Suggested Guidelines for Using GitHub Copilot in Technical Work

Abstract

This document outlines suggested guidelines for using GitHub Copilot, ensuring best-practice tips meant to improve efficiency and quality of your technical work.

Purpose and Principles

GitHub Copilot is a powerful tool that can accelerate development, help you explore solutions, and reduce repetitive coding tasks. However, it works best when you know how to communicate effectively with it and when you maintain critical judgment about its suggestions.

This document provides suggested guidelines (not mandatory protocols) for using Copilot more effectively. These tips are designed to help you:

1. Get better results faster — learn how to prompt Copilot effectively so you spend less time iterating.
2. Maintain code quality — understand how to verify, refine, and improve Copilot’s suggestions.
3. Work securely — avoid accidentally sharing sensitive data or introducing security risks.
4. Build reusable workflows — create prompt patterns you can share with teammates and reuse across projects.
5. Stay in control — use Copilot as an assistant, not a replacement for your engineering judgment.

These guidelines complement the mandatory protocols outlined in the Copilot Protocols document. While protocols define what you must do for code reviews and formal tasks, these guidelines help you work more efficiently day-to-day.

We will suggest some prompts to apply this guidelines but feel free to modified them as needed to fit your specific context and projects.

Where the suggested Prompt Files Live

The shared prompts are stored in the repository GPID-WB/copilot-prompts. The prompt files for these guidelines are in the folder guidelines/.

prompts/
gpid-guide-complete-prompt.prompt.md

To include these prompts in your IDE, you can clone the repository and then import the relevant prompt files into your Copilot setup. See the installation instructions: One-Time Installation (Per Developer). Make sure to add the guidelines/ subfolder, as well as the protocols/ subfolder.

Tip

Think of these guidelines as best practices that will save you time and help you get the most value from Copilot without compromising quality or security.

---

Prompt engineering

One of the most important skills to develop when using Githup Copilot, or any other AI agent, is to know how to prompt. Github provides some guidelines on Prompt engineering for Github Copilot Chat, but here are the main points to take into consideration:

• Start general and then specific
• Provide examples
• Break complex tasks into simpler tasks
• Reread your prompt and avoid ambiguity
• Indicate relevant code (select a file or highlight the specific piece of code)
  
• Experiment and iterate until you find a useful answer
• Keep history relevant and delete requests that are not longer relevant

The Do’s and Don’ts when prompting

Useful action verbs / short commands (with example sentences):

• Analyze — “Analyze this function and list potential edge cases.”
• Explain — “Explain what this block of code does in plain language.”
• Refactor — “Refactor this function for readability and add comments.”
• Test — “Write unit tests for this function covering typical and edge cases.”
• Summarize — “Summarize the responsibilities of each module in one paragraph.”
• Optimize — “Optimize this loop for performance and explain changes.”
• Validate — “Validate input handling and add defensive checks.”
• Suggest — “Suggest alternative implementations that reduce memory usage.”
• Document — “Add Roxygen2-style documentation for these functions.”
• Critique — “Critique this code and point out risks or unclear logic.”

Best prompt structure (brief):

1. Context: state which files, functions, or data the agent should consider.
2. Task: give a clear action using a verb (from the list above).
3. Constraints: list any requirements or restrictions (style, libraries, performance).
4. Examples/output: show a small input/output example or the desired format for the answer.

NoteExample

Context: file utils.R (functions read_data, clean_data). Task: Write unit tests for clean_data. Constraints: use testthat, cover edge cases for NA and invalid types. Output: provide test code only.

What to avoid when creating prompts:

• Vague or ambiguous instructions (avoid “fix this” without context).
• Overloading a single prompt with many unrelated tasks.
• Including sensitive data (secrets, passwords, personal data).
• Assuming the agent knows private or internal project details not provided in the prompt.
• Requests that rely on unstated external state (unspecified files, databases, or services).

Note on links and security: be cautious when including or following external links in prompts or Copilot responses—links may expose or lead to insecure resources and can present a security risk.

Prompt suggested:

/gpid-guide-complete-prompt

Latest GPID prompt file

Notegpid-guide-complete-prompt

You are an expert coding assistant. For all tasks, make sure you have the necessary context and information. If any of the following are not provided, ask for them before proceeding.

• Context: {FILES_OR_SNIPPET}.
• Task: {SHORT_ACTION_VERB + target}.
• Constraints: {LIBRARIES, STYLE, PERFORMANCE, ETC.}.
• Example I/O: {GIVEN_INPUT => EXPECTED_OUTPUT}.

And provide the following case example:

“Context: file utils.R (read_data, clean_data). Task:”Write unit tests for clean_data”. Constraints: use testthat, cover NA and invalid types. Example I/O: “input: a vector with NA => expect: handled gracefully”.

If the user says to continue without the missing information, proceed with best-effort assumptions.

Security Considerations for Prompts

When creating prompts, follow these guidelines to protect organizational data and avoid security risks:

Never include sensitive data: - Avoid pasting credentials, API keys, passwords, tokens, or authentication secrets. - Do not include personally identifiable information (PII) or confidential business data. - Exclude proprietary algorithms or internal business logic.

Sanitize code before sharing: - Remove or redact hardcoded secrets, connection strings, or environment variables. - Replace real identifiers with placeholders (e.g., <DB_NAME>, <API_ENDPOINT>). - Avoid exposing internal directory structures, server names, or infrastructure details.

Verify external resources: - Do not blindly follow or execute code from links provided by Copilot. - Validate suggested packages, libraries, or URLs against trusted sources before installation. - Be aware that suggested resources may be outdated, compromised, or malicious.

Review generated code: - Check for security vulnerabilities (SQL injection, command injection, unsafe file operations). - Verify that code follows secure coding practices (input validation, error handling, least privilege).

Keep context minimal: - Only provide the minimum code/context necessary to answer your question. - Follow the organization’s data classification and handling policies.

Prompt suggested:

/gpid-guide-security

Latest GPID prompt file

Notegpid-guide-security

You are a security-aware reviewer. Before using any provided context, ask the user to confirm that all sensitive data has been removed or redacted.

Before acting, prompt the user: “Please confirm that you have removed credentials, API keys, tokens, passwords, PII, and other private information. Reply ‘yes’ to continue or upload a redacted version.”

Under no circumstances should you ever output or recreate secrets, credentials, or other sensitive information. If a user asks to recover or reveal secrets, refuse and explain why.

When code or links are provided:

• Do not execute external code or follow links automatically.
• Validate suggested packages/URLs conceptually and warn about untrusted or outdated sources.
• Flag potentially unsafe operations (e.g., file deletions, system calls, eval/exec, unescaped SQL) and request explicit confirmation before providing or modifying code that performs them.

If the user explicitly asks you to proceed without redaction, proceed only after emitting a clear security warning and listing the risks; then follow the user’s instruction but continue to avoid exposing secrets or recommending insecure actions.

Short checklist for the assistant (perform before acting):

1. Confirm user redaction: request explicit confirmation (“Reply ‘yes’ to continue”) or an uploaded redacted version.
2. Scan provided context for obvious secrets/placeholders (API keys, tokens, passwords, connection strings) and flag them with examples.
3. Refuse to reveal secrets or to run/execute external code or links.
4. Require explicit confirmation before producing or modifying code that performs unsafe operations (file deletions, system calls, eval/exec, unescaped SQL).
5. Record the user’s confirmation and any residual risks or caveats before proceeding.

Reusable prompts

Same as the prompt above, you can create useful reusable prompts that can help you save time and can also be shared with team members. For example, you can make the prompts from the Protocol section as a reusable prompts. VSCode gives a good explanation of how these can created in its Copilot Tips and Tricks.

Premium vs Standard AI models

GitHub Copilot offers access to both standard models (included in your subscription) and premium models (Anthropic Claude, Google Gemini, OpenAI o1, and others). Premium models (Claude Sonnet, GPT-4.1, Gemini Pro, o1) typically require additional credits or higher subscription tiers, while standard models (GPT-5 mini, Claude Haiku) are included in base subscriptions. Choosing the right model for each task balances capability, cost, speed, and operational constraints.

Note: Model availability depends on your GitHub Copilot subscription tier and may change over time. Check your IDE’s model selector for current options.

Empirical findings from model comparisons

This subsection presents model comparison results from GitHub’s documentation and Posit’s evaluation of LLMs for R code generation, providing evidence-based guidance on model selection.

GitHub Copilot model comparison findings

GitHub’s comparison of AI models provides task-specific recommendations based on real-world developer workflows:

• GPT-5 mini: Optimized for speed and cost-efficiency. Best for simple, repetitive tasks like filtering data, adding docstrings, or generating utility code. Delivers fast, low-latency responses ideal for real-time suggestions and lightweight development. Use when task logic is straightforward and depth is unnecessary.

• GPT-4.1: General-purpose model suited for common development tasks requiring broad knowledge and fast iteration. Effective for standard code understanding, quick refactoring, and basic explanations. Good balance of speed and capability for everyday coding.

• GPT-5.2: Supports image input, making it ideal for tasks requiring visual context—analyzing UML diagrams, reviewing UI screenshots, interpreting wireframes, or debugging layout issues. Use when visual assets inform the coding task.

• Claude Haiku 4.5: Cost-efficient model for everyday coding support including documentation, boilerplate scaffolding, and test generation. Performs well on tasks requiring multi-step reasoning within moderate complexity bounds. Recommended when operating under budget constraints but still needing solid performance on routine tasks.

• Claude Sonnet 4.5: Excels at complex, multi-file workflows and architectural planning. Well-suited for modernizing legacy code, cross-language translation (e.g., COBOL to Node.js), and tasks spanning multiple components. Handles long context well and provides deeper, step-by-step reasoning for intricate problems. Use for full software development lifecycle tasks from design to optimization.

Key takeaway: Match model capability to task complexity. Use faster, cheaper models (GPT-5 mini, GPT-4.1) for routine work; switch to premium models (Claude Sonnet 4.5, GPT-5.2) when context, reasoning depth, or specialized capabilities (visual input, multi-file synthesis) are required.

Practical implications for R users:

As of August 2025, Posit’s evaluation of large language models for R code quality provides domain-specific insights for data science workflows. Their benchmarking evaluated multiple models (including Claude, GPT, Gemini, and open-source alternatives) on R-specific tasks. General takeaways include:

• When generating R code, prefer models with demonstrated R proficiency. Check the Posit blog post for updated rankings or consult vendor documentation.
• Always specify style preferences (base R vs. tidyverse), required packages, and statistical assumptions explicitly in prompts.
• Use premium models (Claude Sonnet 4.5, GPT-4.1, Gemini Pro) for complex statistical workflows such as causal inference, Bayesian modeling, or survey analysis where reasoning depth and domain knowledge matter.
• Use standard models (GPT-5 mini, Claude Haiku 4.5, lighter open-source models) for routine data manipulation, simple visualizations, or well-established patterns like reading CSV files or basic dplyr operations.
• Validate all generated R code through testing, peer review, and reproducibility checks regardless of model choice.

General guidance on model selection

Based on the empirical findings above, follow this workflow to choose the right model for your task:

Practical workflow

1. Start with standard models (GPT-5 mini, Claude Haiku 4.5) for initial prototyping, exploration, and routine tasks. This keeps costs low and iteration fast.
2. Switch to premium models (Claude Sonnet 4.5, GPT-4.1, Gemini Pro) when tasks require high accuracy, long context, complex reasoning, or when standard model iterations fail or take too long.
3. For R and data science workflows: Start with standard models for exploratory data analysis, simple transformations, and quick prototypes. Switch to premium models for complex statistical reasoning, multi-step analysis pipelines, or tasks requiring deep understanding of statistical methodology.
4. For general software development: Use standard models (GPT-5 mini, Claude Haiku) for routine coding, GPT-4.1 for general-purpose tasks, GPT-5.2 for visual tasks, and Claude Sonnet for complex multi-file refactoring or architectural work.
5. Use premium models for final synthesis on high-stakes deliverables: polishing policy documents, validating complex pipelines, or generating production-ready code with rigorous error handling.
6. Document your choice: Note which model you used and why in your prompt record (see “Document prompts used for key tasks”) to support reproducibility, cost tracking, and post-hoc analysis of output quality.

Trade-offs and constraints

• Cost: Premium models are 5-20x more expensive per request. Reserve them for tasks where reduced iteration time or higher quality justifies the cost.
• Latency: Premium models may have higher response times (2-10 seconds vs. <1 second). For interactive workflows, this can slow rapid iteration.
• Data governance: Verify provider contracts and data handling policies before sending sensitive data. Some premium offerings include enterprise contracts with stronger confidentiality protections—use those for proprietary or sensitive work.
• Availability and rate limits: Premium models may have different quotas, API limits, or integration requirements. Confirm operational constraints before committing to them in automated pipelines.

Example prompts by model category

• Premium: “Design an analysis pipeline that reads microdata from five countries, harmonizes variable definitions, implements a difference-in-differences estimator with sensitivity analysis, generates reproducible R code with unit tests, and drafts a two-page summary of findings for a policy note.” (Complex, multi-step, high-stakes.)
• Standard: “Write a helper function that converts country codes from ISO2 to ISO3 format using the countrycode package.” (Simple, low-risk, single-file.)
• Premium: “Review this 800-line poverty estimation script, identify edge cases that could cause incorrect poverty headcount calculations, and suggest defensive checks.” (Long context, high correctness requirement.)
• Standard: “Add Roxygen2 documentation to these three short utility functions.” (Routine, low-stakes, well-defined.)

Interaction with GitHub Copilot

First Ask, then Agent: map and agree the solution before making changes

Before asking Copilot to modify code (Agent mode), first use the Ask option to explore and agree a solution for the general task. Have Copilot propose a design and refine it until you and the agent share the same approach — this helps avoid unnecessary edits and keeps reviews small.

NoteExamples of Ask prompts

• “What functions would be needed to implement this feature?”
• “How would these functions interact? Describe the workflow or provide a brief diagram.”
• “For each new function, give a short summary: objective, inputs, outputs, and dependencies.”
• “What modifications to existing functions are required? List changes and rationale.”

Once the design is mapped and agreed, switch to Agent mode and request the specific code changes. You can iterate on alternatives and trade-offs in Ask mode before implementing. This workflow reduces code churn and the amount of code you must inspect.

Provide Feedback to Improve Future Suggestions

GitHub Copilot learns from your feedback to improve the quality and relevance of future suggestions. Providing feedback helps the AI agent understand what works well and what doesn’t.

How to give feedback:

• Use thumbs up/down buttons on suggestions or responses when available in the Copilot interface.
• Explicitly tell Copilot when a response is helpful or unhelpful (e.g., “This solution works well” or “This approach doesn’t fit our requirements”).
• If a suggestion is incorrect or incomplete, explain why and ask for a revised version with specific corrections.
• Accept or reject inline code suggestions to signal which patterns align with your codebase.

Why feedback is important:

• Helps Copilot adapt to your coding style, preferred libraries, and project conventions over time.
• Improves the accuracy of future suggestions for similar tasks.
• Signals to the model which responses are most useful, contributing to better performance.
• Saves time by reducing iterations needed to get the right answer.

Providing clear, specific feedback (rather than just rejecting suggestions) yields the best results for improving Copilot’s future responses.

Document prompts used for key tasks

When using Github Copilot to work on tasks that will need revision by team members, a good idea will be to record the key characteristics of prompts you used. At minimum, ask Github Copilot to capture:

• The context provided (if any): files, code snippets, or system state included with the prompt (what the agent “saw”).
• The Agent instruction: the explicit task or role you asked the agent to perform (for example, “write a unit test”, “refactor this function for readability”, or “explain this algorithm”).

Other useful prompt characteristics to document:

• Input data examples (small sample inputs and expected outputs).
• Any constraints or hard requirements (performance limits, libraries to use, coding style).
• Time or version metadata (date, version of Copilot/IDE/plugins if known).

Why this helps: keeping a short record of the prompts and their context makes it easier to reproduce results, re-run or refine prompts, and debug situations where generated code fails or causes errors. These notes become especially valuable during future development when tracking regressions or when onboarding colleagues who must understand the original intent.

Prompt suggested:

/gpid-guide-document-task

Latest GPID prompt file

Notegpid-guide-document-task

You are a reporter/recorder assisting with development logging. Required inputs:

• TASK_NAME (short string)
• TASK_DESCRIPTION or ORIGINAL_PROMPT (text used to request the work)
• CONTEXT (files, snippets, sample input — include file paths)
• PREVIOUS_LOG (optional — full text of an earlier log to continue)
• REDACTION_CONFIRMED (optional flag: "yes" if user has already redacted sensitive data)

Security & redaction (required first step)

1. If REDACTION_CONFIRMED is missing or not "yes", ask: “Please confirm that you have removed credentials, API keys, tokens, passwords, PII, and other private information. Reply ‘yes’ to continue or upload a redacted version.”
2. If the provided context looks like it contains secrets or connection strings, stop and request a redacted version. Do not proceed until user confirms.
3. Never output or recreate secrets.

Logging behaviour (start immediately after redaction is confirmed)

• If PREVIOUS_LOG is provided: integrate it as the authoritative history and append new entries. Do not overwrite past entries; annotate any corrections with a short note and timestamp.
• If PREVIOUS_LOG is not provided: create a new append-only log.

Log entry format (use for every incremental update)

• Header: LOG | TASK_NAME | entry: N | date: YYYY-MM-DDTHH:MM:SSZ
• Context: list file paths used and short excerpt (1-3 lines)
• Agent Instruction: a short summary of the prompt/instruction (1-2 sentences). Include the full prompt in a fenced block only for the first log entry or when the user sets INCLUDE_FULL_PROMPT: yes or explicitly requests it.
• Actions Taken: bullet list of steps performed since last entry
• Outcome summary: 1 paragraph summarizing results and current status
• Artifacts / Files changed: suggested paths and brief diff summary
• Next steps: short list of recommended next actions (requires user agreement before saving)
• Where to store (suggested): copilot_logs/TASK_NAME.md (or alternative path)

Operational rules

• Always include the current log entry number (N), incrementing from the last entry in PREVIOUS_LOG (start at 1 for new logs).
• Keep each entry concise and timestamped (use ISO 8601).
• When modifying code or files, list only the file paths changed (no code snippets or diffs).
• Ask clarifying questions when the task or context is ambiguous before proceeding.

Resume & continue commands (how the user controls the assistant)

• To append progress: user provides new CONTEXT or instructions; assistant creates the next LOG entry and returns it.
• To request a draft file for review: user sends GENERATE DRAFT FILE — assistant returns the assembled file content and suggested path (not saved).
• To finalize the task and return the log-ready file: user sends FINALIZE or RETURN FINAL FILE — assistant:
  1. Proposes next steps and asks: “Do you agree with these next steps? Reply ‘yes’ to continue or provide your preferred steps.”
  2. After user confirms, asks: “Do you want to add any other items to the todo list for this log entry? Reply ‘yes’ with your items or ‘no’ to skip.”
  3. Before saving, asks: “Do you want to save the following todo items/next steps in the log? [list items]”. Wait for user confirmation (“yes” or edited list).
  4. After confirmation, compiles the full log and any final artifact into a single markdown/text file.
  5. Includes a header with TASK_NAME, TASK_DESCRIPTION, start and end dates, and a changelog.
  6. Returns content ready for file inclusion and a suggested storage path (e.g., copilot_logs/TASK_NAME.md).

Example minimal log entry (for illustration):

LOG | Data-Cleanup | entry: 2 | date: 2026-01-05T14:28:00Z

Context:
- `R/clean_data.R` (excerpt: `clean_data <- function(df) { df |> ... }`)

Agent Instruction (summary):
Refactor `clean_data` to handle NA and factor levels; include unit tests. (Full prompt included in entry 1 or on request.)

Actions Taken:
- Added NA-handling to `clean_data`
- Wrote 4 `testthat` unit tests in `tests/test-clean_data.R`

Outcome summary:
- `clean_data` now handles NA and unexpected types; tests pass locally (4/4). Minor edge-case for empty inputs remains.

Artifacts / Files changed:
- `R/clean_data.R`
- `tests/test-clean_data.R`

Next steps:
- Review edge-case for empty inputs
- Run full package checks

Where to store:
- `copilot_logs/Data-Cleanup.md`

Return format

• For every assistant response that appends the log, return only the new log entry text (ready to paste into the log file) and a one-line suggested storage path.
• On FINALIZE, return the full assembled file content (complete log + artifacts summary) ready for inclusion in copilot_logs/.

End of prompt.

Other resources

• GitHub Copilot in your IDE
• Github Copilot best practices
• Github Copilot tips and tricks in Vscode
• Mastering Github Copilot Chat