The Week Security Got Runtime Context
This week GitHub shipped something I didn't expect to see this fast: code-to-cloud correlation at GA. Microsoft Defender for Cloud integration is now generally available, connecting your source code to what's actually running in production. That's not just another security dashboard—it's runtime-aware filtering across GitHub Advanced Security alerts.
But the bigger news for most teams is billing. Starting June 1, GitHub Copilot code review will consume Actions minutes from your org's plan. If you've been treating code review as "free" beyond your Copilot subscription, that assumption just expired.
Code-to-Cloud Correlation: What Actually Shipped
The Microsoft Defender integration does something genuinely useful: it correlates container images running in your cloud environments back to the GitHub repos that built them. Defender uses signals like GitHub artifact attestations plus its own runtime intelligence to map deployed workloads to source code.
Once that link exists, you get runtime context on your security alerts. Is this vulnerable dependency actually deployed? Is it internet-exposed? Processing sensitive data? These aren't hypothetical questions anymore—the answers show up as filters in your GitHub Advanced Security alert views:
-
has:deployment— focus on what's actually running -
runtime-risk:internet-exposed— prioritize what attackers can reach -
runtime-risk:sensitive-data— protect what actually matters
This applies across code scanning, Dependabot, and security campaigns. I've written before about how context engineering drives AI productivity—this is context engineering for security teams. The alert noise drops when you can filter by "deployed and exposed" vs "in the codebase somewhere."
The Actions Minutes Reality Check
Late last month GitHub announced what many teams missed: Copilot code review will start consuming GitHub Actions minutes on June 1. This applies to private repos only—public repos stay free—but if you're on Copilot Pro, Business, or Enterprise and running code reviews on private code, your Actions budget just got tighter.
The architecture behind this makes sense: Copilot code review runs on agentic tool-calling infrastructure that executes on GitHub Actions runners. Those runners cost minutes. A typical code review consumes 2-6 Actions minutes; heavy reviews (large diffs, full context) can hit 15 minutes.
What you need to do before June 1:
- Check your current Actions usage in billing settings—do you have headroom?
- Review your spending limits. Set budgets if you haven't already.
- Decide if larger runners or self-hosted runners make sense. Self-hosted runners don't consume Actions minutes from your plan.
- Share this with your billing admin. This isn't a trivial line item if your team merges 50+ PRs a week.
GitHub also reminded everyone that Copilot usage is moving to usage-based billing with AI Credits on June 1. Code review will be billed in two ways: AI Credits for token consumption, plus Actions minutes for the infrastructure. If you're still on an annual plan, model multipliers are changing June 1 as well. The billing preview tools went live in early May—use them.
Cloud Agent Gets 20% Faster (Again)
GitHub squeezed another 20% startup improvement out of Copilot cloud agent last week, thanks to Actions custom images. The agent now spins up faster when you assign it an issue, start a task, or mention @copilot in a PR.
This builds on the 50% improvement shipped in March. The feedback loop between "I need the agent to do this" and "the agent is actually working on it" matters more than most teams realize. If it takes 90 seconds for Copilot to start, developers context-switch. At 20 seconds, they wait. Speed compounds.
The mechanism is straightforward: GitHub prebuilds the runner environment with custom images, cutting down on package installs and dependency downloads. If you're running cloud agent tasks frequently, this adds up fast.
Model Deprecation: GPT-5.2 and GPT-5.2-Codex Exit June 1
GitHub announced that GPT-5.2 and GPT-5.2-Codex are being deprecated across all Copilot experiences on June 1. The exceptions: GPT-5.2-Codex stays available in Copilot Code Review.
Suggested alternatives:
- GPT-5.2 → GPT-5.5 (already GA)
- GPT-5.2-Codex → GPT-5.3-Codex
If you're a Copilot Enterprise admin, check your model policies now. Users need access enabled for the replacement models, or they'll lose access when the cutover happens. No action is required to remove the deprecated models—they'll just disappear from the picker on June 1.
This is part of the broader model rotation GitHub's been doing. GPT-5.5 hit GA last month. The shift toward usage-based billing with model-specific credit multipliers means the model you pick directly affects your bill. Frontier models consume more credits per interaction than lightweight models. If you're burning through your included usage, start routing routine tasks to cheaper models.
The Bottom Line
The Defender for Cloud integration signals where GitHub is heading: security tools that understand what's actually deployed, not just what exists in your repo. That's the kind of context filtering that makes security campaigns actionable instead of aspirational.
But the billing changes are what most teams will feel first. Copilot code review consuming Actions minutes is a real cost increase for orgs with tight Actions budgets. Self-hosted runners or larger runners with custom images might be worth the setup cost if you're running hundreds of reviews a month.
June 1 is shaping up to be a significant transition date: usage-based billing goes live, model deprecations take effect, code review starts charging Actions minutes, and model multipliers change for annual plan holders. If you haven't audited your Copilot usage and Actions consumption yet, this week is the time.
GitHub's making the agent infrastructure faster and more context-aware. But they're also making it clear that agentic workloads aren't free—they're compute, and compute costs money.
Top comments (0)