fix: Allow all models when COPILOT_PROVIDER_BASE_URL is set

[Copilot]

Fixes Copilot CLI + non-Copilot Provider BYOK break introduced in #4588 - when specifying COPILOT_PROVIDER_BASE_URL you SHOULD be able to choose a model even if deprecated.

Note: Alternative implementation could check specifically if COPILOT_PROVIDER_BASE_URL is set to CAPI, but this is arguably unnecessary as COPILOT_PROVIDER_BASE_URL and detecting CAPI url formats is potentially error-prone.

[manamansor]

DONE

[github-actions]

GitHub API: ✅ PASS
GitHub check: ✅ PASS
File verify: ✅ PASS

Total: PASS

💥 [THE END] — Illustrated by Smoke Claude

[Copilot]

Pull request overview

This PR updates CLI config validation to avoid rejecting retired/unsupported COPILOT_MODEL values when the user is routing Copilot through a non-default provider endpoint (via COPILOT_PROVIDER_BASE_URL / model router), restoring compatibility for BYOK/non-CAPI setups.

Changes:

• Skips validateCopilotModel() when a custom Copilot provider base URL is detected, allowing custom/retired model names in that mode.
• Adds a unit test asserting that BYOK + provider base URL allows a custom COPILOT_MODEL value.

Show a summary per file

File	Description
src/commands/validators/config-assembly.ts	Adds detection of custom provider base URL and conditionally bypasses Copilot model retirement validation.
src/commands/validators/config-assembly.test.ts	Adds coverage for allowing custom COPILOT_MODEL when BYOK mode is used with a provider base URL.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 2

[github-actions]

Smoke Test Results — PAT Auth

Test	Status
GitHub MCP (list PRs)	✅
GitHub.com connectivity	✅
File write/read	✅

Overall: PASS · Auth mode: PAT (COPILOT_GITHUB_TOKEN)
Author: @Copilot · Assignees: @zarenner, @Copilot

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

Smoke Test Results: fix: Allow all models when COPILOT_PROVIDER_BASE_URL is set

• GitHub MCP connectivity: ✅
• GitHub.com connectivity: ✅
• File write/read test: ❌
• BYOK inference test: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall status: FAIL

cc @Copilot @zarenner

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• api.openai.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.openai.com"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	✅
File write/read	✅

PR: fix: Allow all models when COPILOT_PROVIDER_BASE_URL is set
Author: @Copilot | Assignees: @zarenner, @Copilot

Overall: PASS 🟢

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

@Copilot @lpcox
• ✅ MCP connectivity (GitHub API)
• ✅ GitHub.com connectivity (HTTP 200/301)
• ✅ File I/O in sandbox
• ✅ Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ No
Node.js	v24.16.0	v22.22.3	❌ No
Go	go1.22.12	go1.22.12	✅ Yes

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Result
Redis PING (host.docker.internal:6379)	❌ Timeout
PostgreSQL pg_isready (host.docker.internal:5432)	❌ No response
PostgreSQL SELECT 1	❌ Timeout

Overall: FAIL

host.docker.internal resolves to 172.17.0.1 but all connections time out. The AWF firewall blocks database/Redis ports (6379, 5432) via iptables rules, preventing the agent container from reaching GitHub Actions service containers on those ports.

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #4660 · 244.1 AIC · ⊞ 33.8K · ◷

[github-actions]

Smoke Test Results: Copilot BYOK (Direct) Mode

✅ GitHub MCP connectivity
✅ GitHub.com connectivity (HTTP 200)
✅ File write/read capability
✅ BYOK inference path (agent → api-proxy → api.githubcopilot.com)

Status: PASS — Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy sidecar

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

• fix: Allow all models when COPILOT_PROVIDER_BASE_URL is set ✅
• fix: propagate config fields to all layers ✅
• ci: remove dind-ubuntu image from release workflow ✅
• Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex