docs: add GHE Cloud data residency debugging guide#21993
Merged
Conversation
Add docs/troubleshooting/debug-ghe.md with step-by-step setup and debugging instructions for running agentic workflows on GHE Cloud with data residency (*.ghe.com). Content sourced from the debugging discussion in #18480. Cross-references added from: - troubleshooting/common-issues.md (GHES section) - reference/engines.md (api-target section) - setup/cli.md (GHES support section) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new troubleshooting guide for running Agentic Workflows on GitHub Enterprise Cloud (data residency, *.ghe.com) and links to it from existing setup/reference pages.
Changes:
- Added a new step-by-step “Debugging GHE Cloud with Data Residency” guide, including troubleshooting and advanced diagnostics.
- Linked the new guide from existing troubleshooting, CLI setup, and engine reference docs.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docs/src/content/docs/troubleshooting/debug-ghe.md | New end-to-end debugging/setup guide for GHEC data residency, including auth, api-target configuration, and network troubleshooting. |
| docs/src/content/docs/troubleshooting/common-issues.md | Adds a tip linking to the new GHEC data residency debugging guide. |
| docs/src/content/docs/setup/cli.md | Adds a link to the new GHEC data residency debugging guide from the CLI/GHES support section. |
| docs/src/content/docs/reference/engines.md | Adds a cross-reference to the new GHEC data residency debugging guide from the api-target docs. |
Comments suppressed due to low confidence (1)
docs/src/content/docs/troubleshooting/debug-ghe.md:200
- In “Capturing HTTP Traffic” you note the Copilot CLI also contacts
api.githubcopilot.com, but the “Required Domains Reference” table doesn’t mention it. Ifapi.githubcopilot.comis required but already covered bydefaults, add a row stating that (and that it’s auto-allowed viadefaults) to avoid ambiguity when users are building strict allow-lists.
The traffic capture reveals the four domains the CLI uses on data residency:
| Domain | Purpose |
|--------|---------|
| `api.yourorg.ghe.com` | REST API, Copilot auth (`/copilot_internal/user`) |
| `copilot-api.yourorg.ghe.com` | Inference, model listing, MCP |
| `copilot-telemetry-service.yourorg.ghe.com` | Telemetry |
| `api.githubcopilot.com` | Shared Copilot services |
### Advanced: Checking Firewall Logs
Download the workflow run artifacts and inspect `sandbox/firewall/logs/access.log`. Each line shows whether a domain was allowed (`TCP_TUNNEL`) or blocked (`DENIED`). Verify that your `yourorg.ghe.com` domains appear as `TCP_TUNNEL`.
## Required Domains Reference
For GHE Cloud with data residency, the following domains must be reachable from inside the AWF sandbox. The compiler adds most of these automatically when `api-target` is set:
| Domain | Auto-added by compiler? | Required for |
|--------|:-----------------------:|-------------|
| `yourorg.ghe.com` | ✅ | Git, web UI |
| `api.yourorg.ghe.com` | ✅ | REST API, Copilot auth |
| `copilot-api.yourorg.ghe.com` | ✅ | Inference, models, MCP |
| `copilot-telemetry-service.yourorg.ghe.com` | ❌ (add manually if needed) | Telemetry |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
308
to
+312
| ## GitHub Enterprise Server Issues | ||
|
|
||
| > [!TIP] | ||
| > For a complete walkthrough of setting up and debugging workflows on **GHE Cloud with data residency** (`*.ghe.com`), see [Debugging GHE Cloud with Data Residency](/gh-aw/troubleshooting/debug-ghe/). | ||
|
|
There was a problem hiding this comment.
This tip is under the “GitHub Enterprise Server Issues” section but links to a guide specifically about GitHub Enterprise Cloud data residency (*.ghe.com). That’s likely to confuse readers looking for GHES-only troubleshooting. Consider moving this link to a GHEC-specific section (or renaming the section to cover both GHES and GHEC) so the document structure matches the content.
Comment on lines
+150
to
+160
| ```yaml | ||
| - name: Test Copilot CLI directly | ||
| env: | ||
| GH_HOST: yourorg.ghe.com | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| echo "GH_HOST=$GH_HOST" | ||
| echo "GITHUB_SERVER_URL=$GITHUB_SERVER_URL" | ||
| /usr/local/bin/copilot --version | ||
| /usr/local/bin/copilot --prompt "Say hello" --log-level all 2>&1 | head -50 | ||
| ``` |
There was a problem hiding this comment.
This runner diagnostic step sets GH_TOKEN: ${{ github.token }}. The built-in github.token/GITHUB_TOKEN typically won’t have Copilot entitlements, so this check may fail even when the COPILOT_GITHUB_TOKEN PAT is valid. Use the same auth mechanism as the workflow’s Execute step (e.g., COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}) or explicitly note that GH_TOKEN here must be a PAT with Copilot access.
This issue also appears on line 177 of the same file.
Collaborator
Author
|
@copilot open a new pull request to apply changes based on the comments in this thread |
Contributor
Add docs/troubleshooting/debugging.md with comprehensive debugging instructions for github.com users. Covers: - Using the Copilot CLI to debug workflows (launch, /agent, paste URL) - Alternative debugging via Copilot Chat and any coding agent - CLI commands: gh aw audit, gh aw logs, gh aw health, gh aw mcp inspect - Common errors: auth failures, missing tools, firewall blocks, safe-outputs issues, compilation errors - Advanced: debug logging, Actions debug mode, firewall log inspection, artifact analysis Cross-reference added from common-issues.md. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
github-actions bot
added a commit
that referenced
this pull request
Mar 21, 2026
Adds the 🌍 Community Contributions table with 5 confirmed attributions linking community-labeled issues to their resolving PRs: - #21630 (@Mossaka) → #21655 sparse-checkout support docs - #21243 (@holwerda) → #21286 github-app auth in dependencies - #20299 (@grahame-white) → #20300 fix gh aw upgrade lock files - #20249 (@mvdbos) → #20301 cross-repo workflow_call validation - #18480 (@JoshGreenslade) → #21993 GHE Cloud data residency docs Also flags 241 community-labeled issues as attribution candidates needing manual review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a comprehensive debugging guide for running agentic workflows on GHE Cloud with data residency (
*.ghe.com).Content sourced from the debugging discussion in #18480 (comment).
Changes
docs/troubleshooting/debug-ghe.md— Step-by-step setup (init → add → configure api-target → compile → run) and troubleshooting (auth failures, GH_HOST issues, firewall logs, HTTP traffic capture, required domains reference)troubleshooting/common-issues.md— GHES section tip boxreference/engines.md— api-target section linksetup/cli.md— GHES support section linkThe troubleshooting sidebar is autogenerated, so the new page appears automatically.
Closes #18480