GitHub Weekly: Copilot Coding Agent Levels Up, Enterprise AI Gets Real Governance

Published: March 6, 2026 at 10:56 PM EST
Source: Dev.to

Author: [Hector Flores](https://dev.to/htekdev)

# GitHub Doubles Down on Agentic Workflows

If you blinked this week, you missed five major updates to GitHub's agent ecosystem:

1. Model selection for the Copilot coding agent.  
2. Self‑review before PRs.  
3. Built‑in security scanning.  
4. Enterprise AI controls going GA.  
5. GitHub Actions finally killing the double‑zip artifact problem.

Let’s break down what actually matters.

---

## Copilot Coding Agent Gets Model Selection

The [Copilot coding agent](https://github.blog/ai-and-ml/github-copilot/whats-new-with-github-copilot-coding-agent/) now lets you pick your model. Previously every background task ran on a single default model—you couldn’t pay for a beefier model for complex refactors or drop down to something faster for routine work.

Now you can. The **Agents** panel includes a model picker:

* **Fast model** – ideal for straightforward tasks like adding unit tests.  
* **More capable model** – for gnarly refactors or integration tests that need real edge cases.  
* **Auto** – let GitHub choose the best model for you.

Model selection is live for **Copilot Pro** and **Pro+** users now, with **Business** and **Enterprise** coming soon.

I’ve been watching agent capabilities evolve since [GitHub launched agentic workflows](https://htek.dev/articles/github-agentic-workflows-hands-on-guide/), and this is exactly the kind of control teams need when they’re delegating real work to agents. A one‑size‑fits‑all model makes sense for demos; in production you want options.

---

## Self‑Review Before the PR Opens

Here’s the painful part of reviewing agent output: the diff works, but the code looks like it was written by a robot—overly complex string concatenations, meaningless variable names, patterns that violate your team’s conventions.

The Copilot coding agent now **reviews its own changes** using [Copilot code review](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review) **before opening the PR**. It gets feedback, iterates, and improves the patch. By the time you’re tagged for review, someone (the agent) has already gone through it.

In a [GitHub Checkout demo](https://youtu.be/S1ch_6fjp5M?t=212), the agent caught an unnecessarily complex string concatenation and fixed it before the pull request landed. That used to be your problem.

This is a big deal. Self‑review means the agent isn’t just generating code—it’s applying the same quality bar you’d expect from a human contributor. That’s the difference between a code generator and an actual coding assistant.

---

## Security Scanning Baked Into Agent Workflows

AI‑generated code can introduce the same risks as human‑written code: vulnerable patterns, accidentally committed secrets, dependencies with known CVEs. The difference is agents do it faster.

The Copilot coding agent now runs **code scanning, secret scanning, and dependency vulnerability checks** directly inside its workflow. If a dependency has a known issue or something looks like a committed API key, it gets flagged before the PR opens.

Code scanning is normally part of **GitHub Advanced Security (GHAS)**. With the Copilot coding agent, you get it for free—GHAS is a paid add‑on, so this effectively gives you enterprise‑grade security scanning on every agent‑generated PR without an upgrade.

This aligns with what I discussed in my article on [context engineering](https://htek.dev/articles/context-engineering-key-to-ai-development/): agents need guardrails built into the pipeline, not bolted on after the fact.

---

## Enterprise AI Controls Go Generally Available

GitHub’s **Enterprise AI Controls and agent control plane** just hit **general availability**. This is the governance layer enterprises actually need when they’re deploying agents at scale.

### What you get

| Feature | Description |
|---------|-------------|
| **AI Controls tab in enterprise settings** | One consolidated view for all AI‑related policies and settings. |
| **Audit logs with agent visibility** | `actor_is_agent` identifiers and `user`/`user_id` fields let you see who the agent is acting on behalf of. |
| **Cloud agent session activity** | View all agent sessions from the last 24 hours (not just the first 1,000 records). Search and filter by specific agents, including third‑party agents. |
| **Custom agent APIs** | Programmatically apply enterprise‑wide custom agent definitions for greater control and compliance. Set the source organization and list custom agents defined in your canonical `.github-private/agents/*.md` repository path. |
| **AI manager role** | Decentralize AI administration through an enterprise custom role with fine‑grained permissions for viewing audit logs, agent session activity, and managing AI Controls. |

MCP enterprise allowlists remain in preview—GitHub is redesigning them to scale better across organizations without creating multiple registries.

If you’re managing Copilot across an enterprise, this is what you’ve been waiting for: real governance, real auditability, real control. Not just “AI is enabled for everyone” or “AI is disabled.” Actual enterprise‑grade administration.
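To make the audit log row concrete, here is an added example (not from the original post or from GitHub) that triages exported audit events as JSON Lines: it groups agent actions by the person the agent acted for and surfaces agent events that carry no `user`/`user_id`. Only `actor_is_agent`, `user` and `user_id` come from the table above; the other keys, the JSON Lines export shape and every sample value are assumptions, constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events (JSON Lines). Only actor_is_agent, user and user_id
# come from the article; the remaining keys and all values are assumptions.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1772800000000, "action": "pull_request.create", "actor": "example-agent", "actor_is_agent": true, "user": "alice", "user_id": 1001}
{"@timestamp": 1772800060000, "action": "repo.create", "actor": "bob", "actor_is_agent": false}
{"@timestamp": 1772800120000, "action": "git.push", "actor": "example-agent", "actor_is_agent": true, "user": "alice", "user_id": 1001}
{"@timestamp": 1772800180000, "action": "workflows.created_workflow_run", "actor": "third-party-agent", "actor_is_agent": true}
{"@timestamp": 1772800240000, "action": "pull_request.create", "actor": "example-agent", "actor_is_agent": true, "user": "carol", "user_id": 1003}
not-json garbage line
"""

def triage_agent_events(jsonl_text):
    """Return (agent actions per delegating user, agent events with no
    delegating user, line numbers that could not be parsed)."""
    by_user = defaultdict(list)   # (user, user_id) -> [action, ...]
    unattributed = []             # agent events lacking user or user_id
    malformed = []                # 1-based line numbers that failed to parse
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            malformed.append(lineno)
            continue
        # Strict check: a missing key or the string "true" is not an agent event.
        if event.get("actor_is_agent") is not True:
            continue
        user, user_id = event.get("user"), event.get("user_id")
        if user is None or user_id is None:
            unattributed.append(event)
        else:
            by_user[(user, user_id)].append(event.get("action"))
    return dict(by_user), unattributed, malformed

if __name__ == "__main__":
    by_user, unattributed, malformed = triage_agent_events(SAMPLE_AUDIT_LOG)
    for (user, user_id), actions in sorted(by_user.items()):
        print(f"{user} ({user_id}): {len(actions)} agent actions: {actions}")
    for event in unattributed:
        print(f"REVIEW: agent {event.get('actor')} ran {event.get('action')} with no delegating user")
    print(f"malformed lines: {malformed}")
```

Whether an agent event without a delegating user is expected in your enterprise is something to confirm against your own logs; the script only separates those events so a reviewer sees them.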

---

## GitHub Actions: No More Double‑Zip Artifacts

GitHub Actions now supports **uploading and downloading non‑zipped artifacts**, eliminating the long‑standing double‑zip problem.

[Read the full announcement here](https://github.blog/changelog/2026-02-26-github-actions-now-supports-uploading-and-downloading-non-zipped-artifacts).

---

That’s the roundup of the biggest GitHub agentic workflow updates this week. 🚀

## Artifact Upload Improvements

Previously, every artifact you uploaded with `actions/upload-artifact` was automatically zipped. If you uploaded a compressed file to maintain permissions or reduce size, you ended up with a compressed file inside another compressed file—the double‑zip problem.

Now you can set the `archive` parameter to `false` in v7 of `actions/upload-artifact` (release notes) and upload unzipped artifacts. This solves three major problems:

* No more unzipping when downloading a single file via the browser.
* If your browser supports the file type, you can view files directly (HTML, images, markdown).
* No more double‑zip issue when you upload compressed files.

**Note:** This applies only to new artifacts uploaded with v7 where `archive` is set to `false` (the default remains `true` for backwards compatibility). You’ll also need to update to v8 of `actions/download-artifact` (release notes).

It’s a small quality‑of‑life fix, but it removes one of those “stupid little frictions” that add up when you work with CI/CD pipelines daily.


## Also Shipped This Week


## The Bottom Line

GitHub is making a serious bet on agents—not just as a feature, but as a core part of how developers work. Model selection, self‑review, security scanning, enterprise governance—these aren’t experimental; they’re production‑ready capabilities designed for teams shipping real code.

The signal is clear: agents aren’t assistants anymore. They’re teammates. And GitHub is building the infrastructure to make that work at enterprise scale.

If you’re still treating Copilot like autocomplete, you’re missing the bigger shift. The tooling just got a lot more capable this week.
