feat(cli): auto-populate GHES firewall domains from engine.api-target #1306
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
@claude[agent] fix the pr title and summary
✅ Coverage Check Passed
Updated PR description with detailed checklist of changes. The PR title should be automatically updated by the report_progress tool, but if not, the suggested title is: "feat(cli): auto-populate GHES firewall domains from engine.api-target"

This PR implements automatic domain whitelisting for GitHub Enterprise Server when ENGINE_API_TARGET is set, addressing issue #1300.

Warning: Firewall rules blocked me from connecting to one or more addresses.
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
Pull request overview
This PR adds automatic GHES (GitHub Enterprise Server) domain population for the firewall allowlist when the ENGINE_API_TARGET environment variable is set. This eliminates the need for manual domain configuration in agentic workflows running on GHES.
Changes:
- Added `extractGhesDomainsFromEngineApiTarget()` function that parses `ENGINE_API_TARGET` to extract GHES and Copilot API domains, and integrated it into `resolveApiTargetsToAllowedDomains()`
- Added comprehensive unit tests (5 for extraction, 3 for integration with resolve function) and 10 integration tests
- Updated enterprise configuration documentation with auto-population feature details and examples
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| `src/cli.ts` | New `extractGhesDomainsFromEngineApiTarget()` function and its integration into `resolveApiTargetsToAllowedDomains()` to auto-add GHES + Copilot domains |
| `src/cli.test.ts` | Unit tests for the new extraction function and GHES-aware domain resolution |
| `tests/integration/ghes-auto-populate.test.ts` | End-to-end integration tests covering various GHES auto-population scenarios |
| `docs/enterprise-configuration.md` | Documentation for the new auto-population feature with examples |
| for (const domain of ghesDomains) { | ||
| if (!allowedDomains.includes(domain)) { | ||
| allowedDomains.push(domain); | ||
| } | ||
| } | ||
| debug(`Auto-added GHES domains from engine.api-target: ${ghesDomains.join(', ')}`); |
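Review bot: The `debug(...)` line after the loop reports every entry of `ghesDomains` as "Auto-added", including the ones the `includes` check just skipped because they were already in `allowedDomains`. This is the only record in this hunk that the firewall allowlist was widened from an environment variable, so collect the domains that were actually pushed and log those, and consider a level operators see by default rather than `debug`.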
| export function extractGhesDomainsFromEngineApiTarget( | ||
| env: Record<string, string | undefined> = process.env | ||
| ): string[] { | ||
| const engineApiTarget = env['ENGINE_API_TARGET']; | ||
| if (!engineApiTarget) { | ||
| return []; | ||
| } | ||
|
|
||
| const domains: string[] = []; | ||
|
|
||
| try { | ||
| // Parse the engine.api-target URL (e.g., https://api.github.mycompany.com) | ||
| const url = new URL(engineApiTarget); | ||
| const hostname = url.hostname; | ||
|
|
||
| // Extract the base GHES domain from api.github.<ghes-domain> | ||
| // For example: api.github.mycompany.com → github.mycompany.com | ||
| if (hostname.startsWith('api.')) { | ||
| const baseDomain = hostname.substring(4); // Remove 'api.' prefix | ||
| domains.push(baseDomain); | ||
| domains.push(hostname); // Also add the api subdomain itself | ||
| } else { | ||
| // If it doesn't start with 'api.', just add the hostname | ||
| domains.push(hostname); | ||
| } | ||
|
|
||
| // Add Copilot API domains (needed even on GHES since Copilot models run in GitHub's cloud) | ||
| domains.push('api.githubcopilot.com'); | ||
| domains.push('api.enterprise.githubcopilot.com'); | ||
| domains.push('telemetry.enterprise.githubcopilot.com'); | ||
| } catch { | ||
| // Invalid URL format - skip GHES domain extraction | ||
| return []; | ||
| } | ||
|
|
||
| return domains; |
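Review bot: In the `startsWith('api.')` branch, any host beginning with `api.` gets its parent domain added to the allowlist, not only the `api.github.<ghes-domain>` shape the comment describes, so `https://api.example.com` would allow `example.com` as well. `new URL()` also accepts non-https schemes, and a URL with an empty hostname (a `file:` URL, for instance) falls into the `else` branch and pushes an empty string. Suggest checking `url.protocol === 'https:'` and a non-empty hostname before pushing anything, deriving the base domain only when the host matches the documented pattern, and logging a warning in the `catch` instead of returning `[]` silently.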
|
|
||
| ### Auto-Population for GitHub Agentic Workflows | ||
|
|
||
| **New in v0.24.0:** When running agentic workflows with `engine.api-target` set (via the `ENGINE_API_TARGET` environment variable), AWF automatically adds GHES domains to the firewall allowlist. You no longer need to manually specify these domains in `--allow-domains` or `GH_AW_ALLOWED_DOMAINS`. |
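Review bot: The "New in v0.24.0" paragraph says AWF adds "GHES domains" but does not name what gets allowed. Per `extractGhesDomainsFromEngineApiTarget()` that is the target hostname, its parent domain when the host starts with `api.`, and three `githubcopilot.com` hosts that sit outside the GHES instance. List the exact entries next to this paragraph so operators reviewing egress rules know what setting `ENGINE_API_TARGET` opens.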
| it('should handle non-api.* hostnames', () => { | ||
| const env = { ENGINE_API_TARGET: 'https://github.mycompany.com' }; | ||
| const domains = extractGhesDomainsFromEngineApiTarget(env); | ||
| expect(domains).toContain('github.mycompany.com'); | ||
| expect(domains).toContain('api.githubcopilot.com'); | ||
| expect(domains).toContain('api.enterprise.githubcopilot.com'); | ||
| expect(domains).toContain('telemetry.enterprise.githubcopilot.com'); | ||
| }); |
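Review bot: The assertions in this test use only `toContain`, so it still passes if the function returns extra domains for a non-`api.` host. For an allowlist the exact set matters: assert it with `expect(domains).toEqual([...])` over the four expected entries, or add `expect(domains).toHaveLength(4)`, and add a case for a non-https `ENGINE_API_TARGET`.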
Automatically adds GitHub Enterprise Server (GHES) domains to the firewall allowlist when the `ENGINE_API_TARGET` environment variable is set, eliminating the need for manual domain configuration in agentic workflows.

Changes Made

- `extractGhesDomainsFromEngineApiTarget()` function that parses the `ENGINE_API_TARGET` URL and extracts the base GHES domain and API subdomain
- `resolveApiTargetsToAllowedDomains()` to automatically add extracted GHES domains to the allowlist
- `api.githubcopilot.com`, `api.enterprise.githubcopilot.com`, `telemetry.enterprise.githubcopilot.com`) even on GHES, since Copilot models run in GitHub's cloud
- `docs/enterprise-configuration.md` with examples and explanations of the auto-population feature

Testing

The implementation ensures GHES users no longer need to manually specify domains in two places (`--allow-domains` and `GH_AW_ALLOWED_DOMAINS`), reducing configuration complexity and potential errors.
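
A stricter take on the extraction this PR describes, as an added example that is not the PR's or the project's code: it accepts only https URLs with a DNS hostname and derives the base domain only for the `api.github.<ghes-domain>` shape. `strictGhesDomains`, `DNS_NAME` and the sample hostnames are assumptions made for illustration.

```typescript
// Added example; strictGhesDomains and DNS_NAME are hypothetical names, not the PR's code.
const COPILOT_DOMAINS: string[] = [
  'api.githubcopilot.com',
  'api.enterprise.githubcopilot.com',
  'telemetry.enterprise.githubcopilot.com',
];

// Lowercase DNS name with at least two labels and an alphabetic TLD.
// Rejects empty hosts, single-label names, IPv4 and bracketed IPv6 literals.
const DNS_NAME = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

function strictGhesDomains(target: string | undefined): string[] {
  if (!target) return [];
  let url: URL;
  try {
    url = new URL(target);
  } catch {
    return []; // not parseable as a URL
  }
  // The value widens an egress allowlist, so accept only plain https URLs.
  if (url.protocol !== 'https:' || url.username !== '' || url.password !== '') {
    return [];
  }
  const host = url.hostname.toLowerCase();
  if (!DNS_NAME.test(host)) return [];

  const domains: string[] = [host];
  // Derive the base domain only for the documented api.github.<ghes-domain> shape,
  // not for every host that happens to start with "api.".
  if (host.startsWith('api.github.')) {
    domains.push(host.slice('api.'.length));
  }
  for (const d of COPILOT_DOMAINS) {
    if (!domains.includes(d)) domains.push(d);
  }
  return domains;
}

// Constructed sample inputs.
for (const t of ['https://api.github.mycompany.com', 'https://api.example.com', 'http://github.mycompany.com']) {
  console.log(t, '=>', strictGhesDomains(t));
}
```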