fix(cli): exclude GITHUB_API_URL when api-proxy is enabled #1303
On GHES, workflows set GITHUB_API_URL to the GHES API endpoint (e.g., https://api.ghes-host). When api-proxy is enabled, this variable should NOT be passed to the agent container, because Copilot CLI would use it for Copilot API requests, which don't exist on GHES API.

Instead, the agent should use COPILOT_API_URL pointing to the proxy, which correctly routes Copilot API requests to api.enterprise.githubcopilot.com (not the GHES API which lacks Copilot endpoints).

This fix ensures:
- GITHUB_API_URL is excluded from agent env when --enable-api-proxy is set
- COPILOT_API_URL takes precedence for Copilot API routing
- The API proxy's deriveCopilotApiTarget() correctly determines the endpoint

Fixes: github/gh-aw#20875
@claude[agent] fix the pr title and summary
✅ Coverage Check Passed
Overall Coverage
📁 Per-file Coverage Changes (1 files)
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
I don't have permissions to edit the PR directly, but here's the updated PR title and description you can apply:

Title:

Description:

## Summary
Fixes API proxy routing issue on GitHub Enterprise Server (GHES) where Copilot API requests were incorrectly routed to the GHES API instead of the Copilot API.
## Problem
On GHES, workflows pass `GITHUB_API_URL` (e.g., `https://api.ghes-host`) to the agent container. The Copilot CLI was using this environment variable for ALL API requests, including Copilot model/chat requests, which don't exist on the GHES API. This caused immediate failures with:
Error loading models: Error: Failed to list models: 400 Bad Request

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:
Pull request overview
Fixes GHES routing when the API proxy sidecar is enabled by preventing GITHUB_API_URL (GHES REST API base) from being injected into the agent container, so Copilot requests use COPILOT_API_URL via the sidecar instead of being misrouted to GHES.
Changes:
- Conditionally omit `GITHUB_API_URL` from agent container environment when `--enable-api-proxy` is enabled.
- Add integration coverage asserting `GITHUB_API_URL` passthrough behavior differs depending on whether the API proxy is enabled.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/integration/api-proxy.test.ts | Adds integration tests for GITHUB_API_URL passthrough/exclusion behavior with/without API proxy. |
| src/docker-manager.ts | Updates agent env-var pass-through logic to exclude GITHUB_API_URL when API proxy is enabled. |
| expect(result).toSucceed(); | ||
| // GITHUB_API_URL should NOT be set in agent container when api-proxy is enabled | ||
| expect(result.stdout).toContain('GITHUB_API_URL_NOT_SET'); | ||
| // COPILOT_API_URL should point to the proxy instead | ||
| expect(result.stdout).toContain(`COPILOT_API_URL=http://${API_PROXY_IP}:10002`); | ||
| }, 180000); |
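Review bot: the `GITHUB_API_URL_NOT_SET` assertion depends on a sentinel string printed by the test command, which is outside this hunk, so the leak check is only as strong as that command. Consider also asserting the negative directly, for example `expect(result.stdout).not.toContain('GITHUB_API_URL=')`, so a leaked value fails the test even if the sentinel logic changes. The literal `10002` in the `COPILOT_API_URL` expectation would be better taken from a shared port constant next to `API_PROXY_IP`, if one exists, so the test follows the proxy configuration.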
| // When api-proxy is enabled, Copilot CLI must use COPILOT_API_URL (pointing to the proxy) | ||
| // instead of GITHUB_API_URL, because the proxy correctly routes Copilot API requests to | ||
| // api.enterprise.githubcopilot.com (not the GHES API which lacks Copilot endpoints). | ||
| // See: github/gh-aw#20875 | ||
| if (process.env.GITHUB_API_URL && !config.enableApiProxy) environment.GITHUB_API_URL = process.env.GITHUB_API_URL; |
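Review bot: the `!config.enableApiProxy` guard on the last line only gates this one explicit assignment, so any other path that copies host variables into `environment` in bulk can still carry `GITHUB_API_URL` into the agent container. The follow-up commit message on this page reports exactly that for the `--env-all` path; the exclusion should also live in the list that the bulk path consults (`EXCLUDED_ENV_VARS` there) whenever the proxy is enabled. Putting the assignment in a braced block would also make a later duplicate, unconditional assignment easier to notice in review.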
…abled

Regression introduced in commit 9761e87 (PR #1305) re-added an unconditional GITHUB_API_URL assignment that PR #1303 had fixed. Combined with the missing EXCLUDED_ENV_VARS entry for the --env-all code path, GITHUB_API_URL was leaking into the agent container when api-proxy is enabled.

With GITHUB_API_URL present in the agent, the Copilot CLI routes its token exchange to api.github.com/copilot_internal/v2/token using the placeholder COPILOT_GITHUB_TOKEN instead of going through COPILOT_API_URL → api-proxy (which injects the real token), causing a 401 authentication failure.

Fix:
- Add GITHUB_API_URL to EXCLUDED_ENV_VARS when api-proxy is enabled (covers the --env-all path used by build-test.lock.yml)
- Replace the duplicate unconditional assignment with the correct conditional version that was already present below it (from PR #1303)

Tests:
- should not leak GITHUB_API_URL to agent when api-proxy is enabled with envAll
- should pass GITHUB_API_URL to agent when api-proxy is NOT enabled with envAll

See: github/gh-aw#20875
…abled (#1419)

* Initial plan

* fix: exclude GITHUB_API_URL from agent container when api-proxy is enabled

Regression introduced in commit 9761e87 (PR #1305) re-added an unconditional GITHUB_API_URL assignment that PR #1303 had fixed. Combined with the missing EXCLUDED_ENV_VARS entry for the --env-all code path, GITHUB_API_URL was leaking into the agent container when api-proxy is enabled.

With GITHUB_API_URL present in the agent, the Copilot CLI routes its token exchange to api.github.com/copilot_internal/v2/token using the placeholder COPILOT_GITHUB_TOKEN instead of going through COPILOT_API_URL → api-proxy (which injects the real token), causing a 401 authentication failure.

Fix:
- Add GITHUB_API_URL to EXCLUDED_ENV_VARS when api-proxy is enabled (covers the --env-all path used by build-test.lock.yml)
- Replace the duplicate unconditional assignment with the correct conditional version that was already present below it (from PR #1303)

Tests:
- should not leak GITHUB_API_URL to agent when api-proxy is enabled with envAll
- should pass GITHUB_API_URL to agent when api-proxy is NOT enabled with envAll

See: github/gh-aw#20875

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Summary
Fixes API proxy routing issue on GitHub Enterprise Server (GHES) where Copilot API requests were incorrectly routed to the GHES API instead of the Copilot API.
Problem
On GHES, workflows pass `GITHUB_API_URL` (e.g., `https://api.ghes-host`) to the agent container. The Copilot CLI was using this environment variable for ALL API requests, including Copilot model/chat requests, which don't exist on the GHES API. This caused immediate failures with:

Solution
Modified `src/docker-manager.ts` to conditionally exclude `GITHUB_API_URL` from the agent container's environment when the API proxy is enabled (`--enable-api-proxy`).

When API proxy is enabled:
- `GITHUB_API_URL` is excluded from agent environment
- `COPILOT_API_URL` instead (pointing to the API proxy)
- `deriveCopilotApiTarget()` correctly routes Copilot requests to:
  - `api.enterprise.githubcopilot.com`
  - `api.<subdomain>.ghe.com`
  - `api.githubcopilot.com`

Testing
Added integration tests in `tests/integration/api-proxy.test.ts`:
- `GITHUB_API_URL` is excluded when API proxy is enabled
- `COPILOT_API_URL` points to the proxy
- `GITHUB_API_URL` passes through normally when API proxy is disabled
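
The exclusion rule described in this PR, applied to both the explicit assignment and the `--env-all` bulk path that the follow-up commit covers, as an added example that is not the project's `src/docker-manager.ts` code. `AgentEnvConfig`, `buildAgentEnv`, `excludedVars`, `ALWAYS_EXCLUDED` and the sample host environment are hypothetical names and constructed values.

```typescript
// Added illustration; names and sample values are hypothetical and do not
// reproduce src/docker-manager.ts.
type Env = Record<string, string | undefined>;

interface AgentEnvConfig {
  enableApiProxy: boolean;
  envAll: boolean;       // models --env-all: copy the whole host environment
  apiProxyUrl?: string;  // assumed sidecar address, e.g. http://<proxy-ip>:10002
}

// Variables never forwarded in any mode (constructed sample list).
const ALWAYS_EXCLUDED: string[] = ['PATH', 'HOME'];

// One exclusion set consulted by every pass-through path.
function excludedVars(config: AgentEnvConfig): Set<string> {
  const excluded = new Set<string>(ALWAYS_EXCLUDED);
  // With the proxy on, the agent must not see the GHES REST base URL.
  if (config.enableApiProxy) excluded.add('GITHUB_API_URL');
  return excluded;
}

function buildAgentEnv(host: Env, config: AgentEnvConfig): Record<string, string> {
  const excluded = excludedVars(config);
  const env: Record<string, string> = {};
  if (config.envAll) {
    // Bulk path: everything from the host except the exclusion set.
    for (const [name, value] of Object.entries(host)) {
      if (value !== undefined && !excluded.has(name)) env[name] = value;
    }
  } else {
    // Explicit path: forward the URL only when it is not excluded.
    const ghUrl = host['GITHUB_API_URL'];
    if (ghUrl && !excluded.has('GITHUB_API_URL')) env['GITHUB_API_URL'] = ghUrl;
  }
  if (config.enableApiProxy && config.apiProxyUrl) {
    // Copilot traffic goes to the sidecar, which routes it upstream.
    env['COPILOT_API_URL'] = config.apiProxyUrl;
  }
  return env;
}

// Constructed host environment for the demonstration.
const sampleHost: Env = {
  GITHUB_API_URL: 'https://api.ghes-host',
  GITHUB_REPOSITORY: 'example/repo',
  PATH: '/usr/bin',
};
```

Because both paths read the same exclusion set, re-adding an unconditional assignment in one place cannot reintroduce the leak through the other.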