Copilot coding agent on Windows caches read‑only token after git fetch --unshallow, causing 403s on push

[ChristopherRoybal-Logos]

🏷️ Discussion Type

Bug

💬 Feature/Topic Area

Copilot in GitHub

Body

Summary

When GitHub Copilot coding agent runs git fetch --unshallow in a PR session on a Windows‑based environment before pushing any changes, the initial read‑only token is cached into Windows Credential Manager.
After this happens, Copilot is unable to push commits or commit with report_progress because Git continues using the cached read‑only credential, resulting in 403 Forbidden errors.

Expected behavior

Copilot coding agent should be able to:

• Fetch history as needed (including --unshallow)
• Later push commits to its PR branch using its write‑scoped token

Credential caching should not cause token downgrades or permission mismatches during the agent lifecycle.

Actual behavior

1. Copilot coding agent session starts work for a PR (e.g. in response to @copilot requests)
2. Agent runs git fetch --unshallow
3. This caches the read‑only token in Windows Credential Manager
4. Later, when Copilot attempts to push commits or update progress:
   • Git reuses the cached credential
   • Push fails with 403 Forbidden
5. All subsequent pushes in the session fail until WCM entry is manually cleared

Reproduction steps

1. Use Copilot coding agent on a repository shallow cloned
2. Ensure the agent environment is Windows‑based
3. Have the agent run git fetch --unshallow early in the session
4. Ask Copilot to make a change that requires pushing a commit
5. Observe push failures with 403 errors

Environment

GitHub version: latest
OS (runs-on): windows-latest
Token involved: initial read‑only token followed by write‑scoped token

Impact

Breaks Copilot coding agent workflows that require full git history
Causes non‑obvious failures unrelated to repo permissions
Requires manual mitigation (disabling credential helpers or clearing cached creds)

Workarounds

The agent should always call report_progress at least once before git fetch --unshallow to ensure this issue does not happen during the session.

When the 403 is encountered, the agent can run cmdkey /delete:git:https://github.com to delete the bad WCM entry, allowing the next report_progress to successfully commit and push the changes. This also caches the write-capable token.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐