
fix: auto-inject GHEC tenant domains into firewall allowlist #1316

Merged
lpcox merged 2 commits into main from copilot/fix-api-proxy-token-exchange
Mar 15, 2026

Conversation

Contributor

Copilot AI commented Mar 15, 2026

When GITHUB_SERVER_URL is a GitHub Enterprise Cloud (GHEC) tenant (e.g., https://company.ghe.com), the firewall now automatically adds the tenant domain and its API subdomain to the allowlist so Copilot CLI requests are not blocked.

Root cause: resolveApiTargetsToAllowedDomains() in src/cli.ts only auto-added domains from explicit COPILOT_API_TARGET/ENGINE_API_TARGET env vars, but did not inspect GITHUB_SERVER_URL or GITHUB_API_URL for GHEC tenants.

Fix:

  • Added extractGhecDomainsFromServerUrl(env) that detects *.ghe.com hostnames in GITHUB_SERVER_URL and derives both {tenant}.ghe.com and api.{tenant}.ghe.com
  • Also handles GITHUB_API_URL when it points to a *.ghe.com API endpoint
  • Called from resolveApiTargetsToAllowedDomains() so GHEC domains are automatically allowed alongside any explicit API targets
  • 17 new unit tests covering all edge cases

Note: The api-proxy's deriveCopilotApiTarget() already correctly routes Copilot token exchange requests to api.{tenant}.ghe.com using GITHUB_SERVER_URL — that part was not broken. This PR fixes only the missing firewall allowlist injection.
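As an added example (not the project's code), a self-contained TypeScript version of the derivation the description outlines: read GITHUB_SERVER_URL and GITHUB_API_URL, recognise a *.ghe.com host, and produce the {tenant}.ghe.com / api.{tenant}.ghe.com allowlist pair without duplicates. The function names extractGhecDomains and mergeAllowedDomains, the single-label tenant check and the stripping of an api. prefix are assumptions of this example, not behaviour confirmed by the PR.

```typescript
// Added example (not the project's code): derive firewall allowlist entries
// for a GitHub Enterprise Cloud tenant from GITHUB_SERVER_URL / GITHUB_API_URL.
// A host of company.ghe.com or api.company.ghe.com yields the pair
// company.ghe.com + api.company.ghe.com; anything else yields nothing.

type Env = Record<string, string | undefined>;

const GHEC_SUFFIX = '.ghe.com';

// Return the bare tenant host (e.g. "company.ghe.com") for a GHEC URL, or
// null for github.com, GHES hosts, malformed values and lookalike paths.
function ghecTenantHost(rawUrl: string | undefined): string | null {
  if (!rawUrl) return null;
  let host: string;
  try {
    host = new URL(rawUrl).hostname.toLowerCase(); // hostname, never path/query
  } catch {
    return null; // not a parseable URL
  }
  if (!host.endsWith(GHEC_SUFFIX)) return null;
  // Assumption: an API endpoint host is accepted too and reduced to the tenant.
  if (host.startsWith('api.')) host = host.slice('api.'.length);
  // Assumption: the tenant is exactly one non-empty DNS label (company.ghe.com).
  const tenant = host.slice(0, -GHEC_SUFFIX.length);
  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(tenant)) return null;
  return host;
}

// Collect the allowlist entries for every GHEC host named in the env vars.
function extractGhecDomains(env: Env): string[] {
  const domains: string[] = [];
  for (const name of ['GITHUB_SERVER_URL', 'GITHUB_API_URL']) {
    const host = ghecTenantHost(env[name]);
    if (!host) continue;
    for (const d of [host, `api.${host}`]) {
      if (!domains.includes(d)) domains.push(d); // same tenant from both vars
    }
  }
  return domains;
}

// Merge derived entries into an existing allowlist, keeping order, no repeats.
function mergeAllowedDomains(allowed: string[], extra: string[]): string[] {
  const merged = [...allowed];
  for (const d of extra) if (!merged.includes(d)) merged.push(d);
  return merged;
}
```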

@github-actions
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric      Base     PR       Delta
Lines       85.90%   86.15%   📈 +0.25%
Statements  85.83%   86.08%   📈 +0.25%
Functions   86.07%   86.13%   📈 +0.06%
Branches    79.00%   79.28%   📈 +0.28%

📁 Per-file Coverage Changes (2 files)

File                   Lines (Before → After)    Statements (Before → After)
src/docker-manager.ts  87.4% → 87.9% (+0.49%)    86.8% → 87.2% (+0.46%)
src/cli.ts             59.5% → 61.1% (+1.59%)    60.0% → 61.5% (+1.55%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions
Contributor

🔮 Oracle smoke trace:
PR titles: feat(cli): auto-inject GH_HOST in agent container when GHES detected; fix: wrap placeholders in backticks in smoke-codex.md; fix: auto-inject GHEC tenant domains into firewall allowlist; fix: resolve MD050 markdownlint errors in smoke-codex.md

  1. GitHub MCP merged PR review ✅
  2. safeinputs-gh PR query ❌
  3. Playwright title check ✅
  4. Tavily search ❌
  5. File write ✅
  6. Bash cat readback ✅
  7. Discussion query/comment ❌
  8. npm ci && npm run build ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • ab.chatgpt.com
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "registry.npmjs.org"

See Network Configuration for more information.

@github-actions
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1316

@lpcox lpcox marked this pull request as ready for review March 15, 2026 06:03
@lpcox lpcox requested a review from Mossaka as a code owner March 15, 2026 06:03
Copilot AI review requested due to automatic review settings March 15, 2026 06:03
@lpcox lpcox merged commit 96676b4 into main Mar 15, 2026
58 checks passed
@lpcox lpcox deleted the copilot/fix-api-proxy-token-exchange branch March 15, 2026 06:03
Contributor

Copilot AI left a comment


Pull request overview

Updates the CLI’s firewall allowlist auto-injection so GitHub Enterprise Cloud tenants (*.ghe.com) are automatically permitted based on GITHUB_SERVER_URL / GITHUB_API_URL, preventing Copilot-related requests from being blocked in GHEC environments.

Changes:

  • Added extractGhecDomainsFromServerUrl() to derive GHEC tenant + API subdomain allowlist entries.
  • Integrated GHEC domain auto-injection into resolveApiTargetsToAllowedDomains().
  • Added unit tests covering GHEC extraction and allowlist injection behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File              Description
src/cli.ts        Adds GHEC domain extraction and injects derived domains into the firewall allowlist resolution flow.
src/cli.test.ts   Adds unit tests for GHEC domain extraction and allowlist injection behavior.


Comment on lines +516 to +521
for (const domain of ghecDomains) {
if (!allowedDomains.includes(domain)) {
allowedDomains.push(domain);
}
}
debug(`Auto-added GHEC domains from GITHUB_SERVER_URL/GITHUB_API_URL: ${ghecDomains.join(', ')}`);
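Review bot: the debug call after the loop reports every entry of ghecDomains, including the ones the `includes()` check skipped, so the log claims "Auto-added" for domains that were already in allowedDomains, and it still fires with an empty list when no GHEC domain was derived. Collect the entries that were actually pushed into a separate array, log only those, and skip the message when that array is empty.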
Comment on lines +400 to +403
// GHEC tenant: add the tenant domain and its API subdomain
// e.g., company.ghe.com → company.ghe.com + api.company.ghe.com
domains.push(hostname);
domains.push(`api.${hostname}`);
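Review bot: `api.${hostname}` is prefixed unconditionally, so if a GITHUB_API_URL host such as api.company.ghe.com reaches these lines unchanged the result is api.api.company.ghe.com; unless the caller already reduces the host to the bare tenant, strip a leading `api.` before pushing, and dedupe against `domains` since GITHUB_SERVER_URL and GITHUB_API_URL can name the same tenant. The comment above the two pushes should state that `hostname` is expected to be the bare tenant host.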


Development

Successfully merging this pull request may close these issues.

GHEC: API proxy does not forward GHES token exchange to enterprise Copilot endpoints

3 participants