Copilot Code Review for Azure DevOps
Automated pull request code reviews powered by the official GitHub Copilot CLI. Get automated feedback on your PRs while leaving your code hosted in Azure DevOps repos.
Overview
This Azure DevOps extension provides a pipeline task that automatically reviews pull request code changes using GitHub Copilot. When triggered, the task:
- Fetches pull request details and changed files from Azure DevOps
- Invokes GitHub Copilot CLI to analyze the changes
- Posts review comments directly to the pull request
This brings GitHub Copilot's code review capabilities to Azure DevOps, helping teams improve code quality through AI-assisted reviews.
Prerequisites
This extension supports Windows and Linux Azure DevOps agents. Compatible with MS-hosted and self-hosted agents. Before using, ensure you have:
- GitHub Copilot Subscription: An active GitHub Copilot subscription (Individual, Business, or Enterprise)
- GitHub Personal Access Token: A PAT with Copilot access permissions
- Azure DevOps Authentication (one of the following):
- System Access Token (Recommended): Use the pipeline's built-in OAuth token for Azure DevOps Services. Must grant permissions to Build Service Identity (see below).
- Personal Access Token: Required for Azure DevOps Server (on-prem) or if you prefer explicit token management. Needs permissions to read pull requests, write comments, and read code.
- PowerShell 7+: This extension requires PowerShell 7 or later (
pwsh) to be installed on the agent. PowerShell 7 is pre-installed on Microsoft-hosted agents.
Installation
- Install the extension from the Azure DevOps Marketplace
- Navigate to your Azure DevOps organization settings
- Go to Extensions and verify the extension is installed
Usage
Using System Access Token
The recommended approach for Azure DevOps Services uses the pipeline's built-in System Access Token and a personal access token for a GitHub account with Copilot access:
trigger: none
pool:
vmImage: 'ubuntu-latest' # or 'windows-latest'
steps:
- checkout: self
fetchDepth: 0
- task: CopilotCodeReview@1
displayName: 'Copilot Code Review'
inputs:
githubPat: '$(GITHUB_PAT)'
useSystemAccessToken: true
IMPORTANT: When using useSystemAccessToken, ensure the Build Service identity has "Contribute to pull requests" permission on your repository. See Granting Build Service Permissions below.
Using Personal Access Token
For Azure DevOps Server (on-prem) or if you prefer explicit token management:
trigger: none
pool:
vmImage: 'ubuntu-latest' # or 'windows-latest'
steps:
- checkout: self
fetchDepth: 0
- task: CopilotCodeReview@1
displayName: 'Copilot Code Review'
inputs:
githubPat: '$(GITHUB_PAT)'
azureDevOpsPat: '$(AZURE_DEVOPS_PAT)'
Set Trigger
Use branch policies on your protected branches to specify the pipeline as a build validation that must finish before the PR can be completed:
With Custom Prompt
You can customize the review prompt to focus on aspects tailored to your needs:
- task: CopilotCodeReview@1
displayName: 'Copilot Code Review'
inputs:
githubPat: '$(GITHUB_PAT)'
useSystemAccessToken: true
prompt: |
Review this code focusing only on:
- Security vulnerabilities
- Performance bottlenecks
- Code simplification
Avoid lengthy explanations, keep comments concise and direct.
For longer custom prompts, create a .txt file in your repository and pass the file path as a task input:
- task: CopilotCodeReview@1
displayName: 'Copilot Code Review'
inputs:
githubPat: '$(GITHUB_PAT)'
useSystemAccessToken: true
promptFile: '$(Build.SourcesDirectory)/.copilot/review-prompt.txt'
IMPORTANT: If using a custom prompt, avoid including any double quotation marks (") as this will cause errors when passing the input to the Copilot CLI. Single quotes (') can be used instead and should not cause any issues.
Manual Trigger for Specific PR
If you don't want to setup an automatic trigger, you can instead set up a pipeline with a Pull Request ID parameter to run reviews on demand:
parameters:
- name: pullRequestId
displayName: 'Pull Request ID'
type: string
default: ''
trigger: none
pool:
vmImage: 'ubuntu-latest'
steps:
- checkout: self
fetchDepth: 0
- task: CopilotCodeReview@1
displayName: 'Copilot Code Review'
inputs:
githubPat: '$(GITHUB_PAT)'
useSystemAccessToken: true
pullRequestId: '${{ parameters.pullRequestId }}'
| Input |
Required |
Default |
Description |
githubPat |
Yes |
- |
GitHub Personal Access Token with Copilot access |
useSystemAccessToken |
No |
false |
Use pipeline's System.AccessToken instead of a PAT (recommended for Azure DevOps Services) |
azureDevOpsPat |
Conditional |
- |
Azure DevOps PAT for API access. Required if useSystemAccessToken is false. |
organization |
No |
$(System.CollectionUri) (inferred) |
Azure DevOps organization name for cloud-hosted teams |
collectionUri |
No |
$(System.CollectionUri) |
Azure DevOps collection URI for on-prem instances |
project |
No |
$(System.TeamProject) |
Azure DevOps project name |
repository |
No |
$(Build.Repository.Name) |
Repository name |
pullRequestId |
No |
$(System.PullRequest.PullRequestId) |
PR ID (auto-detected in PR builds) |
timeout |
No |
15 |
Timeout in minutes |
model |
No |
- |
Preferred Copilot model to use (see valid options below) |
promptFile |
No |
- |
Path to custom prompt file |
prompt |
No |
- |
Inline custom prompt (overrides promptFile) |
promptFileRaw |
No |
- |
(Advanced) Path to custom prompt file that will be passed as-is with no supportive direction. |
promptRaw |
No |
- |
(Advanced) Inline custom prompt that will be passed as-is with no supportive direction. |
authors |
No |
- |
Comma-separated list of email addresses to filter reviews (see below) |
Copilot Models
As of February 2026, here are the model options supported by the GitHub Copilot CLI:
claude-sonnet-4.5 (default)claude-haiku-4.5claude-opus-4.5claude-sonnet-4gpt-5.2-codexgpt-5.2gpt-5.1-codex-maxgpt-5.1-codexgpt-5.1-codex-minigpt-5.1gpt-5gpt-5-minigpt-4.1gemini-3-pro-preview
Author Filtering
Use the authors input to limit code reviews to PRs created by specific users. This is useful when you want to:
- Only review code from certain team members (e.g. junior developers)
- Exclude automated bot PRs from review
- Limit Copilot usage to a subset of contributors
- Use separate prompts/models for certain team members
- task: CopilotCodeReview@1
displayName: 'Copilot Code Review'
inputs:
githubPat: '$(GITHUB_PAT)'
useSystemAccessToken: true
authors: 'alice@example.com, bob@example.com, charlie@example.com'
When configured:
- The task compares
$(Build.RequestedForEmail) against the provided email list
- If the PR author's email matches any in the list, the review proceeds normally
- If no match is found, the task completes successfully without running the code review
- Email comparison is case-insensitive
Setting Up Authentication
Option 1: System Access Token (Recommended)
The system access token is the Microsoft-recommended authentication method for Azure DevOps Services. It uses OAuth and requires no PAT management.
Granting Build Service Permissions
The Build Service identity needs permission to contribute to pull requests:
- Navigate to Repos
- From the repository dropdown, go to Manage repositories
- Go to the Security tab
- Find the [Project Name] Build Service ([Org Name]) identity
- Set Contribute to pull requests to Allow
TIP: If you don't see the Build Service identity, run a pipeline first to ensure it's been created.
Option 2: Personal Access Token
Create a personal access token:
- Navigate to User settings > Personal access tokens
- Click New token
- Click Show all scopes
- Create a new token with the following scopes:
- Code: Read
- Pull Request Threads: Read & Write
- Store the token as a secret variable in your Azure DevOps pipeline
NOTE: When using a PAT, PR comments will be attributed to the account that created the PAT. For large teams, consider using a dedicated service account.
GitHub Personal Access Token
- Go to GitHub Settings > Developer Settings > Personal Access Tokens
- Generate a new Fine-grained token with the following options:
- Repository access: Public
- Permission: Copilot Requests
- Store the token as a secret variable in your Azure DevOps pipeline
IMPORTANT: If your user account is part of a GitHub organization, ensure the organization admin goes to GitHub Policies > Copilot > Copilot CLI and sets the policy to Enabled everywhere
Storing Tokens in Azure DevOps
- Navigate to Pipelines > Library
- Create a new Variable Group or edit an existing one
- Add the following variables:
GITHUB_PAT (mark as secret)AZURE_DEVOPS_PAT (mark as secret)
- Link the variable group to your pipeline
Alternatively, you can create the pipeline first and then configure the pipeline-specific variables.
How It Works
- Install Copilot CLI: The task ensures the GitHub Copilot CLI is installed on the build agent (using
winget on Windows or the official install script on Linux)
- Fetch PR Context: The task retrieves pull request metadata, existing comments, and iteration details via the Azure DevOps API
- Run Copilot Review: Using the PR context and local Git commands, Copilot analyzes the changes using the configured or default prompt
- Post Comments: Review findings are posted as comments on the pull request via the Azure DevOps API
Default Review Focus Areas
The default prompt instructs Copilot to focus on:
- Performance: Identifying inefficient code patterns
- Best Practices: Adherence to coding standards
- Reusability: Opportunities for code reuse
- Maintainability: Code clarity and documentation
- Simplification: Reducing complexity
- Security: Potential vulnerabilities
- Code Consistency: Style and pattern consistency
Limitations
- GitHub Copilot CLI: On Windows, requires
winget to be available. On Linux, requires curl and bash (standard on most systems). If using MS-hosted agents, these should be available by default.
- General Comments Only: Posts general PR comments (file-level inline comments not yet supported)
- Context Window: Very large PRs may exceed Copilot's context limits
Troubleshooting
Task fails with "GitHub Copilot CLI not found"
- Windows: Ensure your agent can access
winget and has internet connectivity to install the Copilot CLI.
- Linux: Ensure
curl and bash are available, and the agent has internet connectivity to download from https://gh.io/copilot-install.
Authentication errors
Verify that:
- Your GitHub PAT has Copilot access
- If your user account is part of a GitHub organization, ensure the organization admin goes to GitHub Policies > Copilot > Copilot CLI and sets the policy to Enabled everywhere
- If using
azureDevOpsPat:
- Your Azure DevOps PAT has Code (Read) and Pull Request Threads (Read & Write) permissions
- The token is not expired
- If using
useSystemAccessToken:
- The Build Service identity has "Contribute to pull requests" permission on the repository
- Try explicitly mapping the
SYSTEM_ACCESSTOKEN environment variable:
- task: CopilotCodeReview@1
displayName: 'Copilot Code Review'
inputs:
githubPat: '$(GITHUB_PAT)'
useSystemAccessToken: true
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
Timeout errors
For large PRs, increase the timeout input value. The default is 15 minutes.
Check the pipeline logs for Copilot's analysis output and determine if the agent experienced connectivity issues when posting comments. Even if Copilot finds no issues, it should still post a single comment indicating the PR looks good when using the default prompt.
Contributing
Contributions are welcome! Please feel free to submit issues or pull requests on GitHub.
License
This project is licensed under GNU General Public License v3 - see the LICENSE file for details.
Support
For issues and feature requests, please use the GitHub Issues page.
Acknowledgments
Disclaimers
- This project is not affiliated with or endorsed by Azure, GitHub, or the Microsoft Corporation.
- All responses and interactions generated by GitHub Copilot remain subject to the probabilistic nature of the underlying LLM. As with all LLM-based interactions, there is a non-zero chance of unpredictable results. Use at your own discretion.
