GitHub releases Copilot Enterprise, while Chat users fret about over-reaching permission requirements


GitHub has fully released Copilot Enterprise, whose main differentiator is integration with private repositories and organization knowledge bases. It also offers one-click pull request description and summarization, and chat support for general coding questions.

A knowledge base is a collection of Markdown documents stored in one or more repositories. Administrators select which repositories are searchable with Copilot Chat. According to the documentation, Copilot Chat will only use data from repositories to which the user has access.

Copilot Enterprise is $39.00 per user/month but also requires GitHub Enterprise Cloud, which costs $21.00 per user/month, so it is $60 for the whole package – excluding Advanced Security, which is an additional $49.00.

IDE support for Copilot extends to Visual Studio Code, Visual Studio, Vim, Neovim, JetBrains IDEs, and Azure Data Studio (built on VS Code). That said, Chat only works in VS Code and Visual Studio, though a beta version is available for JetBrains IDEs. Copilot is also built into the web application.

Permissions demanded by Copilot for use of Chat in Visual Studio Code

Users of Copilot Chat (all editions) are complaining, though, about over-reaching permission requirements. In recent versions, VS Code users see a dialog stating that Copilot needs “more permissions to work with this type of repository.” The permission demands include full “repo scope”, which includes read and write permissions for all repository data, as well as the ability to remove or edit GitHub Action Workflow files.

Commenting on a bug report that has now been closed, senior software engineer Tyler Leonhardt said: “we need the extra permissions (repo) in order to use a GitHub Search API because without it, it says the repo doesn’t exist. GitHub doesn’t split up repo permissions into read and write for this, unfortunately, so we ask for the scope required to do the job.”

Copilot did not need these permissions until recently, and it appears that the permission grab is related to the new Enterprise plan. “GitHub lit up a code search API (if you’re a GH Copilot Enterprise user, you can trigger indexing of your repos on that is faster than the strategies we use locally… but the only way to check if we can use this API is if we get a more permissive token,” said Leonhardt.

A developer commented that, “I do not want to give unnecessary read/write access to my public and private repos just to be able to use Copilot. This is bad design, and should be fixed;” and another, “I don’t want to give Copilot access to my private repos when I only use it for work. There is no way to only set it for my work repos, which is extremely upsetting.”
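
As an added example (not from the article or from GitHub's own code), this Python script reads the `X-OAuth-Scopes` header that GitHub's REST API returns for classic OAuth and personal access tokens, flags the `repo` and `workflow` scopes discussed above, and reports what a newer grant adds over an older one. The two header values and the `GITHUB_TOKEN` variable name are assumptions made for the example.

```python
import os
import urllib.request

# Classic OAuth scopes relevant here, with what each one grants.
BROAD = {
    "repo": "read and write on every public and private repository the user can reach",
    "workflow": "add or update GitHub Actions workflow files",
}
# Narrower scopes that "repo" already includes.
IMPLIED = {"repo": {"repo:status", "repo_deployment", "public_repo",
                    "repo:invite", "security_events"}}

def parse_scopes(header):
    """Split an X-OAuth-Scopes header value and expand implied scopes."""
    scopes = {s.strip() for s in header.split(",") if s.strip()}
    for parent, children in IMPLIED.items():
        if parent in scopes:
            scopes |= children
    return scopes

def broad_scopes(header):
    """Return the broad scopes present in a token's scope header, sorted."""
    return sorted(parse_scopes(header) & set(BROAD))

def escalation(before, after):
    """Scopes effectively gained between two grants to the same app."""
    return sorted(parse_scopes(after) - parse_scopes(before))

def fetch_scope_header(token, url="https://api.github.com/user"):
    """Ask GitHub which scopes a classic OAuth or personal token carries."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "User-Agent": "scope-audit"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")

# Constructed header values, not captured from a real Copilot session.
OLD_GRANT = "read:user, user:email"
NEW_GRANT = "read:user, repo, user:email, workflow"

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed variable name
    header = fetch_scope_header(token) if token else NEW_GRANT
    for scope in broad_scopes(header):
        print(f"{scope}: {BROAD[scope]}")
    print("gained vs. old grant:", escalation(OLD_GRANT, header))
```

Because `repo` is expanded to the scopes it includes, a move from `public_repo` to `repo` is reported as a gain, while re-listing `public_repo` next to `repo` is not.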