Description
Problem
When engine.api-target is set in the workflow frontmatter (e.g., api-target: "api.acme.ghe.com" for a GHES instance), the compiler correctly passes this value to the --copilot-api-target flag on the awf command. However, it does not add the GHES hostname or API domain to the firewall allowed domains lists.
This means every GHES user must manually edit the compiled .lock.yml file to add their GHES domains in two places:
- The `--allow-domains` flag on the `awf` command
- The `GH_AW_ALLOWED_DOMAINS` environment variable
These manual edits get wiped out on every recompile (e.g., when upgrading from v0.58.1 to v0.59.0), requiring the user to re-apply the same changes each time.
Reproduction
- Set `engine.api-target: "api.acme.ghe.com"` in a workflow `.md` file
- Run `gh aw compile`
- Inspect the generated `.lock.yml`:
  - `--copilot-api-target api.acme.ghe.com` ✅ present
  - `--allow-domains` list ❌ does NOT contain `acme.ghe.com` or `api.acme.ghe.com`
  - `GH_AW_ALLOWED_DOMAINS` ❌ does NOT contain `acme.ghe.com` or `api.acme.ghe.com`
- The firewall blocks requests to the GHES API on the first run
Proposed Solution
When engine.api-target is set, the compiler should automatically:
- Parse the hostname from the `api-target` value (e.g., `api.acme.ghe.com` → base hostname `acme.ghe.com`)
- Add both domains to `--allow-domains`: the API domain (`api.acme.ghe.com`) and the base hostname (`acme.ghe.com`)
- Add both domains to `GH_AW_ALLOWED_DOMAINS` to keep the two lists in sync
- Apply this to all `--allow-domains`/`GH_AW_ALLOWED_DOMAINS` occurrences in the lock file (there are multiple — the main agent job, the threat detection job, and the collect output step)
This would make GHES workflows work out of the box without manual lock file edits that get lost on recompile.
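The derivation step proposed above, written out as an added Go example (not code from gh-aw or gh-aw-firewall). It assumes the allow list is a comma-separated string, which is the hypothetical format used here for both `--allow-domains` and `GH_AW_ALLOWED_DOMAINS`; the function and variable names are this example's own. It also accepts a full URL for `api-target`, not only the bare host shown in the issue, so the same helper covers both spellings.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ghesFirewallDomains derives the firewall domains implied by an
// engine.api-target value. It accepts a bare host ("api.acme.ghe.com",
// optionally with a port) or a URL ("https://api.acme.ghe.com/v3") and
// returns the API host plus the base hostname with a leading "api." label
// removed. The second value is false when no host can be extracted, so the
// caller can fail compilation instead of emitting an incomplete allow list.
func ghesFirewallDomains(apiTarget string) ([]string, bool) {
	host := strings.TrimSpace(apiTarget)
	if host == "" {
		return nil, false
	}
	if strings.Contains(host, "://") {
		u, err := url.Parse(host)
		if err != nil || u.Hostname() == "" {
			return nil, false
		}
		host = u.Hostname()
	} else {
		// Bare host: drop any trailing path and port.
		host = strings.SplitN(host, "/", 2)[0]
		if h, _, found := strings.Cut(host, ":"); found {
			host = h
		}
	}
	host = strings.ToLower(host)
	if host == "" {
		return nil, false
	}
	domains := []string{host}
	// Only strip "api." when a real parent domain remains (api.acme.ghe.com -> acme.ghe.com).
	if base, ok := strings.CutPrefix(host, "api."); ok && strings.Contains(base, ".") {
		domains = append(domains, base)
	}
	return domains, true
}

// mergeAllowedDomains appends extra domains to an existing comma-separated
// allow list (assumed format), de-duplicating while preserving order. Applying
// it to every --allow-domains / GH_AW_ALLOWED_DOMAINS occurrence keeps the
// lists in sync on each recompile, which is the point of the proposal.
func mergeAllowedDomains(existing string, extra []string) string {
	seen := map[string]bool{}
	var out []string
	add := func(d string) {
		d = strings.TrimSpace(d)
		if d == "" || seen[d] {
			return
		}
		seen[d] = true
		out = append(out, d)
	}
	for _, d := range strings.Split(existing, ",") {
		add(d)
	}
	for _, d := range extra {
		add(d)
	}
	return strings.Join(out, ",")
}

func main() {
	// Constructed sample: the issue's example api-target and a baseline allow list.
	derived, ok := ghesFirewallDomains("api.acme.ghe.com")
	if !ok {
		fmt.Println("could not derive GHES domains from api-target")
		return
	}
	fmt.Println(mergeAllowedDomains("github.com,api.github.com", derived))
}
```

A compiler hook would call `ghesFirewallDomains` once from the frontmatter and then `mergeAllowedDomains` at each of the three lock-file sites the proposal lists; an empty or unparsable `api-target` is reported rather than silently producing a list that the firewall will still block on.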
Impact
Without this fix, every gh aw compile or version upgrade wipes out the GHES domain additions, breaking the workflow. We hit this when upgrading from v0.58.1 → v0.59.0: the recompile removed our manually-added contoso-aw.ghe.com and api.contoso-aw.ghe.com domains, and the next run failed because the firewall blocked requests to the GHES API.
Workaround
After each gh aw compile, manually add the GHES domains to both --allow-domains and GH_AW_ALLOWED_DOMAINS in the lock file. This is error-prone and must be repeated after every recompile.
Related Issues
- GHES: Wizard should auto-detect GHES and configure GH_HOST, api-target, and allowed domains #20965 — Wizard should auto-detect GHES and configure domains
- GHES: Auto-populate firewall allowed domains when engine.api-target is set gh-aw-firewall#1301 — Auto-populate firewall allowed domains for GHES
- API proxy routes Copilot model requests to GHES API instead of Copilot API on Enterprise Server gh-aw-firewall#1300 — API proxy routes Copilot requests to wrong server on GHES