policyDeny demo rule fails to take effect in copilot-cli-hooks.md tutorial #43102
Description
Code of Conduct
- I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/copilot/tutorials/copilot-cli-hooks
What part(s) of the article would you like to see updated?
Problem
In the copilot-cli hooks tutorial, the pre-tool-policy.sh example script attempts to invoke the deny() function prior to defining this function.
When the demo rule guard holds true, this causes the script execution to fail and prevents the policy demo rule from taking effect.
Solution
In the bash example script, the guard in question should be relocated to after the deny function definition, to ensure that the function is in scope when invoked.
At a glance, this potentially needs addressed in the PowerShell example also.
However, I don't currently have access to a PowerShell environment to personally confirm this.
Additional information
Reproduction (bash)
Follow the tutorial up to the 'Test a denied command' step.
Expected Outcome
$ copilot --model "gpt-5-mini" -p "Run a test command: echo COPILOT_HOOKS_DENY_DEMO"
# per tutorial:
# # Expected results:
#
# - Copilot CLI does not execute the command.
# - Your hook returns a denial response with a clear reason.
# - A policyDeny entry is written to .github/hooks/logs/audit.jsonl.Observed Outcome
$ copilot --model "gpt-5-mini" -p "Run a test command: echo COPILOT_HOOKS_DENY_DEMO"
Running a simple echo to verify the test command prints the expected token.
● Echo test token
$ echo COPILOT_HOOKS_DENY_DEMO
└ 2 lines...
COPILOT_HOOKS_DENY_DEMOWe can reproduce this minimally by bypassing copilot and executing the hook script directly:
$ cd .github/hooks
$ echo '{"toolName":"bash","toolArgs":"{\"command\":\"echo COPILOT_HOOKS_DENY_DEMO\"}"}' \
| scripts/pre-tool-policy.sh
scripts/pre-tool-policy.sh: line 53: deny: command not found
``