Henry T. Perkins

GitHub Copilot CLI: install, modes, and safety tips

Generate a GitHub Copilot CLI Featured Image

Written by

hperkins

in

TL;DR — Copilot CLI brings AI into your terminal with a permission-based tool system. Install via npm, brew, or winget, authenticate with copilot login, and use interactive, programmatic, or autopilot modes. Set allowlists early—don’t use --allow-all until you trust the workflow.

Your terminal just got an AI co-pilot (without leaving your flow)

If you live in the terminal—running builds, debugging, jumping between repos—switching to a browser or IDE chat breaks your flow.

GitHub Copilot CLI brings Copilot directly into your command line, with an interactive chat-like session and the ability to take actions (like reading files, editing code, and running commands) only with the permissions you allow.

This guide walks you through:

  • Installing and authenticating Copilot CLI
  • The core commands and modes (interactive, programmatic, autopilot)
  • Real workflows you can copy and paste (including WordPress-flavored examples)
  • Safety and security guardrails you should set up early

What is GitHub Copilot CLI (and what changed recently)?

Copilot CLI is GitHub’s terminal-native assistant. You can ask questions, generate scripts, plan work, review diffs, and delegate tasks—all without leaving your shell.

On February 25, 2026, Copilot CLI became generally available for all Copilot subscribers (Individual, Business, and Enterprise—including the Free tier with usage limits). If you already have the GitHub CLI (gh), running gh copilot installs and launches Copilot CLI directly. The older “Copilot in the CLI” extension has been deprecated in favor of this newer agentic version.

Quickstart: install and authenticate (macOS, Linux, Windows)

Step 1 — Install Copilot CLI

GitHub supports multiple install methods, including npm, Homebrew, WinGet, an install script (macOS/Linux), and downloadable executables.

npm (all platforms — requires Node.js 22+):

npm install -g @github/copilot

Homebrew (macOS / Linux):

brew install copilot-cli

WinGet (Windows — requires PowerShell v6+):

winget install GitHub.Copilot

Step 2 — Launch and authenticate

Start an interactive session:

copilot

Then authenticate using /login (inside the session) or copilot login (as a standalone command).

For token-based setups, GitHub supports fine-grained personal access tokens (not classic ghp_ tokens) with the “Copilot Requests” permission, supplied via environment variables. The precedence order is:

COPILOT_GITHUB_TOKEN → GH_TOKEN → GITHUB_TOKEN

⚠️ Token override gotcha — An environment variable will silently override a stored OAuth token. Easy to miss if you already set GH_TOKEN for other tooling. Classic PATs (ghp_) are not supported—use fine-grained tokens only.

How Copilot CLI works (in plain English)

Think of Copilot CLI as a conversation plus a toolbox:

  • You prompt Copilot (“write tests,” “explain this error,” “generate a script”).
  • Copilot may request permission to use tools—read files, edit files, run shell commands, fetch web pages, and more.
  • You approve tools once, for the session, or manage longer-term allowlists and denylists. Deny rules always override allows.

This permission model is what separates “AI that suggests” from “AI that acts.”

The 3 modes you’ll actually use

1. Interactive

Your daily driver. Run copilot and steer with slash commands like /plan, /review, /delegate, /model, and /add-dir.

copilot

2. Programmatic

Great for one-shot prompts and shell automation. Use -p/--prompt for a single response, -s/--silent for clean output, or --share to save transcripts.

copilot -p "Write a bash script that backs up wp-content to ./backups with a timestamp"

3. Autopilot

For larger tasks where Copilot iterates across steps until it completes, fails, or you stop it. Best for well-defined work—risky with broad permissions.

--allow-all (alias --yolo) is a permissions shortcut (tools + paths + URLs), not a separate mode.

⚠️ Autopilot + --allow-all — GitHub explicitly warns that granting full permissions allows Copilot to alter or delete files with the same access you have. Start with limited permissions and widen gradually.

10 use-case patterns you can steal today

1. Turn intent into a safe command

Good for: bash, git, grep/find, docker, wp-env, composer

copilot -p "Find all PHP files changed in the last 7 days and list their paths, excluding vendor/"

Always sanity-check the output before running it.

2. Explain a scary command before you run it

Good for: rm -rf, find -delete, complex pipes

copilot -p "Explain what this does and what could go wrong: find . -type f -name '*.log' -mtime +30 -delete"

A great “learn while you work” pattern—especially when inheriting someone else’s scripts.

3. Generate scripts with guardrails

Good for: backups, cleanups, release steps

copilot -p "Write a bash script that creates a database backup, zips wp-content, and prints restore steps. Add safety checks and confirm paths."

When Copilot asks to run shell commands or write files, only approve what you expect.

4. Add custom instructions to match your repo conventions

Stop Copilot from guessing your build steps. Copilot CLI automatically reads instructions from multiple locations:

File / pathScope
~/.copilot/copilot-instructions.mdGlobal (all repos, user-level)
.github/copilot-instructions.mdRepo-wide
.github/instructions/**/*.instructions.mdModular / per-feature / per-path
AGENTS.md (any directory)Agent instructions (nearest file wins)
CLAUDE.md, GEMINI.mdAlso read by Copilot CLI as repo instructions

Example instructions you might include:

  • “Run composer test and npm test before finishing.”
  • “WordPress code style: escape output, sanitize input, avoid direct SQL.”
  • “Never touch production config.”

5. Plan first, then implement

/plan Add a WordPress REST API endpoint that returns a list of upcoming events with caching. Include permission checks and unit tests.

Review the plan, tighten requirements, then ask Copilot to implement. This produces cleaner, more reviewable changes.

6. Review your diff like a second set of eyes

/review Review my current branch against main. Focus on security issues, edge cases, and breaking changes.

Treat this as an assistant reviewer, not an approver—especially for auth, payments, or security-sensitive code.

7. Git workflows: PR descriptions, rebases, conflict help

Create a PR for this branch with a detailed description and testing notes.

PR creation and Git operations are among GitHub’s highlighted best-practice use cases for Copilot CLI.

8. Work across multiple repos

Start from a parent directory or explicitly add paths:

/add-dir /Users/me/projects/wp-plugin
/add-dir /Users/me/projects/wp-theme

Then coordinate changes across both—shared component updates, synchronized API changes, etc.

9. Extend Copilot with MCP servers

Copilot CLI supports Model Context Protocol (MCP) servers—an open standard for sharing context and tools with LLMs. A built-in GitHub MCP server ships by default.

Add servers interactively (/mcp add) or by editing ~/.copilot/mcp-config.json. This is how you give Copilot access to browser automation, internal docs, databases, and more.

10. Package team-standard workflows with plugins

Copilot CLI plugins are installable bundles that include custom agents, skills, hooks, and MCP/LSP configurations. A practical way to standardize “how we work” across a team—especially useful for onboarding and enforcing conventions.

Safety checklist: don’t skip this part

Copilot CLI is powerful precisely because it can act, not just advise. Guardrails aren’t optional—set them early.

1. Use allowlists, not blanket permissions

Permission patterns use the format Kind(argument). Allow all git commands while denying pushes:

copilot --allow-tool 'shell(git:*)' --deny-tool 'shell(git push)'

Deny rules always win, even when paired with broad allows. A strong default for local work: Copilot can inspect, diff, branch, and rebase—but can’t push without you.

2. Understand what --allow-all actually does

--allow-all (alias --yolo) is a permissions shortcut that grants access to all tools, all paths, and all URLs. It is not a mode—it’s a flag that can be combined with interactive, programmatic, or autopilot workflows. GitHub explicitly warns that this gives Copilot the same file-system access you have.

3. Respect trust boundaries

Copilot CLI can be influenced by what it reads—files, tool output, web content. GitHub’s security guidance highlights prompt injection and data-exposure risks. OWASP lists these among the top risks for LLM applications.

Practical mitigations:

  • Only “remember” trusted folders when you’re confident they’ll remain safe.
  • Avoid running Copilot in unknown repos or random extracted archives.
  • Don’t paste secrets—ever. Prefer environment-based auth and secret managers.
  • Treat generated shell commands like code: review, test, then run.

4. Lock down tools and paths

Use --available-tools to restrict which tools Copilot can access, and control directory scope via launch directory or /add-dir. See the configuration docs for full details.

Troubleshooting: 3 common gotchas

1. “Wrong account” or unexpected token behavior

Check for COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN overrides. Environment variables silently take precedence over stored OAuth credentials.

2. Org-managed Copilot doesn’t work

Copilot CLI access can be controlled by organization policy. Ask your admin to confirm the Copilot CLI policy is enabled if your access comes from an org subscription.

3. Programmatic mode fails unexpectedly

Double-check flags and permissions. Automation-heavy prompts may require broader tool permissions than you’ve granted. Also confirm you’re using a fine-grained token (not a classic PAT) if authenticating via environment variable.

Frequently asked questions

Is Copilot CLI the same as ChatGPT in a terminal?

Not quite. Copilot CLI is designed around your local workspace and a permissioned tool system (read / edit / run) that you control. It can see your files, run your commands, and act on your behalf—within the boundaries you set.

Do I need to use gh copilot?

No. gh copilot is a convenience wrapper. You can also install Copilot CLI directly via npm, brew, winget, the install script, or downloadable executables.

Is autopilot safe?

Autopilot can be safe for well-defined tasks with restrained permissions. --allow-all / --yolo is a permissions flag (not a mode) that raises the risk of unintended changes significantly. Start with limited tool access and widen gradually.

Can I use a classic personal access token (ghp_)?

No. Copilot CLI requires a fine-grained personal access token with the “Copilot Requests” permission. Classic PATs are not supported.

Conclusion: start small, then standardize

The fastest path to value:

  1. Install and authenticate Copilot CLI.
  2. Use interactive mode for a week—commands, explanations, scripts.
  3. Add repo instructions (.github/copilot-instructions.md) so it behaves like your team expects.
  4. Only then explore autopilot, plugins, and MCP servers.

What’s your stack? Drop a comment with your OS and what you build most (WordPress plugins, web apps, DevOps pipelines), and I’ll reply with a tailored starter set of prompts.

Sources & further reading

  1. GitHub Copilot CLI is now generally available (Changelog, Feb 25 2026)
  2. GitHub Copilot CLI command reference
  3. Best practices for GitHub Copilot CLI
  4. Install and use Copilot CLI directly from the GitHub CLI (Changelog)
  5. Installing GitHub Copilot CLI
  6. Authenticating GitHub Copilot CLI
  7. Allowing Copilot CLI to work autonomously (autopilot)
  8. Adding custom instructions for Copilot CLI
  9. Adding MCP servers for Copilot CLI
  10. About plugins for Copilot CLI
  11. Safeguarding VS Code against prompt injections
  12. OWASP Top 10 for Large Language Model Applications
  13. GitHub Copilot CLI 101
  14. Configure GitHub Copilot CLI

Comments

Leave a Reply

More posts