Document Azure OpenAI BYOK configuration for Copilot workflows#45276
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
✅ Test Quality Sentinel completed test quality analysis. No test files were added or modified in this PR. Test Quality Sentinel skipped. |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #45276 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100). |
|
|
There was a problem hiding this comment.
Pull request overview
Adds Azure OpenAI BYOK guidance for Copilot workflows.
Changes:
- Documents API-key and Microsoft Entra authentication.
- Explains Azure model/deployment mapping and troubleshooting.
- Adds navigation and reference links.
Show a summary per file
| File | Description |
|---|---|
docs/src/content/docs/reference/engines.md |
Adds Azure mapping guidance and guide link. |
docs/src/content/docs/guides/azure-openai-byok.md |
Adds the dedicated Azure BYOK guide. |
docs/astro.config.mjs |
Adds the guide to the sidebar. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 0
- Review effort level: Medium
There was a problem hiding this comment.
The documentation additions look accurate, well-structured, and consistent with the existing smoke workflows. The engines.md changes also fix a missing closing fence on the Entra authentication code block. No actionable issues found.
🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 19.7 AIC · ⌖ 5.33 AIC · ⊞ 4.8K
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /grill-with-docs — requesting changes on two correctness issues and one clarity issue.
📋 Key Findings
Issues
- Missing
login.microsoftonline.com(correctness): The API-key section's network allowlist omits this entry, which is required for Entra token exchange. The PR description and the Entra section both include it — the API-key snippet should not. COPILOT_PROVIDER_WIRE_APIplacement (clarity): The env var appears silently in auth snippets before its dedicated section explains it. Readers focused on auth will miss the rationale.- Section title "Recompile after frontmatter changes" (clarity): Scope is too narrow — all workflow edits require a recompile, not just frontmatter ones.
Positive Highlights
- ✅ Clear separation of concerns across sections (auth, model mapping, wire API, troubleshooting)
- ✅ Consistent use of
aw wrapcode fences throughout - ✅ Good cross-links to related reference docs
- ✅
IMPORTANTcallout correctly distinguishesengine.envfrom top-levelsecrets:
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 28.2 AIC · ⌖ 4.61 AIC · ⊞ 6.6K
Comment /matt to run again
There was a problem hiding this comment.
🔎 Code quality review by PR Code Quality Reviewer · 119 AIC · ⌖ 4.37 AIC · ⊞ 5.4K
Comment /review to run again
|
@copilot run pr-finisher skill |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ename recompile section Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
@copilot please run the
|
The unresolved thread ( |
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
|
@copilot please run the
|
PR Triage (run 29275650494)\n\nCategory: docs | Risk: low | Score: 22/100 | Action: defer\n\nScore: Impact 12/50 + Urgency 4/30 + Quality 6/20\n\nAzure OpenAI BYOK configuration guide. CHANGES_REQUESTED by reviewer. Note: +483K additions is suspicious (likely generated output included). Needs reviewer concerns addressed before progressing.
|
# Conflicts: # .github/workflows/smoke-call-workflow.lock.yml Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Branch brought up to date with |
|
@copilot please run the
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Branch is up to date. All three merge-ready conditions checked:
CI must be re-triggered by a maintainer (close/reopen PR or |
|
Run: https://github.com/github/gh-aw/actions/runs/29280443144
|
Thread |
Sighthound Security Scan Results (run 29318199981)126 total findings — 113 in production code, 13 in testdata. After triage, the majority are false positives:
|
Azure OpenAI support existed in
gh-aw, but the docs did not explain the Azure-specific configuration details that make Copilot BYOK work reliably. In particular, the gap was aroundengine.envcredential placement,/openai/v1usage, Azure model ID vs deployment name mapping, and proxy behavior when Azure deployments do not match the provider model catalog.Added a dedicated Azure BYOK guide
Documented Azure model/deployment mapping
engine.model/COPILOT_MODELshould track the Azure model ID exposed by/openai/v1/modelsCOPILOT_PROVIDER_MODEL_IDwhen the Azure deployment name differs from the model ID sent through the AWF proxyDocumented Azure-specific runtime requirements
COPILOT_PROVIDER_WIRE_API: responsesfor GPT-5 and o-series deploymentsmodel not found/ HTTP 404 casessandbox.agent.model-fallback: falseas the escape hatch when AWF model fallback rewrites Azure deployment names incorrectlyConnected the new guidance from existing docs
Example configuration: