feat: add smoke test for Copilot CLI offline BYOK mode

[lpcox]

Summary

Add a new smoke-copilot-byok workflow that validates the Copilot CLI offline BYOK code path through the AWF api-proxy sidecar.

How it works

1. Workflow-level env sets COPILOT_API_KEY: dummy-byok-key-for-offline-mode — a dummy value that triggers AWF's BYOK detection
2. AWF detects COPILOT_API_KEY is present → sets COPILOT_OFFLINE=true + COPILOT_PROVIDER_BASE_URL pointing to the api-proxy sidecar
3. Api-proxy sidecar gets the real COPILOT_GITHUB_TOKEN and uses it for Authorization: Bearer to api.githubcopilot.com (token resolution: COPILOT_GITHUB_TOKEN || COPILOT_API_KEY)
4. Agent sees only the dummy key placeholder — credential isolation preserved
5. Post-step verifies firewall logs show traffic to api.githubcopilot.com

Key design decisions

• No new secrets — uses the existing COPILOT_GITHUB_TOKEN for real auth; the dummy COPILOT_API_KEY just activates offline mode
• Same API target — targets api.githubcopilot.com (default), not a third-party provider, so the test validates the offline code path without requiring external credentials
• Minimal network — only defaults + github (same domains as regular copilot smoke)

New secrets and actions

• COPILOT_API_KEY: Not a real secret — hardcoded dummy value dummy-byok-key-for-offline-mode in workflow env. Used solely to trigger AWF's BYOK/offline mode detection.
• gh-aw-actions/setup@v0.68.3 (ba90f21): New SHA pin added to actions-lock.json by the compiler.

Files

• .github/workflows/smoke-copilot-byok.md — Workflow source
• .github/workflows/smoke-copilot-byok.lock.yml — Compiled lock file (post-processed for local builds)
• .github/aw/actions-lock.json — Updated action pin

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	85.35%	85.43%	📈 +0.08%
Statements	85.24%	85.33%	📈 +0.09%
Functions	87.96%	87.96%	➡️ +0.00%
Branches	77.95%	78.00%	📈 +0.05%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	86.8% → 87.1% (+0.30%)	86.4% → 86.7% (+0.29%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Adds a new Agentic Workflow smoke test to exercise the Copilot CLI “offline BYOK” code path (dummy COPILOT_API_KEY triggers AWF offline routing through the api-proxy sidecar) and to record results back to PRs via safe outputs.

Changes:

• Added smoke-copilot-byok workflow source defining the BYOK/offline smoke test and post-run validations.
• Added the compiled workflow lock file for the new workflow.
• Updated the action pin lock to include github/gh-aw-actions/setup@v0.68.3.

Show a summary per file

File	Description
.github/workflows/smoke-copilot-byok.md	New BYOK/offline Copilot smoke workflow definition, including post-step validations.
.github/workflows/smoke-copilot-byok.lock.yml	Compiled/locked workflow generated from the .md source.
.github/aw/actions-lock.json	Adds SHA pin entry for github/gh-aw-actions/setup@v0.68.3.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

.github/workflows/smoke-copilot-byok.md:117

• The “BYOK Inference Test” as written is not actually validating that offline/BYOK routing is in effect; the agent being able to respond would also be true in the normal (non-BYOK) path. To make this test meaningful, have the agent explicitly verify runtime signals like COPILOT_OFFLINE=true and COPILOT_PROVIDER_BASE_URL (or equivalent) from within the sandbox, and/or check that the Copilot CLI is configured to use the proxy base URL.

### 3. BYOK Inference Test
You are running in offline BYOK mode right now. The fact that you can read this prompt and respond means the BYOK inference path (agent → api-proxy sidecar → api.githubcopilot.com) is working. Confirm ✅.

• Files reviewed: 3/3 changed files
• Comments generated: 2

[Copilot]

The BYOK traffic verification is non-blocking: if the firewall logs directory is missing, or if no matching traffic is found, this step still exits 0 (it only emits a warning). That means the workflow can report success without actually validating the offline BYOK path. Consider failing the job when logs are missing or when expected Copilot API traffic is not detected (optionally gating only on PR/workflow_dispatch if flakiness is a concern).

This issue also appears on line 116 of the same file.

Suggested change

	if [ -d "$LOGS_DIR" ]; then
	echo "::group::Checking firewall logs for offline BYOK traffic"
	if find "$LOGS_DIR" -name '*.log' -exec grep -l "api.githubcopilot.com" {} + 2>/dev/null; then
	echo "✅ Detected traffic to api.githubcopilot.com via api-proxy (BYOK offline mode)"
	else
	echo "::warning::No traffic to api.githubcopilot.com found in firewall logs"
	fi
	echo "::endgroup::"
	fi
	if [ ! -d "$LOGS_DIR" ]; then
	echo "::error::Firewall logs directory not found: $LOGS_DIR"
	exit 1
	fi
	echo "::group::Checking firewall logs for offline BYOK traffic"
	MATCHING_LOGS="$(find "$LOGS_DIR" -name '*.log' -exec grep -l "api.githubcopilot.com" {} + 2>/dev/null || true)"
	if [ -z "$MATCHING_LOGS" ]; then
	echo "::error::No traffic to api.githubcopilot.com found in firewall logs"
	echo "::endgroup::"
	exit 1
	fi
	printf '%s\n' "$MATCHING_LOGS"
	echo "✅ Detected traffic to api.githubcopilot.com via api-proxy (BYOK offline mode)"
	echo "::endgroup::"

[Copilot]

The firewall log grep is hardcoded to api.githubcopilot.com, but Copilot traffic may legitimately hit other Copilot API hostnames (e.g., enterprise/business/individual endpoints) depending on environment/config. To avoid false negatives (and then passing due to the warning), consider matching against the effective target (e.g., ${COPILOT_API_TARGET} if set) or a broader pattern/set of allowed Copilot API hosts.

Suggested change

	if find "$LOGS_DIR" -name '*.log' -exec grep -l "api.githubcopilot.com" {} + 2>/dev/null; then
	echo "✅ Detected traffic to api.githubcopilot.com via api-proxy (BYOK offline mode)"
	else
	echo "::warning::No traffic to api.githubcopilot.com found in firewall logs"
	TARGET_HOST="${COPILOT_API_TARGET:-}"
	TARGET_HOST="${TARGET_HOST#http://}"
	TARGET_HOST="${TARGET_HOST#https://}"
	TARGET_HOST="${TARGET_HOST%%/*}"
	COPILOT_API_HOST_PATTERN='(^|[[:space:]])(api|enterprise-api|business-api|individual-api)\.githubcopilot\.com([[:space:]]|$)'
	if [ -n "$TARGET_HOST" ]; then
	if find "$LOGS_DIR" -name '*.log' -exec grep -Fl "$TARGET_HOST" {} + 2>/dev/null; then
	echo "✅ Detected traffic to $TARGET_HOST via api-proxy (BYOK offline mode)"
	else
	echo "::warning::No traffic to $TARGET_HOST found in firewall logs"
	fi
	elif find "$LOGS_DIR" -name '*.log' -exec grep -El "$COPILOT_API_HOST_PATTERN" {} + 2>/dev/null; then
	echo "✅ Detected traffic to a Copilot API host via api-proxy (BYOK offline mode)"
	else
	echo "::warning::No traffic to known Copilot API hosts found in firewall logs"

[github-actions]

Smoke Test Results

✅ GitHub MCP — #1995 fix(api-proxy): fix Gemini API_KEY_INVALID with credential isolation | #1991 Activate smoke-opencode workflow via copilot engine workaround
✅ Playwright — github.com title contains "GitHub"
✅ File Write — /tmp/gh-aw/agent/smoke-test-claude-24485332546.txt created
✅ Bash — file content verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🤖 Smoke Test: OpenCode Engine Validation

Test	Result
GitHub MCP (last 2 merged PRs)	✅
• fix(api-proxy): fix Gemini API_KEY_INVALID with credential isolation (#1995)	✅
• Activate smoke-opencode workflow via copilot engine workaround (#1991)	✅
File writing (smoke-test-opencode-24485332561.txt)	✅
Bash verification (cat file)	✅
Build AWF (npm ci && npm run build)	✅

Overall status: PASS

🌐 Transmitted by Smoke OpenCode

[github-actions]

🔍 Smoke Test Results

Test	Status
GitHub API (merged PRs)	✅ PR #1995: "fix(api-proxy): fix Gemini API_KEY_INVALID with credential isolation"
GitHub.com Connectivity	⚠️ Pre-step data unavailable (template vars not substituted)
File Write/Read	⚠️ Pre-step data unavailable (template vars not substituted)

Overall: ⚠️ PARTIAL — GitHub API connectivity confirmed; pre-step smoke-data outputs were not populated.

PR by @lpcox | No assignees

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke test matrix:

• GitHub MCP (last 2 merged PRs): ✅
• safeinputs-gh PR query: ❌
• Playwright (github.com title contains GitHub): ✅
• Tavily search: ❌
• File write/read + bash cat: ✅
• Discussion query + mystical discussion comment: ❌
• Build (npm ci && npm run build): ✅
  PR titles: "fix(api-proxy): fix Gemini API_KEY_INVALID with credential isolation" | "Activate smoke-opencode workflow via copilot engine workaround" | "feat: add smoke test for Copilot CLI offline BYOK mode" | "Mitigate ARG_MAX/E2BIG by rewriting inline prompt expansion to stdin in AWF agent command"
  Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test: GitHub Actions Services Connectivity ✅

All connectivity checks passed:

Check	Command	Result
Redis PING	redis-cli -h host.docker.internal -p 6379 PING	✅ PONG
PostgreSQL ready	pg_isready -h host.docker.internal -p 5432	✅ accepting connections
PostgreSQL query	psql ... -c "SELECT 1"	✅ Returns 1

All GitHub Actions service containers are reachable from the AWF sandbox via host.docker.internal.

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2003 · ● 807.2K · ◷