
fix: propagate GH_HOST to custom frontmatter jobs and safe-outputs for GHES/GHEC #21523

Merged
lpcox merged 3 commits into main from claude/ghes-gh-host-propagation
Mar 18, 2026
Collaborator

@lpcox lpcox commented Mar 18, 2026

Problem

When a workflow runs on GHES/GHEC, the gh CLI needs GH_HOST set to the enterprise hostname. The agent job already handles this via configure_gh_for_ghe.sh, but custom frontmatter jobs and the safe-outputs job run as independent GitHub Actions jobs that don't inherit GITHUB_ENV from the agent job.

Relates to #18480

Solution

Add a lightweight inline step at the start of custom frontmatter jobs and the safe-outputs job:

```yaml
- name: Configure GH_HOST for enterprise compatibility
  run: |
    GH_HOST="${GITHUB_SERVER_URL#https://}"
    GH_HOST="${GH_HOST#http://}"
    echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
```

  • On github.com: harmless no-op
  • On GHES/GHEC: ensures gh CLI targets the correct enterprise instance
  • Zero external dependencies
  • Only added to jobs with steps (not reusable workflow jobs)

Changes

| File | Change |
| --- | --- |
| pkg/workflow/ghes_host_step.go | New helper: generateGHESHostConfigurationStep() |
| pkg/workflow/ghes_host_step_test.go | Tests for step content, custom job injection, reusable workflow exclusion |
| pkg/workflow/compiler_jobs.go | Prepend GH_HOST step to custom frontmatter jobs |
| pkg/workflow/compiler_safe_outputs_job.go | Add GH_HOST step to safe-outputs job |
| *.lock.yml (169 files) | Recompiled workflows |
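
A hardened variant of the derivation described above, as an added example that is not part of the PR or of gh-aw: it also drops any path after the hostname and refuses to write a value containing characters outside a hostname (such as a newline) to the env file. The function names, the allowance for a `:port` suffix and `ghes.example.com` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not gh-aw code): derive GH_HOST from a server URL and
# validate it before it is appended to the GITHUB_ENV file.

# derive_gh_host URL -> prints the bare hostname[:port]; returns 1 if the
# result is empty or contains characters that do not belong in a hostname.
# Assumption: a ":port" suffix is allowed to pass through unchanged.
derive_gh_host() {
  host="${1#https://}"      # same prefix strips as the PR's step
  host="${host#http://}"
  host="${host%%/*}"        # drop a trailing slash or path, if any
  case "$host" in
    ''|*[!A-Za-z0-9.:-]*) return 1 ;;   # empty, whitespace, newline, '=' ...
  esac
  printf '%s\n' "$host"
}

# export_gh_host URL ENV_FILE -> appends GH_HOST=<host> to ENV_FILE,
# or leaves the file untouched and returns 1 when validation fails.
export_gh_host() {
  h="$(derive_gh_host "$1")" || {
    echo "refusing to export GH_HOST from '$1'" >&2
    return 1
  }
  echo "GH_HOST=${h}" >> "$2"
}

# Constructed sample inputs; ghes.example.com is a placeholder hostname.
demo() {
  env_file="$(mktemp)"
  for url in "https://github.com" "https://ghes.example.com/" \
             "http://ghes.example.com:8443" ""; do
    export_gh_host "$url" "$env_file" || true
  done
  cat "$env_file"
  rm -f "$env_file"
}

# Run the demo only when asked to: ./script.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

In a workflow step the second argument to `export_gh_host` would be `"$GITHUB_ENV"` and the first `"$GITHUB_SERVER_URL"`.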

…r GHES/GHEC

The gh CLI uses GH_HOST to determine which GitHub instance to target.
The agent job already sets GH_HOST via configure_gh_for_ghe.sh, but
custom frontmatter jobs (independent GitHub Actions jobs defined in
the workflow markdown) and the safe-outputs job run on separate runners
and don't inherit GITHUB_ENV from the agent job.

This adds a lightweight inline step that derives GH_HOST from
GITHUB_SERVER_URL (stripping the https:// prefix) and exports it to
GITHUB_ENV at the start of:

- Custom frontmatter jobs with steps (not reusable workflow jobs)
- The consolidated safe-outputs job

On github.com this is a harmless no-op (GH_HOST=github.com).
On GHES/GHEC it ensures every gh CLI command in the job targets the
correct enterprise instance.

Relates to: #18480

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 18, 2026 03:27
Contributor

Copilot AI left a comment

Pull request overview

This PR ensures GH_HOST is set for GitHub Enterprise Server / Enterprise Cloud runs in jobs that don’t inherit GITHUB_ENV from the agent job, so gh CLI invocations target the correct host.

Changes:

  • Added a reusable helper to generate an inline “Configure GH_HOST” step derived from GITHUB_SERVER_URL.
  • Prepended that step to custom frontmatter jobs and inserted it into the consolidated safe-outputs job.
  • Recompiled workflow lockfiles to include the new step in affected jobs.

Reviewed changes

Copilot reviewed 173 out of 173 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| pkg/workflow/ghes_host_step.go | Adds helper to emit an inline step that sets GH_HOST via GITHUB_ENV. |
| pkg/workflow/ghes_host_step_test.go | Adds unit tests for step content and injection behavior (including reusable workflow exclusion). |
| pkg/workflow/compiler_jobs.go | Prepends the GH_HOST configuration step to custom jobs that define steps. |
| pkg/workflow/compiler_safe_outputs_job.go | Inserts the GH_HOST configuration step into the consolidated safe-outputs job before user steps. |
| .github/workflows/*.lock.yml | Recompiled locked workflows to include the new GH_HOST configuration step where applicable. |

Comment on lines +21 to +27
return ` - name: Configure GH_HOST for enterprise compatibility
run: |
# Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
# GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
GH_HOST="${GITHUB_SERVER_URL#https://}"
GH_HOST="${GH_HOST#http://}"
echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
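
Review bot: The two prefix strips on the `GH_HOST=` lines remove only the scheme, so a GITHUB_SERVER_URL carrying a trailing slash or path would be exported as a GH_HOST that is not a bare hostname, and an empty GITHUB_SERVER_URL would export an empty GH_HOST; consider adding `GH_HOST="${GH_HOST%%/*}"` after them and skipping the `echo` when the result is empty. The `run:` block also relies on Bash-style `${VAR#prefix}` expansion while the step sets no `shell:` key, so it depends on the runner's default shell.
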
Collaborator Author

@copilot apply changes based on this feedback

Contributor

Added shell: bash to the generated step in d35fc86. The step now explicitly specifies bash, ensuring Bash-style parameter expansion (${VAR#prefix}) works correctly even on Windows runners that default to pwsh.

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Contributor

Copilot AI commented Mar 18, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw pB95jqwYBO8C (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/access_log.go /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/actionlint.go /pre… (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha on' --ignore-patremote.origin.url cfg $name) { hasDiscussionsEnabled } } (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha ath ../../../.pr**/*.json (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@lpcox lpcox merged commit c5ad522 into main Mar 18, 2026
53 checks passed
@lpcox lpcox deleted the claude/ghes-gh-host-propagation branch March 18, 2026 03:42
github-actions bot added a commit that referenced this pull request Mar 18, 2026
- cli.md: document that custom frontmatter jobs and safe-outputs now
  automatically have GH_HOST configured (from PR #21523). Remove the
  instruction to manually source configure_gh_for_ghe.sh for GH_HOST.
  Note that when GH_TOKEN is set the script skips gh auth login
  (PR #21525).

- common-issues.md: add "GitHub Enterprise Server Issues" section with
  Copilot prerequisites checklist (GitHub Connect, licensing, seats,
  token type) and a troubleshooting table for common GHES error messages
  (400 Bad Request, 403 not licensed, 403 PAT, Could not resolve
  Repository, firewall blocks, wizard PR on wrong host).

Closes #20968

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
github-actions bot added a commit that referenced this pull request Mar 18, 2026
Add two new terms identified from recent commits:

- GH_HOST: gh CLI env var for GHES/GHEC enterprise hostname routing,
  auto-configured by configure_gh_for_ghe.sh and propagated to
  custom frontmatter jobs and safe-outputs (PRs #21523, #21525)
- RUNNER_TEMP / runner.temp: GitHub Actions temp dir used for
  storing gh-aw runtime artifacts, replacing /opt/gh-aw for
  self-hosted runner compatibility (PR #21443)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>