Copilot code review QA controls expanded on July 17, 2026. GitHub now lets teams test review instructions from a pull request’s head branch, prepare a dedicated review environment, and manage network and runner settings separately from the Copilot cloud agent.

What changed

  • Instructions can be validated before merge: Copilot code review now reads copilot-instructions.md, *.instructions.md, agent skills and AGENTS.md from the pull request’s head branch.
  • More instruction files are recognized: GitHub added support for REVIEW.md, GEMINI.md and CLAUDE.md.
  • A dedicated setup workflow: teams can add .github/workflows/copilot-code-review.yml to install dependencies, configure a repository runner and prepare tools used during review. Existing copilot-setup-steps.yml remains the fallback.
  • Firewall enabled by default: network access is restricted during reviews and can be configured independently. GitHub notes that self-hosted runners do not currently support this firewall.
  • Separate organization runner choices: administrators can choose runner types independently for code review and the cloud agent.

Why this matters for QA engineers

QA teams can now treat AI review behavior more like versioned test configuration. A pull request can change a test-review rule and exercise that rule in the same branch, without first placing an unproven instruction on the default branch.

  • Encode checks for missing assertions, flaky waits, weak selectors, test-data leakage and absent negative paths in repository instructions.
  • Use the dedicated setup workflow to make linters, test frameworks or internal validation scripts available to the reviewer.
  • Test instruction changes with seeded pull requests containing known defects, then compare expected and actual review findings.
  • Review firewall exceptions carefully; do not grant broad internet access merely to make a dependency or private tool work.

A practical first test

Create a feature branch that adds one narrow QA instruction, such as flagging Playwright tests that use fixed sleeps. Open a pull request containing both a compliant example and a deliberate violation. Confirm that Copilot applies the head-branch rule, reports the seeded issue, avoids false positives, and still runs with the intended dependency and network restrictions.

Bottom line

This update does not make AI review a replacement for human approval or CI. It does make Copilot’s review environment and QA rules easier to version, validate and govern.

Sources