docs: add AWF pipeline environment variable lifecycle reference#2781
…eference Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/7aba1f1b-50c7-49de-89ee-b648994049b7 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Pull request overview
Adds a new unified documentation reference describing how environment variables propagate and are transformed across the gh-aw ↔ AWF execution pipeline, with emphasis on preventing DIFC-proxy–rewritten values from leaking into agent containers.
Changes:
- Introduces `docs/AWF_PIPELINE_ENVIRONMENT_VARIABLES.md` with stage-by-stage env var tables and lifecycle diagram.
- Documents known gaps (e.g., `GITHUB_API_URL`/`GITHUB_GRAPHQL_URL` leakage under `--env-all`, incomplete one-shot token coverage).
- Describes API proxy sidecar split, Copilot API target derivation, and variable precedence.
Comments suppressed due to low confidence (2)
docs/AWF_PIPELINE_ENVIRONMENT_VARIABLES.md:121
- References to `deriveCopilotApiTarget()` in `server.js` (and similarly `extractGhecDomainsFromServerUrl()` in `cli.ts` below) point to files that are not in this repo. Please add a link to the external source (repo + path), or adjust the wording to avoid implying the code is located here.
The `deriveCopilotApiTarget()` function in the API proxy sidecar (`server.js`) resolves the upstream Copilot API endpoint using the following three-tier priority:
docs/AWF_PIPELINE_ENVIRONMENT_VARIABLES.md:287
- Cross-repo references like `gh-aw-firewall#1492`/`gh-aw#23461` may not auto-link from this repo and are ambiguous without an owner. Prefer fully-qualified refs (e.g., `github/gh-aw-firewall#1492`, `github/gh-aw#23461`) or full URLs so readers can click through reliably.
- gh-aw-firewall#1492 — `GH_HOST` proxy passthrough bug
- github/gh-aw-mcpg#1493 — PR implementing `GH_HOST` sanitization
- gh-aw-firewall#1452 — `GH_HOST` auto-injection interaction with `--env-all`
- gh-aw-firewall#1481 — `--env-all` exposing secrets; one-shot token list incomplete
- gh-aw#23461 — User-reported `GH_HOST` breakage
- gh-aw#23092 — Safe outputs env vars not reaching agent container
## 4. AWF Proxy Variables (Agent Container)

AWF's `docker-manager.ts` generates these environment variables for the **agent container** via `docker-compose.yml`.
This doc cites implementation files like docker-manager.ts / docker-compose.yml generation. Those files don’t exist in this repository, so readers can’t trace the source. Consider linking to the AWF repository/path (or explicitly stating the repo + commit/branch) where these files live, to keep the reference actionable.
This issue also appears in the following locations of the same file:
- line 120
- line 282
AWF's `docker-manager.ts` generates these environment variables for the **agent container** via `docker-compose.yml`.
Within the separate AWF service (implemented outside this repository), the `docker-manager.ts` component generates these environment variables for the **agent container** via its `docker-compose.yml` definition.
The environment variable landscape across the gh-aw ↔ AWF pipeline (Actions runner → DIFC proxy → compiler → AWF → agent container) was entirely undocumented as a unified lifecycle, causing repeated production issues where DIFC-rewritten values (e.g. `GH_HOST=localhost:18443`, `GITHUB_API_URL=https://localhost:18443/...`) leaked into agent containers.

Adds `docs/AWF_PIPELINE_ENVIRONMENT_VARIABLES.md` covering:

- `GH_HOST` is sanitized from `GITHUB_SERVER_URL`, and the remaining gap where `GITHUB_API_URL`/`GITHUB_GRAPHQL_URL` may still carry DIFC-rewritten localhost values under `--env-all`
- `COPILOT_API_TARGET` three-tier derivation rules per instance type
- `EXCLUDED_ENV_VARS` — always-excluded base set, `--enable-api-proxy` additions, and variables that are not excluded but require active sanitization
- `GITHUB_MCP_SERVER_TOKEN`, `GH_AW_GITHUB_TOKEN`)
- `--env-all` → `--env-file` → `--env` → post-processing overrides)

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

- example.com, requested by `/tmp/go-build73518018/b334/launcher.test` (dns block)
- invalid-host-that-does-not-exist-12345.com, requested by `/tmp/go-build73518018/b319/config.test` (dns block)
- nonexistent.local, requested by `/tmp/go-build73518018/b334/launcher.test` (dns block)
- slow.example.com, requested by `/tmp/go-build73518018/b334/launcher.test` (dns block)
- this-host-does-not-exist-12345.com, requested by `/tmp/go-build73518018/b343/mcp.test` (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
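The precedence order and the `GH_HOST` sanitization that the PR description above says the new document covers, as an added example written for this page; it is not code from gh-aw, AWF or the documented `docker-manager.ts`. The `assembleAgentEnv` function, the contents of the exclusion lists, the rule that `GH_HOST` is the hostname of `GITHUB_SERVER_URL`, and the sample host environment are all assumptions constructed to illustrate the documented behaviour, including the known gap where `GITHUB_API_URL`/`GITHUB_GRAPHQL_URL` can still carry the DIFC proxy's localhost value under `--env-all`.

```typescript
// Added example, not gh-aw or AWF code. Models env-var assembly for the agent
// container as the PR description lays it out: --env-all is the base,
// --env-file overrides it, --env overrides both, and post-processing
// overrides run last. Function name and list contents are hypothetical.

type Env = { [name: string]: string };

// Constructed always-excluded base set (stand-in for AWF's EXCLUDED_ENV_VARS):
// the proxy-rewritten GH_HOST and the one-shot tokens named in the PR.
const EXCLUDED_ENV_VARS: readonly string[] = [
  "GH_HOST",
  "GITHUB_MCP_SERVER_TOKEN",
  "GH_AW_GITHUB_TOKEN",
];

// Extra exclusions applied only with --enable-api-proxy (constructed).
const API_PROXY_EXCLUDED: readonly string[] = ["COPILOT_API_TARGET"];

interface AssembleOptions {
  envAll: boolean;          // --env-all: copy the whole host environment
  envFile?: Env;            // parsed --env-file contents
  envFlags?: Env;           // --env NAME=VALUE pairs
  enableApiProxy?: boolean; // --enable-api-proxy
}

// Hostname of a URL, or undefined when the value carries no scheme.
function hostnameOf(url: string): string | undefined {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/:?#]+)/i.exec(url);
  return m ? m[1] : undefined;
}

// True for values shaped like the DIFC proxy's localhost rewrite
// (GH_HOST=localhost:18443, GITHUB_API_URL=https://localhost:18443/...).
function looksProxyRewritten(value: string): boolean {
  const host = hostnameOf(value) || value.split(":")[0];
  return host === "localhost" || host === "127.0.0.1";
}

function assembleAgentEnv(hostEnv: Env, opts: AssembleOptions): { env: Env; warnings: string[] } {
  const excluded = EXCLUDED_ENV_VARS.concat(opts.enableApiProxy ? API_PROXY_EXCLUDED : []);
  const env: Env = {};

  // 1. --env-all: lowest precedence, minus the excluded set.
  if (opts.envAll) {
    for (const name of Object.keys(hostEnv)) {
      const v = hostEnv[name];
      if (v !== undefined && excluded.indexOf(name) === -1) env[name] = v;
    }
  }
  // 2. --env-file beats --env-all; 3. --env beats both.
  for (const src of [opts.envFile, opts.envFlags]) {
    if (!src) continue;
    for (const name of Object.keys(src)) {
      const v = src[name];
      if (v !== undefined) env[name] = v;
    }
  }
  // 4. Post-processing override (assumed sanitization rule): GH_HOST is always
  //    the hostname of GITHUB_SERVER_URL, never a passed-through value.
  const serverHost = hostnameOf(hostEnv["GITHUB_SERVER_URL"] || "");
  if (serverHost) env["GH_HOST"] = serverHost;
  else delete env["GH_HOST"];

  // Known gap from the PR: GITHUB_API_URL / GITHUB_GRAPHQL_URL are not excluded,
  // so with --env-all they can still carry the rewritten value. Report it.
  const warnings: string[] = [];
  for (const name of ["GITHUB_API_URL", "GITHUB_GRAPHQL_URL"]) {
    const v = env[name];
    if (v !== undefined && looksProxyRewritten(v)) {
      warnings.push(name + " still points at the DIFC proxy: " + v);
    }
  }
  return { env, warnings };
}

// Constructed host environment as the DIFC proxy leaves it on the runner.
const SAMPLE_HOST_ENV: Env = {
  GITHUB_SERVER_URL: "https://github.com",
  GH_HOST: "localhost:18443",
  GITHUB_API_URL: "https://localhost:18443/api/v3",
  GH_AW_GITHUB_TOKEN: "constructed-one-shot-token",
  CI: "true",
};

// Stand-alone run: --env-all with one --env override.
const result = assembleAgentEnv(SAMPLE_HOST_ENV, { envAll: true, envFlags: { CI: "false" } });
console.log(result.env, result.warnings);
```

With `--env-all` the one-shot token and the proxy-rewritten `GH_HOST` never reach the container, `GH_HOST` comes back as `github.com`, and the `--env` value wins over the host value; the unexcluded `GITHUB_API_URL` still arrives pointing at `localhost:18443`, which is exactly the gap the document calls out, so the function surfaces it as a warning rather than silently passing it along.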