
github-agents

Configure GitHub Copilot Coding Agent repositories with the correct UHG runner, Artifactory, and workflow bootstrap patterns.

Status: active
IDE: claude, codex, vscode
Version: 1.0.0
Owner: pcorazao
Tags: github, copilot, github-actions, artifactory, uhg, codex

Overview

This skill explains how to set up .github/workflows/copilot-setup-steps.yml to prepare the GitHub environment for running agents. The workflow installs the tools and environment settings the agent needs to run successfully in that environment.

Official sources:

Templates

Starter copilot-setup-steps.yml workflows are provided in ./templates/. Copy the appropriate file to .github/workflows/copilot-setup-steps.yml in the target repository.

| Template | When to use |
| --- | --- |
| node-npm-copilot-setup-steps.yml | Node.js projects that use npm as the package manager. Uses the cca-setup-actions/setup-cca-npm composite action to configure Node.js and JFrog Artifactory in one step. |
| node-pnpm-copilot-setup-steps.yml | Node.js monorepo / workspace projects that use pnpm. Manually authenticates to Artifactory, installs pnpm globally, and runs pnpm install with workspace support. |
| python-pip-copilot-setup-steps.yml | Python projects that use pip for dependency management. Uses the cca-setup-actions/setup-cca-python composite action to configure the Python version and Artifactory index. |
| java-maven-copilot-setup-steps.yml | Java projects built with Maven. Uses the cca-setup-actions/cca-setup-java-maven composite action to configure the JDK, Maven version, and Artifactory repository. |
| java-gradle-copilot-setup-steps.yml | Java projects built with Gradle. Uses the cca-setup-actions/cca-setup-java-gradle composite action to configure the JDK, Gradle version, Artifactory, and publish versioning. |

HCP Notes

The HCP docs add a few constraints that are easy to miss if you only copy a template:

  • GitHub Copilot Coding Agent is an asynchronous SWE agent for low-to-medium complexity work. It creates a draft PR and branch, runs in GitHub Actions, and can be re-prompted by tagging @copilot on the PR.
  • Tasks can be started from GitHub Issues, the GitHub Agents panel, VS Code, or Visual Studio.
  • Usage consumes both Copilot Premium Requests and GitHub Actions minutes.
  • The coding agent only runs on GitHub-hosted repositories.
  • Copilot Code Review uses the same runner/config pattern, so the same setup file matters there too.

When You Need copilot-setup-steps.yml

Only add this workflow when the agent must reach external artifacts through JFrog Artifactory using OIDC. If the repo does not need Artifactory-hosted dependencies or artifact publishing, the default Copilot runner environment is already enough and adding setup steps only increases startup time.

You do need the workflow when the repo:

  • Downloads dependencies from Artifactory mirrors.
  • Publishes artifacts to Artifactory.
  • Resolves private packages that only exist in https://centraluhg.jfrog.io or https://artifacts.cloud.uhginfra.com.
  • Requires OIDC-based authentication to protected JFrog resources.

Required Workflow Contract

The setup page is explicit about the contract GitHub expects:

  • The workflow file must be named exactly .github/workflows/copilot-setup-steps.yml.
  • The workflow must already exist on the repository default branch before Copilot will use it.
  • The workflow must contain exactly one job named copilot-setup-steps.
  • The starter files in this skill all target the gh-copilot-runner runner group.
  • The minimal permissions expected by the shipped templates are contents: read and id-token: write.
  • Replace every @<tag> placeholder with a real release tag such as v1.0.0 before committing.

The same page also calls out these prerequisites:

  • Your own public GitHub repository.
  • Access to the GitHub Copilot runner groups.
  • If you use JFrog OIDC, the repository must be registered in an HCP Enterprise Registry (Artifactory SaaS) project.
  • Basic GitHub Actions knowledge is optional but helpful.
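
A standard-library check of the workflow contract listed above, added here as an example; it is not code from this skill or from the HCP docs. It assumes block-style YAML with runs-on written as a group: mapping, treats the template minimum permissions as the exact allowed set, and the names children and check_contract are hypothetical.

```python
import re

CONTRACT_PATH = ".github/workflows/copilot-setup-steps.yml"
REQUIRED_PERMS = {"contents": "read", "id-token": "write"}  # assumption: minimum is exact
# Constructed sample, not a shipped template: contents is too broad, @<tag> is unreplaced.
SAMPLE = """\
permissions:
  contents: write
  id-token: write
jobs:
  copilot-setup-steps:
    runs-on:
      group: gh-copilot-runner
    steps:
      - uses: cca-setup-actions/setup-cca-npm@<tag>
"""

def children(text, key):
    """Direct 'name: value' children of the first block-style `key:` mapping."""
    out, base, child = {}, None, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        depth = len(line) - len(line.lstrip())
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if base is None:                            # still looking for `key:`
            base = depth if line.strip() == f"{key}:" else None
        elif depth <= base:                         # dedent ends the mapping
            break
        else:
            child = depth if child is None else child
            m = re.match(r"([\w.-]+):\s*(.*)$", line.strip())
            if m and depth == child:                # ignore deeper nesting
                out[m.group(1)] = m.group(2)
    return out

def check_contract(path, text):
    """Return contract violations; an empty list means the file passes."""
    jobs, perms = list(children(text, "jobs")), children(text, "permissions")
    group = children(text, "runs-on").get("group")  # assumes block-form runs-on
    checks = [
        (path == CONTRACT_PATH, f"file must be {CONTRACT_PATH}"),
        (jobs == ["copilot-setup-steps"], f"need exactly one job copilot-setup-steps, found {jobs}"),
        (perms == REQUIRED_PERMS, f"permissions differ from the template minimum: {perms}"),
        (group == "gh-copilot-runner", "job must target the gh-copilot-runner group"),
        ("@<tag>" not in text, "unreplaced @<tag> placeholder"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Calling check_contract(CONTRACT_PATH, SAMPLE) reports the over-broad contents permission and the leftover placeholder. Run it in a pre-merge check on the default branch so a broken setup file is caught before Copilot picks it up.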

UHG Implementation Model

The setup doc describes the enterprise path around the agent:

  • vNet-injected runner groups keep execution on UHG-controlled Azure network paths.
  • A JFrog private endpoint connects runner subnets to centraluhg.jfrog.io.
  • PCAM egress firewall filters outbound traffic.
  • copilot-setup-steps.yml is the integration point that connects the cloud agent to that network and package-access model.

Template Defaults In This Skill

Use the template table above to choose the right file, then tune these starter-template defaults only if your repo actually needs something different:

  • node-npm-copilot-setup-steps.yml: Node 20, JFrog project key ghec, and the standard JFrog OIDC/provider settings.
  • node-pnpm-copilot-setup-steps.yml: Node 24.x, pnpm 10.33.0, JFrog project key ghec, apt-setup: false, npm-setup: true, HUSKY=0, pnpm install --frozen-lockfile, and the same https://centraluhg.jfrog.io value for both jfrog-url and jfrog-edge-url in this repo-provided template.
  • python-pip-copilot-setup-steps.yml: Python 3.13, JFrog project key ghec, and pip configured to use the Artifactory PyPI mirror.
  • java-maven-copilot-setup-steps.yml: Java 21, Maven 3.9.9, and JFrog project key ghec.
  • java-gradle-copilot-setup-steps.yml: Java 21, Gradle 8.14, JFrog project key ghec, and publish-version: 0.0.${{ github.run_number }}.

Across the documented setup actions, the recurring JFrog defaults are:

  • jfrog-url: https://centraluhg.jfrog.io
  • jfrog-edge-url: https://artifacts.cloud.uhginfra.com
  • jfrog-oidc-provider: oidc-provider
  • jfrog-oidc-audience: oidc_audience
  • jfrog-cli-version: 2.82.0
  • jfrog-cli-download-repository: glb-maven-releases-jfrog-rem
  • jfrog-project-key: ghec

The repo-provided pnpm template is the exception here: it intentionally sets jfrog-edge-url to the same https://centraluhg.jfrog.io value as jfrog-url.

Repo-Specific Note About pnpm

The HCP setup page documents the official composite actions for Gradle, Maven, npm, and pip. This skill also ships a node-pnpm-copilot-setup-steps.yml template for monorepos/workspaces. That file follows the same runner plus JFrog OIDC pattern, but it is a repo-provided convenience template rather than a separately documented HCP action.

Important local differences in the pnpm template:

  • it authenticates with uhg-pipelines/epl-jf/saas-setup directly instead of using a published cca-setup-actions composite
  • it pins actions/checkout, actions/setup-node, and uhg-pipelines/epl-jf/saas-setup to commit SHAs
  • it uses node-version: 24.x
  • it installs pnpm@10.33.0 globally
  • it intentionally sets both jfrog-url and jfrog-edge-url to https://centraluhg.jfrog.io
  • it disables Husky during install with HUSKY=0

Use the pnpm template when you need workspace-aware installation behavior. If you later replace it with a more custom flow, preserve the required Copilot contract first: runner selection, id-token: write, checkout, Artifactory auth, and the minimal dependency bootstrap needed by the agent.

Pro Tips

If the shipped templates do not fully fit your repository, review existing UHG pipeline actions and reusable workflows before building a custom copilot-setup-steps.yml. This is often the fastest way to find a proven pattern for a tricky dependency graph, monorepo layout, or performance-sensitive install flow.

When reviewing existing examples, focus on:

  • how the workflow authenticates to Artifactory
  • which runtime and package-manager setup steps are used
  • whether dependency install is optimized for monorepos, lockfiles, or partial workspaces
  • which steps are essential for the agent environment versus normal CI-only concerns

Useful places to inspect:

  • existing actions such as uhg-pipelines/epl-jf/saas-setup
  • the reusable workflow catalog: https://github.com/uhg-pipelines/ci-workflows/tree/main/.github/workflows
  • language-specific examples:
    • https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/node-pnpm-ci.yml
    • https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/node-ci.yml
    • https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/python-pip-ci.yml
    • https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/python-ci.yml
    • https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/python-poetry-ci.yml
    • https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/go-ci.yml
    • https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/dotnet-ci.yml
    • https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/scala-sbt-ci.yml
    • https://github.com/uhg-pipelines/ci-workflows/blob/main/.github/workflows/docker-ci.yml

Use those workflows for inspiration, not blind copying. A good custom copilot-setup-steps.yml should keep only the steps needed to bootstrap the Copilot runner environment for your repo.

Within this repo, search for terms like artifactory, workflow, and github actions if you need more Optum-specific context from related skills, prompts, agents, or instructions.
