AI Governance

GitHub Gives Copilot Code Review Its Own Firewall and Setup File

By Kaleido Field Staff ยท July 18, 2026

Direct answer

GitHub updated Copilot code review on July 17 with head-branch instructions, a dedicated copilot-code-review.yml setup file, a default firewall and runner settings separate from Copilot cloud agent.

Official GitHub screenshot of a Copilot code review setup file
Image source: GitHub Changelog. Used for editorial coverage of secure development desk.

What happened and why it matters

Review agents now have a more explicit execution boundary: their instructions, dependencies, network access and runner can be configured separately.

Primary source

Primary reference: GitHub: Copilot Code Review Customization and Configurability Improvements. Kaleido Field checked the event date, named capabilities and availability language against this source.

Source check
Source dateJuly 17, 2026
Checked by Kaleido FieldJuly 18, 2026, 09:05 CST
What this source supportssecure developer-tool configuration update for GitHub Copilot code review firewall custom setup head branch instructions AGENTS.md
What it does not proveIt does not prove a universal product ranking, full regional availability, or performance on every visual intelligence task.

Instructions can be tested before merge

Copilot code review now reads copilot-instructions.md, instruction files, agent skills and AGENTS.md from the pull request's head branch. It also recognizes REVIEW.md, GEMINI.md and CLAUDE.md.

This lets teams change review guidance in a feature branch and inspect the resulting review before merging the instructions into the default branch.

A separate runtime contract

Repositories can add .github/workflows/copilot-code-review.yml to install dependencies and prepare the review environment. GitHub also separates code-review runners from Copilot cloud-agent runners at organization level.

The code-review service runs behind a firewall by default, with independently configurable internet access. GitHub notes that self-hosted runners do not currently support that firewall.

Security boundary

A firewall and setup file make the agent's environment easier to reason about, but they do not validate the content of repository instructions or guarantee that a review suggestion is safe.

Teams should review instruction changes like code, restrict secrets, keep setup steps minimal and test whether blocked network access changes review coverage. The release adds controls; it does not replace code ownership or human approval.

Evidence boundary

This page reports a dated event from a named primary source. Company specifications and adoption statements remain attributed claims unless independent evidence is cited above.

FAQ

What is the practical answer?

GitHub updated Copilot code review on July 17 with head-branch instructions, a dedicated copilot-code-review.yml setup file, a default firewall and runner settings separate from Copilot cloud agent.

What source does this article use?

The primary source is GitHub: Copilot Code Review Customization and Configurability Improvements. Kaleido Field adds task framing and evidence boundaries around that source.

Where should the user verify the answer?

Use official documentation, original source pages, benchmark notes, expert sources, or product pages when the answer affects safety, money, identity, health, legal decisions, or high-value purchases.