using models in github actions?

[pelikhan]

Select Topic Area

Question

Body

What permissions does one need to give to allow a github action token to access the models API?

[Akash1134]

Hi @pelikhan ,

Models are designed to support tokens that are tied to individual user contexts, meaning that they can perform actions based on the permissions and access rights of that individual user. In contrast, GitHub Actions generally use tokens that are scoped to the repository or organization level rather than individual users.

Technically, you could pass an individual's Personal Access Token (PAT) into a GitHub Action to execute workflows with the permissions of that user. However, this practice is not recommended. It is generally safer to use GitHub-provided tokens or other methods that maintain proper security boundaries and auditability.

Thanks!

[pelikhan]

Is there a plan to support "models" in the permissions declaration of the GitHub Action? As you mentioned, it is better to rely on the GitHub generated token in a GA rather than passing a PAT through the secrets.

[matthewisabel]

We're thinking about how this could work and agree it would be really frictionless but no updates yet

[Akash1134]

Thank you for your patience on this topic. Based on feedback from users like yourself, we've made progress on integrating GitHub Models with GitHub Actions in a secure and straightforward way.

Current Status (April 2025)

We now support the models permission scope in GitHub Actions workflows. This allows you to access the Models API using the GitHub-generated GITHUB_TOKEN without requiring personal access tokens.

How to Use Models in GitHub Actions

You can now include the models: read permission in your workflow file:

name: AI-powered CI

on: [ push ]

permissions:
  models: read             # grants inference access
  contents: read           # typical default for code checks

jobs:
  run-inference:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Generate summary via Models API
        run: |
          response=$(gh api \
            POST /models/infer \
            -f model_id="gpt-4-turbo" \
            -f input="Summarize the latest release notes.")
          echo "$response"

Available Permissions

• models: read - Allows inference calls to the Models API
• models: write - Reserved for future functionality (currently equivalent to read)

For detailed information, please visit: permissions documentation

• This feature is available to all repositories with GitHub Copilot access
• Enterprise customers may need additional configuration by their administrators

We appreciate your suggestion which helped prioritize this feature. We hope this implementation addresses your use case, and welcome any feedback on this new functionality.

[pelikhan]

(The example of inference looks broken, gpt-4-turbo is deprecated and the LLM does not have the release notes in context.)

[Akash1134]

Thanks for sharing 💟