Copilot Code Review for Azure DevOps

Automated pull request code reviews powered by the official GitHub Copilot CLI. Get automated feedback on your PRs while leaving your code hosted in Azure DevOps repos.

Overview

This Azure DevOps extension provides a pipeline task that automatically reviews pull request code changes using GitHub Copilot. When triggered, the task:

Fetches pull request details and changed files from Azure DevOps
Invokes GitHub Copilot CLI to analyze the changes
Posts review comments directly to the pull request

This brings GitHub Copilot's code review capabilities to Azure DevOps, helping teams improve code quality through AI-assisted reviews.

Pull Request with comments generated by Copilot

Prerequisites

Before using this extension, ensure you have:

GitHub Copilot Subscription: An active GitHub Copilot subscription (Individual, Business, or Enterprise)
GitHub Personal Access Token: A PAT with Copilot access permissions
Azure DevOps Personal Access Token: A PAT with permissions to:
- Read pull requests
- Write pull request comments
- Read code
- NOTE: Since this PAT will be used by Copilot to post comments, all PR comments will be attributed to the account used to create the PAT. For large teams, consider using a PAT from a dedicated service account to avoid confusion.
Windows Agent: This extension currently only supports Windows-based Azure DevOps agents. Compatible with both MS-hosted and self-hosted agents.

Installation

Install the extension from the Azure DevOps Marketplace
Navigate to your Azure DevOps organization settings
Go to Extensions and verify the extension is installed

Usage

Basic Usage

Create a dedicated pipeline with the CopilotCodeReview@1 task:

trigger: none

pool:
  vmImage: 'windows-latest'

steps:
- checkout: self
  fetchDepth: 0

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    azureDevOpsPat: '$(AZURE_DEVOPS_PAT)'

Use branch policies on your protected branches to specify the pipeline as a build validation that must finish before the PR can be completed:

Branch policy with code review trigger

With Custom Prompt

You can customize the review prompt to focus on aspects tailored to your needs:

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    azureDevOpsPat: '$(AZURE_DEVOPS_PAT)'
    prompt: |
      Review this code focusing only on:
      - Security vulnerabilities
      - Performance bottlenecks
      - Code simplification
      Avoid lengthy explanations, keep comments concise and direct.

For longer custom prompts, create a .txt file in your repository and pass the file path as a task input:

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    azureDevOpsPat: '$(AZURE_DEVOPS_PAT)'
    promptFile: '$(Build.SourcesDirectory)/.copilot/review-prompt.txt'

NOTE: If using a custom prompt, avoid including any double quotation marks (") as this will cause errors when passing the input to the Copilot CLI. Single quotes (') can be used instead and should not cause any issues.

Manual Trigger for Specific PR

If you don't want to setup an automatic trigger, you can instead set up a pipeline with a Pull Request ID parameter to run reviews on demand:

parameters:
  - name: pullRequestId
    displayName: 'Pull Request ID'
    type: string
    default: ''

trigger: none

pool:
  vmImage: 'windows-latest'

steps:
  - checkout: self
    fetchDepth: 0

  - task: CopilotCodeReview@1
    displayName: 'Copilot Code Review'
    inputs:
      githubPat: '$(GITHUB_PAT)'
      azureDevOpsPat: '$(AZURE_DEVOPS_PAT)'
      pullRequestId: '${{ parameters.pullRequestId }}'

Input Reference

Input	Required	Default	Description
`githubPat`	Yes	-	GitHub Personal Access Token with Copilot access
`azureDevOpsPat`	Yes	-	Azure DevOps PAT for API access
`organization`	No	`$(System.CollectionUri)` (inferred)	Azure DevOps organization name
`project`	No	`$(System.TeamProject)`	Azure DevOps project name
`repository`	No	`$(Build.Repository.Name)`	Repository name
`pullRequestId`	No	`$(System.PullRequest.PullRequestId)`	PR ID (auto-detected in PR builds)
`timeout`	No	`15`	Timeout in minutes
`model`	No	-	Preferred Copilot model to use (see valid options below)
`promptFile`	No	-	Path to custom prompt file
`prompt`	No	-	Inline custom prompt (overrides `promptFile`)
`authors`	No	-	Comma-separated list of email addresses to filter reviews (see below)

Copilot Models

As of December 2025, here are the model options supported by the GitHub Copilot CLI:

claude-sonnet-4.5 (default)
claude-haiku-4.5
claude-opus-4.5
claude-sonnet-4
gpt-5.1-codex-max
gpt-5.1-codex
gpt-5.1-codex-mini
gpt-5.1
gpt-5
gpt-5-mini
gpt-4.1
gemini-3-pro-preview

Author Filtering

Use the authors input to limit code reviews to PRs created by specific users. This is useful when you want to:

Only review code from certain team members (e.g. junior developers)
Exclude automated bot PRs from review
Limit Copilot usage to a subset of contributors
Use separate prompts/models for certain team members

- task: CopilotCodeReview@1
  displayName: 'Copilot Code Review'
  inputs:
    githubPat: '$(GITHUB_PAT)'
    azureDevOpsPat: '$(AZURE_DEVOPS_PAT)'
    authors: 'alice@example.com, bob@example.com, charlie@example.com'

When configured:

The task compares $(Build.RequestedForEmail) against the provided email list
If the PR author's email matches any in the list, the review proceeds normally
If no match is found, the task completes successfully without running the code review
Email comparison is case-insensitive

Setting Up Tokens

GitHub Personal Access Token

Go to GitHub Settings > Developer Settings > Personal Access Tokens
Generate a new Fine-grained token with the following options:
- Repository access: Public
- Permission: Copilot Requests
Store the token as a secret variable in your Azure DevOps pipeline

Azure DevOps Personal Access Token

Go to your Azure DevOps organization
Click on User Settings > Personal Access Tokens
Click on New Token and then Show All Scopes
Create a new token with the following scopes:
- Code: Read
- Pull Request Threads: Read & Write
Store the token as a secret variable in your Azure DevOps pipeline

Storing Tokens in Azure DevOps

Navigate to Pipelines > Library
Create a new Variable Group or edit an existing one
Add the following variables:
- GITHUB_PAT (mark as secret)
- AZURE_DEVOPS_PAT (mark as secret)
Link the variable group to your pipeline

Alternatively, you can create the pipeline first and then configure the pipeline-specific variables.

How It Works

Install Copilot CLI: The task ensures the GitHub Copilot CLI is installed on the build agent using winget
Fetch PR Context: The task retrieves pull request metadata, existing comments, and iteration details via the Azure DevOps API
Run Copilot Review: Using the PR context and local Git commands, Copilot analyzes the changes using the configured or default prompt
Post Comments: Review findings are posted as comments on the pull request via the Azure DevOps API

Default Review Focus Areas

The default prompt instructs Copilot to focus on:

Performance: Identifying inefficient code patterns
Best Practices: Adherence to coding standards
Reusability: Opportunities for code reuse
Maintainability: Code clarity and documentation
Simplification: Reducing complexity
Security: Potential vulnerabilities
Code Consistency: Style and pattern consistency

Limitations

Windows Only: Currently requires Windows-based agents
GitHub Copilot CLI: Requires the GitHub Copilot CLI to be installable via winget. If using MS-hosted agents, this should be enabled by default. If using a self-hosted agent, run winget -v to ensure the tool is accessible.
General Comments Only: Posts general PR comments (file-level inline comments not yet supported)
Context Window: Very large PRs may exceed Copilot's context limits

Troubleshooting

Task fails with "GitHub Copilot CLI not found"

Ensure your agent can access winget and has internet connectivity to install the Copilot CLI.

Authentication errors

Verify that:

Your GitHub PAT has Copilot access
- If your user account is part of a GitHub organization, ensure the organization admin goes to GitHub Policies > Copilot > Copilot CLI and sets the policy to Enabled everywhere
Your Azure DevOps PAT has Code (Read) and Pull Request Threads (Read & Write) permissions
Tokens are not expired

Timeout errors

For large PRs, increase the timeout input value. The default is 15 minutes.

No comments posted

Check the pipeline logs for Copilot's analysis output and determine if the agent experienced connectivity issues when posting comments. Even if Copilot finds no issues, it should still post a single comment indicating the PR looks good when using the default prompt.

Contributing

Contributions are welcome! Please feel free to submit issues or pull requests on GitHub.

License

This project is licensed under GNU General Public License v3 - see the LICENSE file for details.

Support

For issues and feature requests, please use the GitHub Issues page.

Acknowledgments

Built with Azure Pipelines Task SDK
Powered by GitHub Copilot

Disclaimers

This project is not affiliated with or endorsed by Azure, GitHub, or the Microsoft Corporation.
All responses and interactions generated by GitHub Copilot remain subject to the probabilistic nature of the underlying LLM. As with all LLM-based interactions, there is a non-zero chance of unpredictable results. Use at your own discretion.

Copilot Code Review

Little Fort Software