GitHub announced on July 2, 2026 that Copilot CLI no longer needs a personal access token when it runs in GitHub Actions.

Primary source: GitHub Changelog, July 2, 2026.

Deleting a secret is easy. Proving the workflow still works—and recovering without hurriedly pasting credentials back into YAML—is the useful part. This is an unexecuted migration template, not a report from a production repository.

Make one reversible change

First find every place the old secret enters the job, including reusable workflows: