variables.copilot.copilot_cloud_agent %} does not have access to Actions organization or repository secrets or variables during runtime. Only secrets and variables specifically added to the `copilot` environment are passed to the agent.
128+
{% data variables.copilot.copilot_cloud_agent %} does not have access to {% data variables.product.prodname_actions %} secrets or variables during runtime. Only Agents secrets and variables, configured at the organization or repository level, are passed to the agent. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables).
129129

130130
### Ensuring traceability
131131
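
Review bot: Line 128 now names only {% data variables.product.prodname_actions %} secrets and variables as inaccessible, while the note in the configure-secrets-and-variables article added in this commit also lists Codespaces and Dependabot secrets and variables. This page is where the security boundary is stated, so list all three types here to keep the two statements consistent.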

content/copilot/tutorials/cloud-agent/build-guardrails.md

Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ To adapt your rulesets for {% data variables.copilot.copilot_cloud_agent %}:
5151

5252
Continue to store data and tokens that you _don't_ want {% data variables.product.prodname_copilot_short %} to access as **{% data variables.product.prodname_actions %} variables or secrets**. {% data variables.product.prodname_copilot_short %} won't be able to access these in its sessions or environment setup steps.
5353

54-
If you need to provide data and secrets that {% data variables.copilot.copilot_cloud_agent %} _does_ need, you'll be able to do this in a specific `copilot` environment.
54+
If you need to provide data and secrets that {% data variables.copilot.copilot_cloud_agent %} _does_ need, you'll be able to do this by configuring Agents secrets and variables at the organization or repository level. For more information, see [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables).
5555

5656
### Configure runners
5757
