fix: exclude GITHUB_API_URL from agent container when api-proxy is enabled #1419

Merged
lpcox merged 2 commits into fix/claude-api-key-helper-settings-path from copilot/fix-github-actions-workflow-38fc8b79-63fc-4ac2-9b26-ba694fc2fd82
Mar 24, 2026

Copilot AI commented Mar 24, 2026

The Copilot CLI authentication was failing (401) in the build-test workflow when --enable-api-proxy and --env-all were both active. GITHUB_API_URL was leaking into the agent container, causing the CLI to route its token exchange to api.github.com with the placeholder COPILOT_GITHUB_TOKEN rather than through COPILOT_API_URL → api-proxy (which injects the real token).

Root cause

PR #1303 fixed this for the non---env-all path, but commit 9761e87 (PR #1305, "auto-inject GH_HOST") accidentally re-introduced the unconditional GITHUB_API_URL assignment. The --env-all path was never protected at all.

Changes

if (config.enableApiProxy) {
  // ...existing key exclusions...
  EXCLUDED_ENV_VARS.add('GITHUB_API_URL'); // ← new: prevents --env-all from leaking it
}
// later, in the !envAll path:
// (removed unconditional assignment; kept only the conditional one below)
if (process.env.GITHUB_API_URL && !config.enableApiProxy) environment.GITHUB_API_URL = ...;
  • src/docker-manager.test.ts — two new unit tests verifying GITHUB_API_URL is excluded with envAll + api-proxy enabled and passes through when api-proxy is disabled

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh auth status (http block)
    • Triggering command: /usr/bin/gh gh auth status git conf… get --global de/node/bin/bash user.email (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Fix the failing GitHub Actions workflow agent
Analyze the workflow logs, identify the root cause of the failure, and implement a fix.
Job ID: 68420172363
Job URL: https://github.com/github/gh-aw-firewall/actions/runs/23507729062/job/68420172363



…abled

Regression introduced in commit 9761e87 (PR #1305) re-added an unconditional
GITHUB_API_URL assignment that PR #1303 had fixed. Combined with the missing
EXCLUDED_ENV_VARS entry for the --env-all code path, GITHUB_API_URL was leaking
into the agent container when api-proxy is enabled.

With GITHUB_API_URL present in the agent, the Copilot CLI routes its token
exchange to api.github.com/copilot_internal/v2/token using the placeholder
COPILOT_GITHUB_TOKEN instead of going through COPILOT_API_URL → api-proxy
(which injects the real token), causing a 401 authentication failure.

Fix:
- Add GITHUB_API_URL to EXCLUDED_ENV_VARS when api-proxy is enabled (covers
  the --env-all path used by build-test.lock.yml)
- Replace the duplicate unconditional assignment with the correct conditional
  version that was already present below it (from PR #1303)

Tests:
- should not leak GITHUB_API_URL to agent when api-proxy is enabled with envAll
- should pass GITHUB_API_URL to agent when api-proxy is NOT enabled with envAll

See: github/gh-aw#20875
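
The two code paths described in the PR description and commit message above, reduced to a stand-alone sketch with a regression guard. This is an added example, not code from src/docker-manager.ts; `AgentConfig`, `buildAgentEnv`, `proxyBypassVars`, `PROXY_EXCLUDED` and the sample values are hypothetical.

```typescript
// Added illustration; not the project's own code. All names are hypothetical.
interface AgentConfig {
  enableApiProxy: boolean;
  envAll: boolean;
}

// Names that must not reach the agent when api-proxy is enabled:
// real credentials, plus variables that route the CLI around the proxy.
const PROXY_EXCLUDED = ['CLAUDE_API_KEY', 'GITHUB_API_URL'];

function buildAgentEnv(
  hostEnv: Record<string, string | undefined>,
  config: AgentConfig,
): Record<string, string> {
  const excluded = new Set<string>(config.enableApiProxy ? PROXY_EXCLUDED : []);
  const env: Record<string, string> = {};
  const apiUrl = hostEnv.GITHUB_API_URL;

  if (config.envAll) {
    // --env-all path: everything is copied unless it is in the exclusion set.
    for (const [name, value] of Object.entries(hostEnv)) {
      if (value !== undefined && !excluded.has(name)) env[name] = value;
    }
  } else if (apiUrl && !config.enableApiProxy) {
    // Selective path: forward GITHUB_API_URL only when the proxy is off.
    env.GITHUB_API_URL = apiUrl;
  }

  if (config.enableApiProxy) {
    // The agent only ever sees a placeholder; the proxy injects the real token.
    env.COPILOT_GITHUB_TOKEN = 'placeholder-token'; // constructed value
  }
  return env;
}

// Regression guard: names in the final agent env that would bypass the proxy.
function proxyBypassVars(env: Record<string, string>, config: AgentConfig): string[] {
  return config.enableApiProxy ? PROXY_EXCLUDED.filter((name) => name in env) : [];
}

// Constructed host environment for the example.
const sampleHostEnv = {
  GITHUB_API_URL: 'https://api.github.com',
  CLAUDE_API_KEY: 'constructed-secret',
  PATH: '/usr/bin',
};
```

Running `proxyBypassVars` on the final environment for every combination of the two flags catches a reintroduced unconditional assignment regardless of which path added it.
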
Copilot AI changed the title [WIP] Fix the failing GitHub Actions workflow agent fix: exclude GITHUB_API_URL from agent container when api-proxy is enabled Mar 24, 2026
Copilot AI requested a review from lpcox March 24, 2026 20:13
@lpcox lpcox marked this pull request as ready for review March 24, 2026 20:17
@lpcox lpcox requested a review from Mossaka as a code owner March 24, 2026 20:17
Copilot AI review requested due to automatic review settings March 24, 2026 20:17
@lpcox lpcox merged commit 5a56789 into fix/claude-api-key-helper-settings-path Mar 24, 2026
@lpcox lpcox deleted the copilot/fix-github-actions-workflow-38fc8b79-63fc-4ac2-9b26-ba694fc2fd82 branch March 24, 2026 20:17

Copilot AI left a comment

Pull request overview

Fixes Copilot CLI authentication failures when running with --enable-api-proxy and --env-all by preventing GITHUB_API_URL from being passed into the agent container (which can cause token exchange to bypass the api-proxy and fail with 401).

Changes:

  • Exclude GITHUB_API_URL from the agent environment when api-proxy is enabled (closing the --env-all leak path).
  • Remove the reintroduced unconditional GITHUB_API_URL assignment and consolidate to the conditional !config.enableApiProxy behavior.
  • Add unit tests covering GITHUB_API_URL behavior with envAll when api-proxy is enabled vs disabled.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/docker-manager.ts | Excludes GITHUB_API_URL under api-proxy and consolidates conditional env propagation. |
| src/docker-manager.test.ts | Adds unit tests to ensure GITHUB_API_URL is excluded with envAll + api-proxy and passes through otherwise. |
Comments suppressed due to low confidence (2)

src/docker-manager.ts:463

  • The added comment references github/gh-aw#20875, but the rest of this repo tends to reference issues as gh-aw-firewall issue #... or a full GitHub URL (e.g., in src/squid-config.ts). Consider updating this to a consistent, resolvable reference (full URL and correct repo), especially if github/gh-aw isn’t publicly accessible to readers of this codebase.
    // GITHUB_API_URL must be excluded so the Copilot CLI routes ALL requests (including
    // token exchange) through COPILOT_API_URL → api-proxy, not directly to api.github.com.
    // If GITHUB_API_URL is present, the CLI may call api.github.com/copilot_internal/v2/token
    // with the placeholder COPILOT_GITHUB_TOKEN (bypassing the api-proxy injection), causing 401.
    // See: github/gh-aw#20875
    EXCLUDED_ENV_VARS.add('GITHUB_API_URL');

src/docker-manager.ts:600

  • Same as above: the inline reference github/gh-aw#20875 is inconsistent with other issue references in this repo (often gh-aw-firewall issue #... or a full URL). Consider switching to a consistent, resolvable reference format here as well.
    // GITHUB_API_URL — only pass when api-proxy is NOT enabled.
    // On GHES, workflows set GITHUB_API_URL to the GHES API endpoint (e.g., https://api.ghes-host).
    // When api-proxy is enabled, Copilot CLI must use COPILOT_API_URL (pointing to the proxy)
    // instead of GITHUB_API_URL, because the proxy correctly routes Copilot API requests to
    // api.enterprise.githubcopilot.com (not the GHES API which lacks Copilot endpoints).
    // GITHUB_API_URL is also excluded via EXCLUDED_ENV_VARS for the --env-all path.
    // See: github/gh-aw#20875
    if (process.env.GITHUB_API_URL && !config.enableApiProxy) environment.GITHUB_API_URL = process.env.GITHUB_API_URL;


Comment on lines 456 to +460
EXCLUDED_ENV_VARS.add('CLAUDE_API_KEY');
// COPILOT_GITHUB_TOKEN gets a placeholder (not excluded), protected by one-shot-token
// GITHUB_API_URL must be excluded so the Copilot CLI routes ALL requests (including
// token exchange) through COPILOT_API_URL → api-proxy, not directly to api.github.com.
// If GITHUB_API_URL is present, the CLI may call api.github.com/copilot_internal/v2/token
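
Review bot: Missing from the comment added after EXCLUDED_ENV_VARS.add('CLAUDE_API_KEY'); is that this set is an exact-name denylist, so under --env-all any other variable that steers the CLI away from COPILOT_API_URL would still reach the agent. Suggest one more comment line saying that such variables must be added here by name, given that PR #1305 reintroduced the GITHUB_API_URL assignment without anyone noticing. A blank comment line between the COPILOT_GITHUB_TOKEN placeholder note and the GITHUB_API_URL rationale would also keep the two from reading as one paragraph.
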
Copilot AI Mar 24, 2026

The enableApiProxy exclusion list is described as excluding “API keys”, but it now also excludes GITHUB_API_URL for routing/behavior reasons. Consider tweaking the nearby comment to reflect that this block excludes both sensitive credentials and env vars that would interfere with api-proxy routing.

This issue also appears in the following locations of the same file:

  • line 458
  • line 593

// When api-proxy is enabled, GITHUB_API_URL must be excluded so the Copilot CLI
// routes token exchange through COPILOT_API_URL → api-proxy (not directly to api.github.com
// with the placeholder COPILOT_GITHUB_TOKEN, which would cause a 401).
// See: github/gh-aw#20875
Copilot AI Mar 24, 2026

Test comment references github/gh-aw#20875, which doesn’t match the issue-link style used elsewhere in this repo (often gh-aw-firewall issue #... or a full URL). Consider updating to a consistent, resolvable link so future readers can easily find the context.

Suggested change
// See: github/gh-aw#20875
// See: https://github.com/github/gh-aw/issues/20875
