GitHub's Copilot Code Review just admitted what the data already said

GitHub shipped three changes to Copilot Code Review on June 2: Agent Skills, MCP server connections, and a Medium analysis tier. Each one is GitHub admitting something specific about the previous version.

What shipped#

Agent Skills. Teams now create a .github/skills/code-review/SKILL.md file in the repo. Copilot Code Review reads it on every PR and applies the team's naming conventions, architecture rules, and security patterns. The mechanism is a checked-in markdown file that Copilot treats as ground truth.

MCP server connections. Once configured, Copilot Code Review pulls context directly into the review from third-party platforms and internal systems, including issue trackers, documentation, service catalogs, and incident tooling.

Medium tier. A new analysis tier routes pull requests to a higher-reasoning model for "deeper analysis of complex logic, security-sensitive code, and cross-service changes." GitHub's stated reason: the standard tier produced too many false positives and missed subtle bugs.

All three are in public preview for Pro, Pro+, Business, and Enterprise subscribers.

What each change admits#

The existence of Agent Skills admits that generic AI review without team context produces output your team will ignore. SKILL.md is the patch for a tool that flagged style without knowing the style.

MCP integration admits that the PR diff is not enough signal. A reviewer needs the issue that motivated the change, the runbook that documents the service, and the postmortem that explained the last incident. The original Copilot Code Review tried to reason about a 200-line diff with none of that. The new version reads from the same systems a human reviewer would consult.

Medium tier admits that the default reviewer was insufficient on the categories that matter most: security and cross-service logic. Routing those PRs to a different model is GitHub's response to its own product missing things.

The circular blind spot#

Copilot Code Review is from the same model family that wrote the PR it is reviewing. When a developer ships a hardcoded secret using Copilot Chat, the chance Copilot Code Review flags that secret on the PR is structurally lower than an independent reviewer's chance. The model has already internalized "this pattern is acceptable" because it produced the pattern.

Agent Skills does not solve this. SKILL.md tells the reviewer what to look for. It does not tell the reviewer that its own training data is the source of the problem.

MCP does not solve this either. Pulling in incident reports gives the reviewer richer context. It does not change which model is doing the reading.

The Medium tier moves to a higher-reasoning model from the same family. The blind spot persists at lower probability.

The only structural fix is a reviewer trained or configured independently of the author. Independence in this context is not a marketing word. It is a property of which weights produced the diff and which weights are reading it.

What this changes for engineering teams this week#

SKILL.md is now a checked-in artifact in your repository. It carries instructions the reviewer will follow. Treat it the way you treat CI configuration: code review the changes, restrict who can edit it, version it explicitly.

MCP-connected reviewers can pull from systems that contain customer data and credentials. Confirm what the configured MCP servers expose before turning the integration on. The default in GitHub's docs assumes a permissive environment.

The Medium tier costs more compute per review. Tracking which PR categories trigger it will surface where the standard tier is silently undershooting.

For PRs that pass Copilot Code Review and still ship with issues, the remaining gap is independence. A review by a different model family on the same diff catches a class of failure that same-family review cannot see.

Hyrax handles every PR, every commit, from a model independent of the editor that produced the change. More on the review-the-reviewer problem is at hyrax.dev.