GitHub adds firewall and setup controls for Copilot code review

GitHub adds firewall and setup controls for Copilot code review

GitHub now lets teams configure Copilot code review with firewall defaults, custom setup steps, and branch-level instructions.

Format News Brief
Read Time 2 min
Category Software
Updated Jul 19, 2026

GitHub is giving teams more control over how Copilot code review runs inside repositories, a notable shift for organizations that want AI review comments but need tighter governance around build environments, network access, and repository-specific guidance.

In a July 17 changelog post, GitHub said Copilot code review now supports a separate copilot-code-review.yml configuration file in .github/workflows/. That file lets maintainers define setup steps for the review environment, such as installing dependencies or preparing tooling before Copilot evaluates a pull request. If the new file is absent, GitHub says the review flow can fall back to an existing copilot-setup-steps.yml file.

What changed

The update also changes how Copilot code review reads project guidance. Instead of pulling custom instructions only from the base branch, it can read them from the pull request head branch. That means teams can test updates to files such as copilot-instructions.md, *.instructions.md, agent skills, and AGENTS.md before merging those instructions into the main line. GitHub also expanded the supported instruction file names to include REVIEW.md, GEMINI.md, and CLAUDE.md.

The security-oriented change is firewall support. GitHub says Copilot code review now runs behind a firewall by default, limiting network access while a review is in progress. Administrators can configure that setting separately from Copilot cloud agent access through repository and organization settings. GitHub notes one important exception: self-hosted runners do not currently support the firewall, so reviews using those runners continue without it.

Why it matters

AI-assisted code review is moving from a convenience feature into part of the software delivery workflow. That raises practical questions for engineering leaders: what environment does the agent run in, what can it reach on the network, and which local rules should it follow? GitHub's split runner settings and review-specific setup file address those questions by separating Copilot code review from broader Copilot cloud agent configuration.

For developers, the head-branch instruction behavior should make review policy changes easier to validate in the same pull requests that introduce them. For administrators, firewall defaults and separate runner choices provide clearer controls as teams scale AI review across multiple repositories.

Sources

Cover photo by Daniil Komov on Pexels, used under the Pexels License.

Comments (0)

Leave a Comment

Loading comments...