feat: forward OIDC env vars into agent container #1796

Merged: lpcox merged 2 commits into main from copilot/awf-fix-oidc-env-vars-forwarding on Apr 8, 2026

Copilot AI commented Apr 8, 2026

MCP servers with auth.type: 'github-oidc' fail inside the AWF agent container because ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are not in the default env var allowlist. Only --env-all would pick them up.

Changes

  • src/docker-manager.ts: Forward both OIDC variables in the default (non---env-all) env forwarding block, conditional on presence — same pattern as GITHUB_TOKEN, GITHUB_SERVER_URL, etc.
  • src/docker-manager.test.ts: Three tests covering forwarding when present and omission when absent.

```ts
// GitHub Actions OIDC — required for MCP servers with auth.type: 'github-oidc'
if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) environment.ACTIONS_ID_TOKEN_REQUEST_URL = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
if (process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) environment.ACTIONS_ID_TOKEN_REQUEST_TOKEN = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
```

No domain allowlist changes needed — callers using OIDC must already have token.actions.githubusercontent.com in --allow-domains.
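
An added example, not code from this PR or from the AWF project: an allowlist-style environment builder in the pattern the description above outlines, with log redaction for the request token, which is a bearer credential. The function names, the shortened allowlist, the simplified `--env-all` handling and the rule that the OIDC pair is forwarded only as a unit are assumptions of this example.

```typescript
// Added example; names are hypothetical, not taken from src/docker-manager.ts.
type Env = Record<string, string | undefined>;

// Individually forwarded variables (only the two the PR description names).
const DEFAULT_ALLOWLIST = ["GITHUB_TOKEN", "GITHUB_SERVER_URL"];
// The request URL is an endpoint; the request token is a bearer credential for it.
const OIDC_PAIR = ["ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"];
// Values that must be masked before an environment is written to logs.
const SECRET_NAMES = ["GITHUB_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"];

function buildAgentEnv(host: Env, envAll: boolean = false): Record<string, string> {
  const out: Record<string, string> = {};
  if (envAll) {
    // Simplified stand-in for --env-all: every non-empty host variable passes.
    for (const name of Object.keys(host)) {
      const value = host[name];
      if (value) out[name] = value;
    }
    return out;
  }
  for (const name of DEFAULT_ALLOWLIST) {
    const value = host[name];
    if (value) out[name] = value; // forwarded only when present and non-empty
  }
  // Assumption: stricter than the PR, which checks each variable on its own.
  // A token without its URL is unusable, so the pair is forwarded as a unit.
  if (OIDC_PAIR.every((name) => Boolean(host[name]))) {
    for (const name of OIDC_PAIR) out[name] = host[name] as string;
  }
  return out;
}

function redactForLog(env: Record<string, string>): Record<string, string> {
  const shown: Record<string, string> = {};
  for (const name of Object.keys(env)) {
    shown[name] = SECRET_NAMES.indexOf(name) >= 0 ? "***" : env[name];
  }
  return shown;
}

// Constructed host environment; every value is a placeholder.
const SAMPLE_HOST: Env = {
  GITHUB_TOKEN: "constructed-github-token",
  GITHUB_SERVER_URL: "https://github.com",
  ACTIONS_ID_TOKEN_REQUEST_URL: "https://oidc.example.invalid/token",
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: "constructed-request-token",
  AWS_SECRET_ACCESS_KEY: "constructed-unrelated-secret",
};
```

With `SAMPLE_HOST`, the default path forwards the four allowlisted variables and leaves the unrelated cloud secret on the host, while `redactForLog` keeps both token values out of any debug output.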

Copilot AI changed the title from "[WIP] Fix OIDC environment vars forwarding in docker-manager" to "feat: forward OIDC env vars into agent container" Apr 8, 2026
Copilot finished work on behalf of lpcox April 8, 2026 14:58
Copilot AI requested a review from lpcox April 8, 2026 14:58
@lpcox lpcox marked this pull request as ready for review April 8, 2026 15:44
@lpcox lpcox requested a review from Mossaka as a code owner April 8, 2026 15:44
Copilot AI review requested due to automatic review settings April 8, 2026 15:44

Copilot AI left a comment

Pull request overview

This PR fixes GitHub Actions OIDC-based authentication inside the AWF agent container by forwarding the Actions OIDC environment variables in the default (non---env-all) env passthrough logic.

Changes:

  • Forward ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN into the agent container when present.
  • Add unit tests to verify both variables are forwarded when set and omitted when absent.

Summary per file

| File | Description |
| --- | --- |
| src/docker-manager.ts | Adds conditional forwarding for GitHub Actions OIDC env vars in the default env passthrough block. |
| src/docker-manager.test.ts | Adds tests covering OIDC env var forwarding/omission behavior. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0

github-actions Bot commented Apr 8, 2026

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 86.21% | 86.32% | 📈 +0.11% |
| Statements | 86.09% | 86.20% | 📈 +0.11% |
| Functions | 87.45% | 87.45% | ➡️ +0.00% |
| Branches | 78.81% | 78.90% | 📈 +0.09% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/docker-manager.ts | 86.5% → 86.9% (+0.40%) | 86.1% → 86.5% (+0.42%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

github-actions Bot commented Apr 8, 2026

Smoke Test Results

GitHub MCP: fix: add retry logic to apt-get upgrade in agent Dockerfile (#1781), fix: share mcpg network namespace to fix TLS hostname verification (#1778)
Playwright: github.com title contains "GitHub"
File Write: /tmp/gh-aw/agent/smoke-test-claude-24142200186.txt created
Bash: File verified via cat

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

github-actions Bot commented Apr 8, 2026

Smoke Test: GitHub Actions Services Connectivity

| Check | Result |
| --- | --- |
| Redis PING (host.docker.internal:6379) | +PONG |
| PostgreSQL ready (pg_isready) | ✅ accepting connections |
| PostgreSQL SELECT 1 (smoketest db) | ✅ returned 1 |

All checks passed. (redis-cli was unavailable; Redis verified via raw socket with nc.)

🔌 Service connectivity validated by Smoke Services

github-actions Bot commented Apr 8, 2026

Chroot Runtime Version Comparison

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | |
| Node.js | v24.14.1 | v20.20.2 | |
| Go | go1.22.12 | go1.22.12 | |

Result: FAILED — Python and Node.js versions differ between host and chroot environment. Go matches. The smoke-chroot label was not applied.

Tested by Smoke Chroot

github-actions Bot commented Apr 8, 2026

Smoke Test Results (Codex)

  • PR titles: "fix: share mcpg network namespace to fix TLS hostname verification"; "fix: add retry logic to apt-get upgrade in agent Dockerfile"
  • GitHub MCP last 2 merged PRs: ✅
  • safeinputs-gh PR query: ❌
  • Playwright github.com title check: ❌
  • Tavily search: ❌
  • File write + cat verify: ✅
  • Discussion interaction + mystical oracle comment: ❌
  • AWF build (npm ci && npm run build): ✅

Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

github-actions Bot commented Apr 8, 2026

🤖 Smoke Test Results — PASS

| Test | Result |
| --- | --- |
| GitHub MCP (list PRs) | |
| GitHub.com HTTP | ✅ 200 |
| File write/read | |

PR: feat: forward OIDC env vars into agent container
Author: @Copilot | Assignees: @lpcox, @Copilot

📰 BREAKING: Report filed by Smoke Copilot

@github-actions github-actions Bot mentioned this pull request Apr 8, 2026
@lpcox lpcox merged commit 8956001 into main Apr 8, 2026
69 of 71 checks passed
@lpcox lpcox deleted the copilot/awf-fix-oidc-env-vars-forwarding branch April 8, 2026 16:17