Tim from the Copilot coding agent team here. We've now disabled these tips in pull requests created by or touched by Copilot, so you won't see this happen again for future PRs.
We've been including product tips in PRs created by Copilot coding agent. The goal was to help developers learn new ways to use the agent in their workflow. But hearing the feedback here, and on reflection, this was the wrong judgement call. We won't do something like this again.
> We've now disabled these tips in pull requests created by or touched by Copilot, so you won't see this happen again for future PRs.
It's appreciated, but these weren't tips, these were ads. Tips are "Save time with keyboard shortcuts" or "Check out the latest features under 'Whats New' in the help menu!" When you name other products, that's an ad.
That doesn't really make sense. So it's an ad for raycast? But raycast said they didn't know about it. To me the explanation makes perfect sense. "You can use this tool with raycast" seems like a very reasonable tip.
> That doesn't really make sense. So it's an ad for raycast?
It's an ad for using CoPilot and for Raycast.
> But raycast said they didn't know about it.
If I buy a billboard that tells people to go eat at a nearby restaurant, that's ad regardless of whether or not the restaurant knows that I bought that ad.
> To me the explanation makes perfect sense. "You can use this tool with raycast" seems like a very reasonable tip.
Raycast is a paid product. Even though they have a free tier, they only have that to get people to use and like the tool enough to pay for it. They want you to use Raycast so you use CoPilot and pay for it. It's an ad.
Anyone claiming this is just a tip is being disingenuous or is extremely naive. MS knows exactly what they're doing, this wasn't a charity offering. Now they're claiming it was a tip to save face.
Tips are also not acceptable to add to PR text. It’s like the definition of a “weed”. A “tip” in the GitHub UI would make sense. But “tips” injected into my own PR text become unwelcome ads. In any case, what may be helpful “tips” today are only a gateway to straight up paid ads tomorrow. After all, I get told all the time by adtech folks that actually, the ads and all the tracking behind them are good because aren’t I glad the ads are relevant to my interests and that I’m supporting small businesses online whose shops can only exist because of the ad infrastructure. To which I say, no, they aren’t, and that’s a lie.
No one, anywhere, ever wants this or anything like it. Do not inject anything that is outside of the context of the session, ever.
This is how you get your software banned at large companies.
Question for you, did anyone on the team really not push back? Does the team really think anyone wants ads in their copilot output? If the answer to both of these is no, you have a team full of yes men, not actual developers.
This is the real question. If they are serious about not doing something like this again, they NEED to look at what process failed and let something like this get proposed, designed, implemented and pushed to production. Usually things get reviewed at each stage. Did the people who pushed back on this get steam rolled? If no one pushed back, that's an even serious culture question and the entire org would need training.
A serious "we won't do it again", needs to be accompanied by a COE on this for identifying what went wrong, and identifying what guardrails can be put in place and then actually implementing them.
That's a tough one. In the big meeting? In the small meeting? "Officially" push back? Encouraged to make the push back unofficial? Etc. Even just internally, it can be hard to quantify. From internal > external, more so.
The number of times I’ve had to defend someone else’s customers let alone my own is exhausting.
And that dynamic is only allowed within close circles.
I’ve found once “the decision” is made, the bigger the subsequent meeting, protests are often swept under the rug.
On most occasions the worst part is that folks intentionally withhold information to get their way. And thats real hard to compete against without making an ass out of yourself, or losing the trust of others.
They’re also developers and probably do care. I’d wager, as always, someone in management with bonus targets to hit probably told them to do it anyway. :/
Having worked in such environments. This particular team will try not to do it again
But many other teams didn't make the commitment or learn any lesson. And even the original team will churn over people and people will forget or new leadership comes in.
I believe they were being sincere but reality is often more complicated than 1 persons statement.
Wait! I think most people missed your "touched by Copilot" disclaimer.
Over on twitter, someone from MS said that Copilot can modify PRs simply because they were mentioned?
I've been using GitHub since it was new and heavily rely on coding agents for development, but that's an insanely large security hole. There's clearly confusion about what copilot is and is not able to edit elsewhere in this thread.
I'm backing up old repos now, and am no longer trusting your service as an archive. I'm wondering if the world needs to fork things like npm and vs code to save itself from the supply chain attacks these sort of product management decisions will enable.
I already moved active development elsewhere when you dropped below three nines back in 2024-2025.
It won’t unless you ask it to. It will review your PRs and it will create PRs if you don’t turn those things off, I believe, but it won’t edit or modify any PR.
My employer pushes copilot quite hard and I’ve never seen copilot do anything without me telling it to act in some way.
> We've been including product tips in PRs created by Copilot coding agent
If the PR is wholly authored by Copilot I get the spirit of this, although maybe not the best implementation. And "tips" like this that look like an ad for a product _definitely_ feel like an enshittification betrayal of the user, even if it was a genuine recommendation and not a paid advertisement.
In the OP's situation, where where Copilot was summoned to fix some thing within a human-authored PR, irrelevant modification of the PR description to insert unrelated content is specifically egregious. Copilot can easily include the tip in its own comment, so I'm curious why it was decided to edit the description of a PR instead.
To be honest, just a user here, it’s only recently (like a week?) you can ask Copilot to edit an existing PR, historically it’s had to open a new one (that merged back to original PR) or it had to make it to begin with, I can see this unintentionally happening as part of this improvement to edit existing PRs
Nah, PR text is a completely inappropriate place for a tip to appear. A PR description should describe the contents of the PR, not include unrelated, unsolicited advice. It’d be like submitting a bug fix, and saying “this PR fixes bug X, and also, have you considered using a different linter in this project?” Completely inappropriate.
(Now imagine this edited into the post you just made for a more-apt comparison)
If you do work at MS, I cannot believe any person involved legit thought it was "just a tip and nobody will mind their posts being edited to include product recommendations". I don't know what other parts of your comment are honest if the core statement is false
You should gather together your team and look through the responses to this thread together. There are a lot of emotions in these comments, but it could be a very constructive experience if you're able to put that aside. I'm sure you're aware that customer-sentiment toward Github has been poor lately, but these commenters are your customers. I believe Github has the potential to win back loyalty, but it will require a deeper understanding of your customer segment.
Sure the decision was they didn't care to prevent things like this, most likely due to either being overworked or just having the typical corporate tech culture of seeing the user as hostile, until public backlash.
MS was deemed a Monopoly I believe around '99 and was not broken up, was instead given behavioral edicts by the court.
Microsoft owns GitHub where many of these ethical violations are easily found and were perpetrated.
I speculate the cultural safety around that monopoly-power for corporate-benefit behavior could still be present and accepted for negotiations between MS and acquisition targets.
Whoever did this must have realised the users will hate it. So… is this just demonstrating that the internal culture emphasises other things than user happiness?
I also note that ”for PRs” - will we see these appearing as comments in generated code?
I know this is not the right place for this but if there's any chance you could send this link to someone internal at Github who knows how to fix this, that would be awesome! https://github.com/orgs/community/discussions/70577
It's only semi-related in that it's a similar string thats appearing in millions of repos due to a Github feature change, but it's now polluting Google search results with tons of duplicate URLs unnecessarily. Issue has 100+ votes but has been entirely ignored by Github team.
We don’t like ads, my man. There are too many MBAs in that company now. MBA holders lose contact with reality about halfway through that degree. Do not listen to them. They will destroy any product they touch if given enough time.
> The goal was to help developers learn new ways to use the agent in their workflow.
I appreciate the rest of your reply, but it would be generous to say you're stretching the truth here. Yes, the official MS statement is that these are "tips", but you, I, and everyone else here knows what this is.
WE won't see it happen again ... UNTIL IT DOES! You guys are disingenuous actors. Bad faith and all that.
See, what I expect is that you or someone on your team will move on internally, and then all promises made will be not just forgotten, but tossed aside with relief. Because this is The Way within MS now. All projects are just fodder for your CV, and when you get that paybump/position you want some other completely unscrupulous actor will join and implement the same. exact. thing.
Edit: Wow this is a shitshow. It's almost like you dumb fuckers have burned up ALL THE GOODWILL YOU HAD LEFT.
You may not want to do it, but will Microslop leadership agree? I don’t think this problem can be solved while leadership is focused only on adding more slop.
Please see https://news.ycombinator.com/item?id=47576084 and please don't post so aggressively. I'm sure you don't intend to, but it has a strong negative effect on HN threads, and we're trying for something different here.
You may not feel you owe $BigCoEmployee better (though chances are, said person is just as much a community member here as you and the other users slamming them are), but you owe this community better if you're participating in it.
GP did not personally attack or denigrate the person they were replying to.
As the dozens of other comments show, the overwhelming majority of us do not believe the root commentors claims, and this PM quite objectively does not have the leverage and authority to back their claim that they won’t let this happen again.
It’s hard not to read your conception of “trying for something different” as granting undue credulity to a transparently dishonest corporate actor.
I understand, and I don't want to see ads in such contexts either. But "nobody believes this" is of course a personal attack, and "you don't have the power to [do what you just said you will do]" is pretty aggressive too.
The impulse to hit back against what is perceived as a "transparently dishonest corporate actor" is natural and human. I feel it also, and in fact my first response when I read such comments is always an adrenaline surge and the peculiar pleasure-hit of righteous indignation. So yes, I know where these feelings are coming from; we all do.
The problem is that in the HN context, (1) there is a human being at the other end of the account being attacked, and (2) there are orders of magnitude more attackers. In practice, this can easily turn into a mob dynamic and in fact a mass beating, if a virtual one. That's bad in its own right and bad for the community here.
I would say that "nobody believes this" would usually be a personal attack by default but when it's followed up with "you do not have the power to prevent it" it's not a personal attack.
> The impulse to hit back against what is perceived as a "transparently dishonest corporate actor" is natural and human.
Honest question: If we agree that the transparent dishonesty and the lynch mob behavior are both undesirable, how do you think the two should be balanced in operative terms?
I don’t want to put words in your mouth — but are you saying you won’t allow direct pushback to dishonest corporate actors??
My view is that healthy discourse requires balance and proportionality: flagrant dishonesty, as is the case here, should license a proportional degree of pushback.
I don’t agree at all that “nobody believes this” is quite the personal attack you’re making it out to be, but I don’t care to debate that at length either.
(1) the long-term health of the community has to be the priority here. Otherwise it won't survive—all the default internet vectors point the other way;
(2) it's possible to push back, express skepticism, etc., in way that respects the person on the other side of the conversation and isn't just venting the impulse to shame the other.
You guys (<-- by which I really mean all of us in this community) need to remember that you're not just addressing a $BigCo abstraction when you post replies to someone else's comments. You're talking to an individual human. Sure, they may be working for a large and powerful company; but in the HN context the power dynamic is actually quite the reverse. If you put yourself in their shoes for a minute, it shouldn't be so hard to recognize that.
Like I said upthread, I agree with you on the underlying issue. But we also have to preserve the container, and the latter has to take precedence.
At the end of the day, if you want intellectual curiosity and openness, bad-faith dishonesty needs to be weeded out; thought-provoking and honest conversation should be promoted, regardless of where the contributor is employed.
The problem isn’t working for Microsoft. The problem is dishonesty.
You’re treating the root comment with kid gloves because it’s from a Microsoft employee. Please don’t do that.
Internet commenters massively over-attribute "bad-faith dishonesty" to others while denying it in themselves. There's enough bad faith to go around in all of us.
It's obvious that the dominant variable in the GP was that he was replying from within $BigCo. Your comment starts out by denying that and ends by confirming it.
I'm not asking for special treatment for anyone, but the opposite: I don't anyone on HN to be the target of a mob. That's the entire point.
Internet or not, I post under my real name on here, and I fully stand by my words. Anything I say on here, I’m 100% willing to say to someone’s face. We can link up for coffee or a beer next time I’m in CA if you’d like, and I’ll prove it.
The root comment is an aggressive affront to the audience’s collective intelligence. You’re in full “rules for thee; not for me” territory, and undermining your own site guidelines if you wanna let the root comment stand unchecked but go after the rightful callouts, in my book.
I'm sure there was push-back, but only inside the minds of the rank-and-file. Nobody would have dared to actually speak out against it, as it would be career limiting. That's probably how a lot of these boneheaded decisions happen: It's an Emperor's New Clothes situation, nobody speaks up, and then the emperor is satisfied that the decision is great.
Hi Tim, it's Jim, your manager. Please stick to the officially released statement:
"We tried to put ads in our product and it made people upset, upon realizing that this has angered our already paying users, we realize we should try again in a month. We're also aware GitHub is down, and are doing our best to deliver you a single 9 of reliability"
This helps us establish a strong, cohesive brand image inline with what customers of GitHub expect.
---
Edit: I don't mean anything bad to Tim here, seems like a nice guy with good technical experience, etc. Rather, I'm expressing the almost comical extent to which I and - to the best of my understanding - many other community members see GitHub in a very negative light now, being unreliable and, as the article points out, enshitified. So, this is at GitHub, Not Tim, it's just addressed to him for the bit.
Tim, I do actually appreciate you responding to this thread and if you do have the power to make things better, using that power to do so.
This feels a bit threatening. Just want to call it out. I also disagree with the decision but I respect that someone came forward and took responsibility. That helps build our shared understanding of what happened. It’s hard and not something we should discourage.
Please don't attack people for showing up to engage in discussion like this. I'm sure you don't intend to, but it quickly becomes part of mob behavior. We don't want that on HN for obvious reasons, and I'm sure nobody intends it, exactly, but it happens all too easily anyhow.
I appreciate the reply. As mentioned, it happens unintentionally. One way to describe the (desired) HN community is everyone learning together how to avoid unintended effects.
The behavioral impositions by the court in the United States versus Microsoft trial discourage it from Monopoly behavior by opening third-party apis to competitors.
Q: Will Microsoft share its access to users private repos where they have not opted out of this training via its GitHub subsidiary, with third parties (eg OpenAI and Anthropic), in the spirit of its loss to the United States during its trial for Monopoly behavior?
Eg ethically today, Microsoft may be able to be argued to be monopolizing user data for its own AI tooling advantage.
Why such strong opposition to getting user consent before doing any of this? Not respecting consent seems to be a very common theme with MS these days, and it really doesn't reflect well on the company or you personally.
What am I supposed to opt out of? The only setting in "Privacy" is "Suggestions matching public code" which is blocked and seems wholly unrelated to this.
Yes or No: Hypothetically I put customer data in a private repo, a single file. I use copilot to analyze the file, submitting its contents to that backend. This is the only thing in the repo. Is that data collected and trained on? If the answer is not no, you are lying about what this opt in is.
IANAL I wonder how that is legal in the EU, at least for private individuals, since under the GDPR you need consent for collecting such data. (A timed opt-out is not consent.)
I’ve felt similarly about moving off GitHub. I bought a small 5U server rack years ago for my home network setup.
I’m considering getting a 1U device to host my own git server. I feel like if I move off, I should do it generally vs just moving to another provider who may also pull shenanigans.
i had a gitea instance in a beaglebone black! Self hosting can have really low requirements (now it's a much beefier banana pi R3 router, but there are many containers running on it)
> Reviewing AI output all day without the dopamine of creation is not a sustainable job description.
I agree that reducing engineers’ careers to code review will lead to burnout (amongst other problems).
But I think the reason we’re headed in this direction is precisely because creating with AI /can/ deliver “the dopamine of creation”.
It doesn’t deliver that hit for everyone - but it does for the half of engineers who are more excited about building new things than the act of coding.
Teams build more and ship faster because it’s so much easier to do that with AI - and it’s fun - and that leads to increased review load.
That would be the normal pattern. But you could certainly stop after the LLM picks the tool and provides the arguments, and not present the result back to the model.
The travel agency is the one that collects your personal information - but it (unsurprisingly) immediately passes just about everything to the airline: name, date of birthday, phone number, email etc.
In general, the airline won’t get your payment details though.
How? There are two setups, either you book with an agency, which then forwards your data to the airline, or you book directly with an airline. In both cases, you have a more or less fixed amount of data collected, due to legal requirements. But the agency will usually act as a proxy, only forwarding the absolute necessary information, and using some on their own (like form of payment or contacts), often even send replacement-data or their own to the airline.
So it's absolutely true that in certain common setups, the airline is not the one collecting and holding most information. But, this comes with the price that more parties are holding your information.
And agencies are often going through a CRS or even through a middleman to the CRS, not booking directly with the airline, so there is a good chance of a third or even fourth party also holding your information. Though, technically this can also depend on the agency, airline and type of flight. With Charter- and Lowcost-flights it can happen that the agency is going directly to the airline, hacking their way around the airlines' website. But this is getting shoot down in the last years but those airline, and not obvious from the outside.
Oh, and historically speaking, it used to be that agencies were often collecting more personal information than laws demanded, while airlines went with the absolute necessary stuff. So maybe the article was meaning this aspect too.
GitHub PM here. We have tried this, but we weren't able to get results that we were satisfied with. Of course, you have to revisit these things regularly, as the models and wider state of the art are evolving so quickly!
Tim from the GitHub Copilot coding agent product team here!
@artdigital is on the money here. Our quick tip for beginners is to use `copilot-instructions.md` (which we can now generate for you <3), but for more serious use, we'd strongly recommend adding `copilot-setup-steps.yml`.
That gets you a deterministic setup - and for many teams, it'll be easy, as you can just copy and paste from existing Actions workflows.
Our asynchronous coding agent can run Docker in its GitHub Actions-powered development environment - for example it could start a Dockerized web server.
Always was. Its telling that they think that they were not previously subject to EU laws when their EU subsidiary did business with someone located in the EU.
At the moment, we're using Claude 3.7 Sonnet - but we're keeping our options open to experiment with other models and potentially bring in a model picker.
(Source: I'm on the product team for Copilot coding agent.)
I was trying to find information on this on the internet and couldn't find any, thanks for providing. Interestingly enough Copilot coding agent on github.com repeatedly could not complete css changes correctly, when I switched to Agent mode in the project IDE with Claude 3.7 it was able to complete it in one round, so I assumed that there was a different model.
In my experience using Claude Sonnet 3.7 in GitHub Copilot extension in VSCode, the model produced hideously verbose code, completely unnecessary stuff. GPT-4.1 was a breath of fresh air.
We've been including product tips in PRs created by Copilot coding agent. The goal was to help developers learn new ways to use the agent in their workflow. But hearing the feedback here, and on reflection, this was the wrong judgement call. We won't do something like this again.
reply