Skip to content

policyDeny demo rule fails to take effect in copilot-cli-hooks.md tutorial #43102

@ohainle

Description

@ohainle

Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/copilot/tutorials/copilot-cli-hooks

What part(s) of the article would you like to see updated?

Problem

In the copilot-cli hooks tutorial, the pre-tool-policy.sh example script attempts to invoke the deny() function prior to defining this function.
When the demo rule guard holds true, this causes the script execution to fail and prevents the policy demo rule from taking effect.

Solution

In the bash example script, the guard in question should be relocated to after the deny function definition, to ensure that the function is in scope when invoked.

At a glance, this potentially needs addressed in the PowerShell example also.
However, I don't currently have access to a PowerShell environment to personally confirm this.

Additional information

Reproduction (bash)

Follow the tutorial up to the 'Test a denied command' step.

Expected Outcome

$ copilot --model "gpt-5-mini" -p "Run a test command: echo COPILOT_HOOKS_DENY_DEMO"
# per tutorial:
# # Expected results:
#
#  - Copilot CLI does not execute the command.
#  - Your hook returns a denial response with a clear reason.
#  - A policyDeny entry is written to .github/hooks/logs/audit.jsonl.

Observed Outcome

$ copilot --model "gpt-5-mini" -p "Run a test command: echo COPILOT_HOOKS_DENY_DEMO"
Running a simple echo to verify the test command prints the expected token.

● Echo test token
  $ echo COPILOT_HOOKS_DENY_DEMO
  └ 2 lines...

COPILOT_HOOKS_DENY_DEMO

We can reproduce this minimally by bypassing copilot and executing the hook script directly:

$ cd .github/hooks
$ echo '{"toolName":"bash","toolArgs":"{\"command\":\"echo COPILOT_HOOKS_DENY_DEMO\"}"}' \
          | scripts/pre-tool-policy.sh
scripts/pre-tool-policy.sh: line 53: deny: command not found
``

Metadata

Metadata

Assignees

No one assigned

    Labels

    contentThis issue or pull request belongs to the Docs Content teamtriageDo not begin working on this issue until triaged by the team

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions