GitHub shipped dedicated Agents secrets and variables for Copilot cloud agent on May 8, 2026. Until now, teams had to configure values one repository at a time in a copilot environment under repository Actions settings.
The new setup lets organizations configure Copilot cloud agent secrets and variables at the organization level, share them with selected repositories, and manage repository-level values in a dedicated Agents section instead of mixing them into Actions configuration.
Why this matters
Copilot cloud agent is becoming a real background engineering worker. That means it needs access to package registries, internal MCP servers, staging credentials, feature flags, and other private resources.
Centralized secrets make rollout easier, but they also raise the stakes. A badly scoped organization secret can give an autonomous coding agent broader access than intended.
Buyer take
For GitHub-first teams, this is a meaningful enterprise-readiness improvement. It makes Copilot cloud agent easier to deploy across many repositories without repetitive setup.
Do not treat it as a pure convenience feature. Create a separate agent-secrets review path, scope secrets to the minimum repository set, and prefer short-lived or narrowly permissioned credentials where possible.
What is still unclear
GitHub did not publish a migration tool for existing repository-level copilot environment secrets, so teams with many repos may need to audit and move configuration manually.
Sources
Primary and corroborating references used for this news item.