fix: broaden GHES detection for Copilot auth prefix #5076
✅ Coverage Check Passed
Pull request overview
This PR fixes Copilot auth header formatting for GitHub Enterprise Server (GHES) when COPILOT_API_TARGET is overridden to a custom hostname, ensuring the Authorization header uses the required token <value> prefix (instead of Bearer <value>) to avoid 400 errors from GHES Copilot endpoints.
Changes:
- Introduces isGhesInstance(resolvedTarget, env) in copilot-auth.js to detect GHES using both resolved target and GITHUB_SERVER_URL.
- Updates Copilot adapter auth-header selection to rely on isGhesInstance(...) instead of a single hostname equality check.
- Adds/extends unit + integration-style tests covering custom targets combined with GHES vs github.com/GHEC server URLs.

| File | Description |
|---|---|
| containers/api-proxy/server.auth.test.js | Adds test coverage for GHES detection and auth prefix behavior when COPILOT_API_TARGET is custom. |
| containers/api-proxy/providers/copilot.js | Switches enterprise/GHES auth prefix decision to isGhesInstance(...). |
| containers/api-proxy/providers/copilot-auth.js | Adds isGhesInstance(...) helper and exports it for use and testing. |
Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 0
The api-proxy previously only detected GHES when the resolved target was exactly 'api.enterprise.githubcopilot.com'. When COPILOT_API_TARGET is set to a custom hostname (e.g. by older gh-aw versions or custom configurations), the check failed and Bearer was sent instead of token.

Add isGhesInstance() that checks multiple signals with clear priority:
1. AWF_PLATFORM_TYPE=ghes (explicit config, highest priority)
2. Resolved target === api.enterprise.githubcopilot.com
3. GITHUB_SERVER_URL not github.com / *.ghe.com

Add 'platform' section to the AWF stdin config spec and JSON schema with a 'type' field that explicitly declares the deployment environment (github.com, ghes, ghec, ghec-self-hosted). This is forwarded as AWF_PLATFORM_TYPE to the api-proxy container, giving users a definitive way to control auth behavior without relying on heuristic detection.

Fixes #4793

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
dca6cdd to b0e3c61

✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

✅ Smoke Gemini completed. All facets verified. 💎 Smoke test completed with partial failures. Results reported via PR comment.

✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

❌ Contribution Check failed. Please review the logs for details.

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

❌ Security Guard failed. Please review the logs for details.

❌ Smoke Claude failed

🔌 Smoke Services — All services reachable! ✅

✅ Build Test Suite completed successfully!

✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

✅ Smoke Gemini completed. All facets verified. 💎 Smoke test completed. Results: MCP ✅, Connectivity ❌, File Write ✅, Bash ✅. Comment added to PR #5076.

🔌 Smoke Services — All services reachable! ✅

fix: broaden GHES detection for Copilot auth prefix ✅ MCP connectivity Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) Overall: PASS

🔍 Smoke Test Results
PR: fix: broaden GHES detection for Copilot auth prefix
Overall: PASS

@lpcox Smoke Test Results:
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra Overall: PASS

🔭 Smoke Test: API Proxy OpenTelemetry Tracing
All scenarios pass. OTEL tracing integration is fully functional.

Smoke Test: Copilot BYOK (Direct) Mode ✅ PASS
Running in direct BYOK mode via

🔬 Smoke Test — Auth mode: PAT (COPILOT_GITHUB_TOKEN)
Overall: FAIL — pre-computed step outputs were not injected (smoke-data step may not have run). cc @lpcox

Chroot Version Comparison — Smoke Test Results
Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments. The

ECOSYSTEM: Deno

Smoke Test Results
Overall Status: FAIL
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "localhost"
```

See Network Configuration for more information.

Smoke Services: FAIL ❌
Root cause: No GitHub Actions

2296264 to 51f2778

GITHUB_TOKEN-added labels don't trigger other workflows (GitHub's anti-cascade protection). Instead of auto-labeling, ci-gate now posts a comment instructing the PR owner to manually add the 'ready-for-aw' label to trigger agentic CI smoke tests.

Changes:
- Rename label from 'ready-for-ci' to 'ready-for-aw' across all workflows
- ci-gate posts/updates a comment instead of calling issues.addLabels
- Add 'opened' to pull_request trigger types
- Add copilot-pull-request-reviewer[bot] to reviewer Set
- Rename test file to match new label name

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

51f2778 to 246028c

PR #5076 (broaden GHES detection for Copilot auth prefix) introduced the platform.type config field but omitted it from the Section 5 CLI mapping table in docs/awf-config-spec.md. The field is config-only (no CLI flag equivalent) and maps to the AWF_PLATFORM_TYPE environment variable passed to the api-proxy container.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…5110)

PR #5076 (broaden GHES detection for Copilot auth prefix) introduced the platform.type config field but omitted it from the Section 5 CLI mapping table in docs/awf-config-spec.md. The field is config-only (no CLI flag equivalent) and maps to the AWF_PLATFORM_TYPE environment variable passed to the api-proxy container.

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Problem

The api-proxy only detects GHES when the resolved Copilot API target is exactly api.enterprise.githubcopilot.com. However, when COPILOT_API_TARGET is set to a custom hostname (e.g. by older gh-aw versions or internal routing configurations), the check fails and the auth header uses Bearer prefix instead of token — causing 400 errors from GHES Copilot endpoints.

Fix

Add isGhesInstance(resolvedTarget, env) function in copilot-auth.js that uses a two-signal approach:
- api.enterprise.githubcopilot.com (existing behavior)
- GITHUB_SERVER_URL — if it's not github.com or *.ghe.com, treat as GHES

This covers environments where the API target hostname differs from the standard enterprise endpoint.

Tests

Added 10 new test cases:
- isGhesInstance() unit tests (6 cases covering all detection paths)
- COPILOT_API_TARGET + GHES GITHUB_SERVER_URL (4 cases)

All 105 auth tests pass.

Fixes #4793
Related: github/gh-aw#38575
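
The detection order described in this PR, written out as an added example that is not the project's copilot-auth.js. It assumes that any declared AWF_PLATFORM_TYPE other than ghes switches the heuristics off and that an unset or unparseable GITHUB_SERVER_URL means "not GHES"; hostnameOf, isCloudHost and authHeader are hypothetical helper names, and hosts are compared as parsed hostnames so that look-alike names are not mistaken for github.com or *.ghe.com.

```javascript
// Added example (not the project's code): three-signal GHES check and the
// resulting Authorization prefix. Helper names are hypothetical.
const ENTERPRISE_TARGET = 'api.enterprise.githubcopilot.com';

// Accept a URL or a bare hostname; return the lowercase hostname or null.
function hostnameOf(value) {
  if (!value) return null;
  try {
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value) ? value : `https://${value}`;
    return new URL(withScheme).hostname.toLowerCase().replace(/\.$/, '');
  } catch {
    return null;
  }
}

// github.com and tenant hosts under ghe.com are cloud, not GHES. The match is
// on the whole hostname, so "notghe.com" or "github.com.corp.example" fail it.
function isCloudHost(host) {
  return host === 'github.com' || host.endsWith('.ghe.com');
}

function isGhesInstance(resolvedTarget, env = {}) {
  // 1. Explicit configuration has the highest priority.
  const platform = (env.AWF_PLATFORM_TYPE || '').toLowerCase();
  if (platform === 'ghes') return true;
  if (platform) return false; // assumption: another declared type overrides heuristics

  // 2. The standard enterprise Copilot endpoint.
  if (hostnameOf(resolvedTarget) === ENTERPRISE_TARGET) return true;

  // 3. A server URL that is neither github.com nor *.ghe.com.
  const serverHost = hostnameOf(env.GITHUB_SERVER_URL);
  if (serverHost === null) return false; // assumption: no signal means not GHES
  return !isCloudHost(serverHost);
}

// GHES Copilot endpoints expect "token <value>"; everything else gets "Bearer <value>".
function authHeader(tokenValue, resolvedTarget, env) {
  const prefix = isGhesInstance(resolvedTarget, env) ? 'token' : 'Bearer';
  return `${prefix} ${tokenValue}`;
}
```
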