GHES: Wizard should auto-detect GHES and configure GH_HOST, api-target, and allowed domains

[lpcox]

Problem

gh aw add-wizard does not account for GHES repositories. Multiple steps fail:

1. PR creation targets github.com instead of the GHES instance (filed as add-wizard and add --create-pull-request fail to create PR on GitHub Enterprise Server repositories #20875)
2. engine.api-target is not auto-populated from the GHES API URL
3. Firewall allowed domains do not include the GHES hostname or api.<ghes-host>
4. GH_HOST is not set in the generated workflow, so gh CLI commands target github.com
5. Copilot licensing is not validated — the wizard completes successfully even if Copilot is not enabled on the GHES instance

Proposal

When gh aw add-wizard (or gh aw add) detects a GHES remote:

1. Auto-set GH_HOST for the PR creation step (fix for add-wizard and add --create-pull-request fail to create PR on GitHub Enterprise Server repositories #20875)
2. Auto-populate engine.api-target from the detected GITHUB_API_URL
3. Auto-add the GHES hostname and api.<ghes-host> to the firewall allowed domains in the generated lock file
4. Inject a "Configure gh for GHE" step that sets GH_HOST via GITHUB_ENV early in the workflow
5. Validate Copilot access by testing the token exchange endpoint, and warn if Copilot is not enabled

Workarounds we used

• Used gh aw add (not wizard) + manual gh pr create for PR creation
• Manually added GH_HOST configuration step to the lock file
• Manually added contoso-aw.ghe.com and api.contoso-aw.ghe.com to --allow-domains in TWO places in the lock file (the awf command and GH_AW_ALLOWED_DOMAINS env var)

Related

• add-wizard and add --create-pull-request fail to create PR on GitHub Enterprise Server repositories #20875 — Wizard PR creation fails on GHES
• API proxy routes Copilot model requests to GHES API instead of Copilot API on Enterprise Server gh-aw-firewall#1300 — API proxy routing on GHES