github-agents
Configure GitHub Copilot Coding Agent repositories with the correct UHG runner, Artifactory, and workflow bootstrap patterns.
Overview
How to set up .github/workflows/copilot-setup-steps.yml to prepare the GitHub environment for running agents. This workflow installs the tools and environment settings the agent needs to run successfully in the GitHub environment.
Official sources:
- https://docs.hcp.uhg.com/github-enterprise-cloud/github-copilot-coding-agent
- https://docs.hcp.uhg.com/github-enterprise-cloud/github-copilot-coding-agent-setup
Templates
Starter copilot-setup-steps.yml workflows are provided in ./templates/. Copy the appropriate file to .github/workflows/copilot-setup-steps.yml in the target repository.
| Template | When to use |
|---|---|
| `node-npm-copilot-setup-steps.yml` | Node.js projects that use npm as the package manager. Uses the `cca-setup-actions/setup-cca-npm` composite action to configure Node.js and JFrog Artifactory in one step. |
| `node-pnpm-copilot-setup-steps.yml` | Node.js monorepo / workspace projects that use pnpm. Manually authenticates to Artifactory, installs pnpm globally, and runs `pnpm install` with workspace support. |
| `python-pip-copilot-setup-steps.yml` | Python projects that use pip for dependency management. Uses the `cca-setup-actions/setup-cca-python` composite action to configure the Python version and Artifactory index. |
| `java-maven-copilot-setup-steps.yml` | Java projects built with Maven. Uses the `cca-setup-actions/cca-setup-java-maven` composite action to configure the JDK, Maven version, and Artifactory repository. |
| `java-gradle-copilot-setup-steps.yml` | Java projects built with Gradle. Uses the `cca-setup-actions/cca-setup-java-gradle` composite action to configure the JDK, Gradle version, Artifactory, and publish versioning. |
HCP Notes
The HCP docs add a few constraints that are easy to miss if you only copy a template:
- GitHub Copilot Coding Agent is an asynchronous SWE agent for low-to-medium complexity work. It creates a draft PR and branch, runs in GitHub Actions, and can be re-prompted by tagging `@copilot` on the PR.
- Tasks can be started from GitHub Issues, the GitHub Agents panel, VS Code, or Visual Studio.
- Usage consumes both Copilot Premium Requests and GitHub Actions minutes.
- The coding agent only runs on GitHub-hosted repositories.
- Copilot Code Review uses the same runner/config pattern, so the same setup file matters there too.
When You Need copilot-setup-steps.yml
Only add this workflow when the agent must reach external artifacts through JFrog Artifactory using OIDC. If the repo does not need Artifactory-hosted dependencies or artifact publishing, the default Copilot runner environment is already enough and adding setup steps only increases startup time.
You do need the workflow when the repo:
- Downloads dependencies from Artifactory mirrors.
- Publishes artifacts to Artifactory.
- Resolves private packages that only exist in `https://centraluhg.jfrog.io` or `https://artifacts.cloud.uhginfra.com`.
- Requires OIDC-based authentication to protected JFrog resources.
Required Workflow Contract
The setup page is explicit about the contract GitHub expects:
- The workflow file must be named exactly `.github/workflows/copilot-setup-steps.yml`.
- The workflow must already exist on the repository default branch before Copilot will use it.
- The workflow must contain exactly one job named `copilot-setup-steps`.
- The starter files in this skill all target the `gh-copilot-runner` runner group.
- The minimal permissions expected by the shipped templates are `contents: read` and `id-token: write`.
- Replace every `@<tag>` placeholder with a real release tag such as `v1.0.0` before committing.
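A pre-commit check for the contract above, as an added example (not part of the HCP docs or this skill's templates). It assumes block-style YAML with two-space indentation, treats any permission beyond the two listed as a finding (this example's choice), and runs on constructed samples whose action name is hypothetical.

```python
import re

REQUIRED_PATH = ".github/workflows/copilot-setup-steps.yml"
REQUIRED_JOB = "copilot-setup-steps"
EXPECTED_PERMS = {"contents": "read", "id-token": "write"}

def check_contract(path, text):
    """Return the contract violations found in one workflow file."""
    problems = [] if path == REQUIRED_PATH else [f"path must be {REQUIRED_PATH}"]
    jobs, perms, top, perm_indent = [], {}, None, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()           # drop trailing comments
        if not line.strip() or line.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (s.strip() for s in line.strip().lstrip("- ").partition(":"))
        top = key if indent == 0 else top            # current top-level section
        if perm_indent is not None and indent > perm_indent:
            perms[key] = value                       # entry nested under permissions:
            continue
        perm_indent = indent if key == "permissions" else None
        if top == "jobs" and indent == 2:
            jobs.append(key)                         # job ids sit one level under jobs:
        if key == "uses" and "@<tag>" in value:
            problems.append(f"unreplaced placeholder: {value}")
    if jobs != [REQUIRED_JOB]:
        problems.append(f"expected exactly one job {REQUIRED_JOB}, found {jobs}")
    if not re.search(r"^\s*group:\s*gh-copilot-runner\s*$", text, re.M):
        problems.append("job does not target the gh-copilot-runner group")
    problems += [f"permission {n} should be {v}"
                 for n, v in EXPECTED_PERMS.items() if perms.get(n) != v]
    problems += [f"permission beyond the template minimum: {n}"
                 for n in sorted(set(perms) - set(EXPECTED_PERMS))]
    return problems

# Constructed samples, trimmed to the keys the check reads; the action is hypothetical.
GOOD = """\
jobs:
  copilot-setup-steps:
    runs-on:
      group: gh-copilot-runner
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: example-org/example-setup@v1.0.0
"""
BAD = (GOOD.replace("gh-copilot-runner", "default").replace("id-token: write", "pull-requests: write")
       .replace("@v1.0.0", "@<tag>") + "  lint:\n    runs-on: ubuntu-latest\n")
```

`check_contract(REQUIRED_PATH, BAD)` reports the leftover placeholder, the second job, the wrong runner group, the missing `id-token: write`, and the extra `pull-requests` permission.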
The same page also calls out these prerequisites:
- Your own public GitHub repository.
- Access to the GitHub Copilot runner groups.
- If you use JFrog OIDC, the repository must be registered in an HCP Enterprise Registry (Artifactory SaaS) project.
- Basic GitHub Actions knowledge is optional but helpful.
UHG Implementation Model
The setup doc describes the enterprise path around the agent:
- vNet-injected runner groups keep execution on UHG-controlled Azure network paths.
- A JFrog private endpoint connects runner subnets to `centraluhg.jfrog.io`.
- PCAM egress firewall filters outbound traffic.
- `copilot-setup-steps.yml` is the integration point that connects the cloud agent to that network and package-access model.
Template Defaults In This Skill
Use the template table above to choose the right file, then tune these starter-template defaults only if your repo actually needs something different:
- `node-npm-copilot-setup-steps.yml`: Node `20`, JFrog project key `ghec`, and the standard JFrog OIDC/provider settings.
- `node-pnpm-copilot-setup-steps.yml`: Node `24.x`, pnpm `10.33.0`, JFrog project key `ghec`, `apt-setup: false`, `npm-setup: true`, `HUSKY=0`, `pnpm install --frozen-lockfile`, and the same `https://centraluhg.jfrog.io` value for both `jfrog-url` and `jfrog-edge-url` in this repo-provided template.
- `python-pip-copilot-setup-steps.yml`: Python `3.13`, JFrog project key `ghec`, and pip configured to use the Artifactory PyPI mirror.
- `java-maven-copilot-setup-steps.yml`: Java `21`, Maven `3.9.9`, and JFrog project key `ghec`.
- `java-gradle-copilot-setup-steps.yml`: Java `21`, Gradle `8.14`, JFrog project key `ghec`, and `publish-version: 0.0.${{ github.run_number }}`.
Across the documented setup actions, the recurring JFrog defaults are:
- `jfrog-url: https://centraluhg.jfrog.io`
- `jfrog-edge-url: https://artifacts.cloud.uhginfra.com`
- `jfrog-oidc-provider: oidc-provider`
- `jfrog-oidc-audience: oidc_audience`
- `jfrog-cli-version: 2.82.0`
- `jfrog-cli-download-repository: glb-maven-releases-jfrog-rem`
- `jfrog-project-key: ghec`
The repo-provided pnpm template is the exception here: it intentionally sets jfrog-edge-url to the same https://centraluhg.jfrog.io value as jfrog-url.
Repo-Specific Note About pnpm
The HCP setup page documents the official composite actions for Gradle, Maven, npm, and pip. This skill also ships a node-pnpm-copilot-setup-steps.yml template for monorepos/workspaces. That file follows the same runner plus JFrog OIDC pattern, but it is a repo-provided convenience template rather than a separately documented HCP action.
Important local differences in the pnpm template:
- it authenticates with `uhg-pipelines/epl-jf/saas-setup` directly instead of using a published `cca-setup-actions` composite
- it pins `actions/checkout`, `actions/setup-node`, and `uhg-pipelines/epl-jf/saas-setup` to commit SHAs
- it uses `node-version: 24.x`
- it installs `pnpm@10.33.0` globally
- it intentionally sets both `jfrog-url` and `jfrog-edge-url` to `https://centraluhg.jfrog.io`
- it disables Husky during install with `HUSKY=0`
Use the pnpm template when you need workspace-aware installation behavior. If you later replace it with a more custom flow, preserve the required Copilot contract first: runner selection, id-token: write, checkout, Artifactory auth, and the minimal dependency bootstrap needed by the agent.
Pro Tips
If the shipped templates do not fully fit your repository, review existing UHG pipeline actions and reusable workflows before building a custom copilot-setup-steps.yml. This is often the fastest way to find a proven pattern for a tricky dependency graph, monorepo layout, or performance-sensitive install flow.
When reviewing existing examples, focus on:
- how the workflow authenticates to Artifactory
- which runtime and package-manager setup steps are used
- whether dependency install is optimized for monorepos, lockfiles, or partial workspaces
- which steps are essential for the agent environment versus normal CI-only concerns
Useful places to inspect:
- existing actions such as `uhg-pipelines/epl-jf/saas-setup`
- the reusable workflow catalog: https://github.com/uhg-pipelines/ci-workflows/tree/main/.github/workflows
- language-specific examples:
  - https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/node-pnpm-ci.yml
  - https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/node-ci.yml
  - https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/python-pip-ci.yml
  - https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/python-ci.yml
  - https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/python-poetry-ci.yml
  - https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/go-ci.yml
  - https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/dotnet-ci.yml
  - https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/scala-sbt-ci.yml
  - https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/docker-ci.yml
Use those workflows for inspiration, not blind copying. A good custom copilot-setup-steps.yml should keep only the steps needed to bootstrap the Copilot runner environment for your repo.
Within this repo, search for terms like artifactory, workflow, and github actions if you need more Optum-specific context from related skills, prompts, agents, or instructions.
Related Assets
github-dependabot
Create or review a repo-specific `.github/dependabot.yml` for GitHub Dependabot.
Owner: pcorazao
github-expert
GitHub platform features, Actions, workflows, CLI, repository management, and security
Owner: platform-devops
security-agent-cca-fix
Run or explain Security Agent remediation through GitHub Copilot Cloud Agent from a pip-installed setup. Use when Codex needs to use --executor cca or --executor auto, create remote Copilot/CCA remediation tasks, reason about CCA budget/status, or compare local Codex execution with remote GitHub Cloud Agent execution without cloning the controller repo.
Owner: edi-security-agent
Label Taxonomy Audit
Audit GitHub label usage across repositories to identify inconsistencies, redundancies, and missing labels, then recommend a standardized taxonomy.
Owner: community
Epic Progress Dashboard
Generate comprehensive epic progress dashboards showing completion status, velocity trends, blocker analysis, and burn-down forecasts for multi-sprint initiatives and large features.
Owner: thudak_uhg
Backlog Refinement Assistant
Facilitates backlog grooming sessions by analyzing issues for readiness, suggesting improvements to acceptance criteria, estimating complexity, and identifying dependencies before sprint planning.
Owner: thudak_uhg

