Copilot Coding Agent Cannot Access Git Submodules (Authorization Issue) + Repeated Firewall Blocks

[yoignatov]

Select Topic Area

General

Copilot Feature Area

Copilot Coding Agent

Body

Hi everyone — I’m running into two issues with the GitHub Copilot Coding Agent. They appear unrelated, so I’ll describe them separately.

⸻

1. Copilot Coding Agent Cannot Access Git Submodules At All

In my repository I have several private submodules (all belonging to the same organization).
Whenever the Copilot Coding Agent attempts to work with files inside those submodule directories, it responds with messages like:

“I don’t have the necessary authorization to access this repository.”

Symptoms
• It cannot read any file in a submodule directory
• It cannot analyze code inside submodules
• It cannot apply commits, propose changes, or open PRs involving submodules
• It explicitly states it does not have permissions for those repos
• This happens even though:
• All repos are in the same GitHub org
• I am the organization owner
• The Copilot Business seat is active
• Copilot Coding Agent is enabled on all repos

There is no UI anywhere to grant the Agent additional repository permissions for submodules, so I’m not sure if:
• submodule access is not supported,
• it is a configuration gap, or
• it requires a different plan/feature.

I have not found documentation about submodule compatibility.

2. The Agent Logs Firewall Block Warnings (Unrelated to Submodules)

Separately from the above problem, the Coding Agent frequently logs warnings like:

Warning: Firewall rules blocked me from connecting to one or more addresses.
I tried to connect to:
googlechromelabs.github.io (DNS block)
storage.googleapis.com/.../chrome-linux64.zip (HTTP block)

These appear when the agent is doing work in the main repo, even when it is not interacting with submodules.

These URLs look like they come from some dependency in the main project (likely a test runner or automation library), not from submodules.
So I believe this is unrelated, but I’m including it for completeness in case it affects expected behavior.

⸻

My Questions

A. Does GitHub Copilot Coding Agent currently support git submodules?
• Yes / No?
• If “yes,” where do I grant the agent permissions to the submodule repos?

B. If not supported, is there a recommended workflow?
• Convert submodules → monorepo?
• Use subtree merging?
• Manually give the agent repo-by-repo permissions?
• Something else?

C. Are the firewall warnings expected behavior?

They don’t block my workflow, but I’d like to confirm whether:
• the agent always runs inside a restricted sandbox, or
• I should be using a custom allowlist, or
• there’s a better setup for repos that depend on things like Playwright/Puppeteer/Chrome Testing.

⸻

Environment
• GitHub Team plan
• Copilot Business
• I am the organization owner
• All repos + all submodules private and in the same org
• Coding Agent enabled in all repos (visible in Settings → Copilot → Coding Agent)
• Submodules configured normally in .gitmodules

⸻

Expected

Copilot Agent should be able to read and propose changes to submodule code, or offer a clear setup path.

Actual

Agent treats submodules as completely inaccessible, citing missing permissions.

⸻

I’d appreciate clarification from the GitHub team or anyone who has successfully used the Coding Agent with submodules.
Thank you!

[aharwood94]

Same question about sub-modules. I have a need to have Copilot Agent make multi-repo changes (back end and front end), so wondering if I can make the sub-modules and include them in a parent repo then use copilot agent on the parent repo

[5hanth]

+1

[pil0t]

Looks like I found a solution:
copilot-setup-steps.yml with

    steps:
      - name: Checkout repository WITH submodules
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
          token: ${{ secrets.PAT }}

Ensure secret located in copilot env.

[Goutham2796]

Hi @pil0t, I tried your solution and it is not woking for me. When I run the workflow manually it is able to checkout the repository with the submodule, but when I provide a task to the copilot agent, the workflow fails to fetch the submodule. The submodule directory is still empty when the agent access it.

[pil0t]

@Goutham2796 are you using copilot environment for secrets?
https://github.com/<user>/<repo>/settings/environments

[Goutham2796]

@pil0t Yes, I am using the copilot environment. I don't think I have made any mistake with referring to the secret either as the manual dispatch of the workflow works without issues. But when the workflow runs before the agent task, the submodule fetch fails.

[MatesanzLabster]

👋 Hi! Anyone have succedeed with this issue?

[ivebeenlinuxed]

This works. Ensure the add the SUBMODULES_TOKEN (Github PAT token) with access to the submodule as a secret to the Github Actions secrets.

Only problem is that if the agent makes changes to the submodule and commits it, because it cannot push to the submodule, the build breaks. It works if you keep the submodule readonly.

---

name: "Copilot Setup Steps"

on:
  workflow_dispatch:
  push:
    paths:
      - .github/workflows/copilot-setup-steps.yml
  pull_request:
    paths:
      - .github/workflows/copilot-setup-steps.yml

jobs:
  copilot-setup-steps:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        submodules: false
    - name: Checkout submodules
      run: |
        git config --global url."https://x-access-token:${{ secrets.SUBMODULES_TOKEN }}@github.com/".insteadOf "https://github.com/"
        git submodule update --init --recursive