Quick Start
There are two ways to get started with ado-aw — using a Copilot agent to co-create your first workflow interactively, or writing the agent file manually.
Install ado-aw
Section titled “Install ado-aw”Run the first-time installer for your platform.
curl -fsSL https://github.com/githubnext/ado-aw/releases/latest/download/install-linux.sh | shcurl -fsSL https://github.com/githubnext/ado-aw/releases/latest/download/install-macos.sh | sh$script = Join-Path $env:TEMP "install-ado-aw.ps1"Invoke-WebRequest "https://github.com/githubnext/ado-aw/releases/latest/download/install-windows.ps1" -UseBasicParsing -OutFile $scriptGet-FileHash $script -Algorithm SHA256Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass& $scriptCompare the Get-FileHash output with the install-windows.ps1 entry in checksums.txt before running the script.
With Agents (recommended)
Section titled “With Agents (recommended)”The fastest way to create an agentic pipeline is to let Copilot do the heavy lifting.
-
Initialize your project
In your Azure DevOps repository root, run:
Terminal window ado-aw initThis creates
.github/agents/ado-aw.agent.md— a Copilot dispatcher agent that knows how to create, update, and debug agentic pipelines. It auto-downloads theado-awcompiler and handles the full lifecycle. -
Co-create a workflow with Copilot
Open your project in an editor with Copilot and invoke the agent:
/agent ado-awDescribe what you want your agentic pipeline to do. For example:
“Create a workflow that runs daily, reads open work items tagged ‘stale’, and adds a reminder comment.”
The agent will walk you through the front-matter configuration, write the agent prompt, and compile the pipeline — all interactively.
-
Push and register the pipeline
Once you’re happy with the generated files, commit and push them to your Azure DevOps repository. Then register the pipeline with Azure DevOps:
Terminal window ado-aw enableThis auto-discovers compiled pipelines in your repository and creates (or enables) corresponding ADO build definitions. With the
--also-set-tokenflag, it can also set theGITHUB_TOKENvariable in one step:Terminal window ado-aw enable --also-set-tokenAlternatively, set the token separately on existing definitions:
Terminal window ado-aw secrets set GITHUB_TOKENBoth commands prompt for:
- The GitHub Personal Access Token (PAT) value — used by the Copilot CLI at runtime (see required permissions below)
- For Azure DevOps authentication, the commands first try the Azure CLI (
azlogin session). If the Azure CLI is not available or not logged in, they fall back to prompting for an Azure DevOps PAT.
Service connections for ADO access: If your agent uses safe outputs that write to Azure DevOps (creating PRs, work items, comments, etc.), you need an ARM service connection referenced in your agent file’s
permissions.writefield. This connection is used to mint short-lived ADO tokens for the executor stage.permissions:write: my-write-connection # ARM service connection nameSee Service Connections for step-by-step creation instructions. You can use an existing connection if one is already configured in your project.
-
Run the pipeline
Queue your pipeline from the command line:
Terminal window ado-aw runOr queue it manually from the Azure DevOps UI. The pipeline executes the three-stage workflow: Agent → Detection → SafeOutputs.
Manual
Section titled “Manual”If you prefer full control, you can author agent files by hand.
-
Create an agent file
Create a file named
agent.md:---name: Hello from ado-awdescription: A minimal agentic pipeline exampleengine:id: copilotpool: AZS-1ES-L-MMS-ubuntu-22.04---## InstructionsInspect the repository and summarize what this project does.This file combines YAML front matter for configuration with markdown instructions for the agent.
-
Compile it
Terminal window ado-aw compile agent.mdThis writes a compiled
.lock.ymlpipeline alongside the source file. You should now have:agent.md— your source definitionagent.lock.yml— the compiled Azure DevOps pipeline
-
Push and register the pipeline
- Commit both
agent.mdand the compiled.lock.ymlfile - Push them to your Azure DevOps repository
- Register the pipeline with Azure DevOps:
Terminal window ado-aw enableThis auto-discovers the compiled pipeline and creates a corresponding ADO build definition. You can also register and set the GitHub token in one step:
Terminal window ado-aw enable --also-set-token - Commit both
-
Set the GitHub token (if not done in step 3)
If you didn’t use
--also-set-tokenin the previous step, set the token now:Terminal window ado-aw secrets set GITHUB_TOKENThis stores the
GITHUB_TOKENpipeline variable (as a secret) on every matched ADO build definition. See the With Agents section above for details on what the command prompts for and the current GitHub PAT limitation.If your workflow uses write-requiring safe outputs, you’ll also need an ARM service connection — see Service Connections.
-
Run the pipeline
Back in Azure DevOps, queue your pipeline:
Terminal window ado-aw runOr queue it manually from the Azure DevOps UI. The pipeline executes the compiled three-stage workflow: Agent → Detection → SafeOutputs.
GitHub PAT permissions
Section titled “GitHub PAT permissions”The Copilot CLI engine requires a fine-grained GitHub Personal Access Token to authenticate. Create one here with the following settings:
| Setting | Value |
|---|---|
| Resource owner | Your personal user account (not an organization) |
| Permissions | Account permissions -> Copilot Requests: Read |
No repository permissions are needed — the token is only used for Copilot inference.
The token is stored as the GITHUB_TOKEN pipeline variable on your Azure DevOps build definition (set by ado-aw secrets set GITHUB_TOKEN). It is never exposed to the agent — only the pipeline runtime uses it.
Next steps
Section titled “Next steps”- Learn the available commands in CLI Commands
- Read How It Works
- Explore the Creating Agents guide for the full agent file format