Skip to content

Document Azure OpenAI BYOK configuration for Copilot workflows#45276

Merged
pelikhan merged 11 commits into
mainfrom
copilot/701202-opanai
Jul 14, 2026
Merged

Document Azure OpenAI BYOK configuration for Copilot workflows#45276
pelikhan merged 11 commits into
mainfrom
copilot/701202-opanai

Conversation

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Azure OpenAI support existed in gh-aw, but the docs did not explain the Azure-specific configuration details that make Copilot BYOK work reliably. In particular, the gap was around engine.env credential placement, /openai/v1 usage, Azure model ID vs deployment name mapping, and proxy behavior when Azure deployments do not match the provider model catalog.

  • Added a dedicated Azure BYOK guide

    • Introduces a focused how-to for Azure OpenAI with Copilot BYOK
    • Covers both API key and Microsoft Entra / GitHub OIDC authentication
    • Documents the required Azure endpoint shape and network allowlist entries
  • Documented Azure model/deployment mapping

    • Clarifies that engine.model / COPILOT_MODEL should track the Azure model ID exposed by /openai/v1/models
    • Explains using COPILOT_PROVIDER_MODEL_ID when the Azure deployment name differs from the model ID sent through the AWF proxy
  • Documented Azure-specific runtime requirements

    • Recommends COPILOT_PROVIDER_WIRE_API: responses for GPT-5 and o-series deployments
    • Adds troubleshooting guidance for proxy-side model not found / HTTP 404 cases
    • Documents sandbox.agent.model-fallback: false as the escape hatch when AWF model fallback rewrites Azure deployment names incorrectly
  • Connected the new guidance from existing docs

    • Added the guide to the docs sidebar
    • Expanded the Engines reference section for Azure Foundry OpenAI with the model/deployment note and a pointer to the new guide

Example configuration:

permissions:
  id-token: write

engine:
  id: copilot
  model: gpt-5.4-2026-03-05
  auth:
    type: github-oidc
    provider: azure
    azure-tenant-id: <tenant-id>
    azure-client-id: <client-id>
  env:
    COPILOT_PROVIDER_BASE_URL: https://RESOURCE.openai.azure.com/openai/v1
    COPILOT_PROVIDER_MODEL_ID: gpt-5.4
    COPILOT_PROVIDER_WIRE_API: responses

sandbox:
  agent:
    id: awf
    model-fallback: false

network:
  allowed:
    - defaults
    - RESOURCE.openai.azure.com
    - login.microsoftonline.com

Generated by 👨‍🍳 PR Sous Chef · 9.9 AIC · ⌖ 5.48 AIC · ⊞ 7.5K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 9.13 AIC · ⌖ 8 AIC · ⊞ 5.1K ·
Comment /souschef to run again

Copilot AI and others added 3 commits July 13, 2026 15:22
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix issue with Azure OpenAI support in Agentic Workflows Document Azure OpenAI BYOK configuration for Copilot workflows Jul 13, 2026
Copilot AI requested a review from pelikhan July 13, 2026 15:31
@pelikhan pelikhan marked this pull request as ready for review July 13, 2026 15:36
Copilot AI review requested due to automatic review settings July 13, 2026 15:36
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

No test files were added or modified in this PR. Test Quality Sentinel skipped.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #45276 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100).

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

⚠️ PR Code Quality Reviewer failed during code quality review.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Azure OpenAI BYOK guidance for Copilot workflows.

Changes:

  • Documents API-key and Microsoft Entra authentication.
  • Explains Azure model/deployment mapping and troubleshooting.
  • Adds navigation and reference links.
Show a summary per file
File Description
docs/src/content/docs/reference/engines.md Adds Azure mapping guidance and guide link.
docs/src/content/docs/guides/azure-openai-byok.md Adds the dedicated Azure BYOK guide.
docs/astro.config.mjs Adds the guide to the sidebar.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 0
  • Review effort level: Medium

@github-actions github-actions Bot mentioned this pull request Jul 13, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The documentation additions look accurate, well-structured, and consistent with the existing smoke workflows. The engines.md changes also fix a missing closing fence on the Entra authentication code block. No actionable issues found.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 19.7 AIC · ⌖ 5.33 AIC · ⊞ 4.8K

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /grill-with-docs — requesting changes on two correctness issues and one clarity issue.

📋 Key Findings

Issues

  1. Missing login.microsoftonline.com (correctness): The API-key section's network allowlist omits this entry, which is required for Entra token exchange. The PR description and the Entra section both include it — the API-key snippet should not.
  2. COPILOT_PROVIDER_WIRE_API placement (clarity): The env var appears silently in auth snippets before its dedicated section explains it. Readers focused on auth will miss the rationale.
  3. Section title "Recompile after frontmatter changes" (clarity): Scope is too narrow — all workflow edits require a recompile, not just frontmatter ones.

Positive Highlights

  • ✅ Clear separation of concerns across sections (auth, model mapping, wire API, troubleshooting)
  • ✅ Consistent use of aw wrap code fences throughout
  • ✅ Good cross-links to related reference docs
  • IMPORTANT callout correctly distinguishes engine.env from top-level secrets:

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 28.2 AIC · ⌖ 4.61 AIC · ⊞ 6.6K
Comment /matt to run again

Comment thread docs/src/content/docs/guides/azure-openai-byok.md
Comment thread docs/src/content/docs/guides/azure-openai-byok.md
Comment thread docs/src/content/docs/guides/azure-openai-byok.md

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔎 Code quality review by PR Code Quality Reviewer · 119 AIC · ⌖ 4.37 AIC · ⊞ 5.4K
Comment /review to run again

Comment thread docs/src/content/docs/guides/azure-openai-byok.md
@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

Copilot AI and others added 2 commits July 13, 2026 16:18
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ename recompile section

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address these unresolved review comments, and rerun checks once finished:

Generated by 👨‍🍳 PR Sous Chef · 9.23 AIC · ⌖ 10.8 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address these unresolved review comments, and rerun checks once finished:

The unresolved thread (r3572072385) flagged a missing COPILOT_PROVIDER_WIRE_API: responses in the Entra example, but the setting is already present at line 98 of azure-openai-byok.md — it was there in the original commit. Replied to the thread to confirm. All other threads were resolved in the previous pass.

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Copilot AI requested a review from gh-aw-bot July 13, 2026 18:21
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address unresolved review feedback, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 9.9 AIC · ⌖ 5.48 AIC · ⊞ 7.5K ·
Comment /souschef to run again

@github-actions

Copy link
Copy Markdown
Contributor

PR Triage (run 29275650494)\n\nCategory: docs | Risk: low | Score: 22/100 | Action: defer\n\nScore: Impact 12/50 + Urgency 4/30 + Quality 6/20\n\nAzure OpenAI BYOK configuration guide. CHANGES_REQUESTED by reviewer. Note: +483K additions is suspicious (likely generated output included). Needs reviewer concerns addressed before progressing.

Generated by 🔧 PR Triage Agent · 181.5 AIC · ⌖ 7.71 AIC · ⊞ 5.6K ·

# Conflicts:
#	.github/workflows/smoke-call-workflow.lock.yml

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address unresolved review feedback, and rerun checks once the branch is up to date.

...

Branch brought up to date with main — merged the recompile commit and resolved the smoke-call-workflow.lock.yml conflict by taking main's version (which matches the source MD's permissions). All review threads remain resolved. Local make fmt and make test-unit pass.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 9.13 AIC · ⌖ 8 AIC · ⊞ 5.1K ·
Comment /souschef to run again

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

...

Branch is up to date. All three merge-ready conditions checked:

  • Reviews — All four review threads are resolved. The unresolved github-actions[bot] thread (r3572072385) flagged a missing COPILOT_PROVIDER_WIRE_API: responses in the Entra example, but the setting was already present (line 98 of azure-openai-byok.md) — confirmed in this pass.
  • Checks (local)make fmt, make lint, make test-unit, make recompile, and make check-workflow-drift all pass. Committed updated smoke-call-workflow.lock.yml (recompile sync from upstream main changes).
  • Mergeable — Branch is open, not draft. Awaiting human CI re-trigger after the agent's push.

CI must be re-triggered by a maintainer (close/reopen PR or workflow_dispatch) before merge.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

pr-sous-chef
@copilot please run the pr-finisher skill, address the remaining unresolved review comment, and rerun checks once the branch is up to date:

Run: https://github.com/github/gh-aw/actions/runs/29280443144

Generated by 👨‍🍳 PR Sous Chef · 7.51 AIC · ⌖ 6.11 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

pr-sous-chef
@copilot please run the pr-finisher skill, address the remaining unresolved review comment, and rerun checks once the branch is up to date:

Thread r3572072385 is now resolved — confirmed via the GitHub API. COPILOT_PROVIDER_WIRE_API: responses is present in the Entra engine.env block (line 97 of azure-openai-byok.md). All four review threads are resolved and local validation passes. Ready for human CI re-trigger and merge.

@pelikhan pelikhan merged commit 4f29898 into main Jul 14, 2026
10 checks passed
@pelikhan pelikhan deleted the copilot/701202-opanai branch July 14, 2026 08:30
@github-actions

Copy link
Copy Markdown
Contributor

Sighthound Security Scan Results (run 29318199981)

126 total findings — 113 in production code, 13 in testdata.

After triage, the majority are false positives:

Finding Type Count Verdict
Command Injection 23 Critical ❌ False positive — Go exec.Command does not invoke a shell
Unsafe Deserialization 54 Medium ❌ False positive — yaml.Unmarshal in Go is not unsafe deserialization
Code Injection 17 Critical ❌ False positive — all eval calls are in test file (add_comment.test.cjs)
ReDoS 2 Medium ❌ False positive — split("\n") and keyboard listeners, not regex

⚠️ Potentially Actionable Findings (22 total)

High — Path Traversal (7)

  • pkg/cli/download_workflow.go:105os.WriteFile(sparseCheckoutFile, ...) using a path variable. Validate/sanitize path input.
  • scripts/changeset.js:137, scripts/generate-agent-factory.js:223,232path.join with external input. Verify inputs are confined to expected directories.

High — DOM-based XSS (2)

  • docs/src/scripts/responsive-tables.ts:11,15 — table header extraction in docs. Confirm no innerHTML with untrusted content.

High — Template Injection (1)

  • docs/public/editor/editor.js:396 — compiler invoked from editor UI. Assess if user-controlled markdown can escape sandbox.

High — SSRF (1)

  • scripts/ensure-docs-slide-pdf.js:110fetch(url) in a script. Confirm URL is hardcoded or validated.

High — Insecure postMessage (1)

  • docs/public/wasm/compiler-worker.js:38 — verify message.source is checked on postMessage listeners.

Medium — Insecure Randomness (5)

  • pkg/cli/pr_helpers.go:39rand.Intn(9000) for PR branch suffix (non-security use, low risk).
  • pkg/cli/forecast_compute.go:168-170 — seeded RNG for forecast computation (intentional, not a security issue).

Recommendation

The scan has a high false-positive rate for this Go codebase. Focus manual review on the Path Traversal finding in download_workflow.go and DOM XSS in docs scripts, as these are the most plausible real issues.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by 🛡️ Sighthound Security Scan for #45276 · 17.5 AIC · ⌖ 5.41 AIC · ⊞ 4.1K ·

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Azure OpenAI isn't supported by Agentic Workflows.

4 participants