-
Notifications
You must be signed in to change notification settings - Fork 366
[docs] docs: reduce bloat in engines.md (21% reduction) #27142
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
+11
−96
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -158,9 +158,14 @@ The specified hostname must also be listed in `network.allowed` for the firewall | |||||
|
|
||||||
| #### Custom API Endpoints via Environment Variables | ||||||
|
|
||||||
| Three environment variables receive special treatment when set in `engine.env`: `OPENAI_BASE_URL` (for `codex` and `crush`), `ANTHROPIC_BASE_URL` (for `claude`), `GITHUB_COPILOT_BASE_URL` (for `copilot`), and `GEMINI_API_BASE_URL` (for `gemini`). When any of these is present, the API proxy automatically routes API calls to the specified host instead of the default endpoint. Firewall enforcement remains active, but this routing layer is not a separate authentication boundary for arbitrary code already running inside the agent container. | ||||||
| Set a base URL environment variable in `engine.env` to route API calls to an internal LLM router, Azure OpenAI deployment, or corporate proxy. AWF automatically extracts the hostname and applies it to the API proxy. The target domain must also appear in `network.allowed`. | ||||||
|
|
||||||
| This enables workflows to use internal LLM routers, Azure OpenAI deployments, corporate Copilot proxies, or other compatible endpoints without bypassing AWF's security model. | ||||||
| | Engine | Environment variable | | ||||||
| |--------|---------------------| | ||||||
| | `codex`, `crush` | `OPENAI_BASE_URL` | | ||||||
| | `claude` | `ANTHROPIC_BASE_URL` | | ||||||
| | `copilot` | `GITHUB_COPILOT_BASE_URL` | | ||||||
| | `gemini` | `GEMINI_API_BASE_URL` | | ||||||
|
|
||||||
| ```yaml wrap | ||||||
| engine: | ||||||
|
|
@@ -173,74 +178,10 @@ engine: | |||||
| network: | ||||||
| allowed: | ||||||
| - github.com | ||||||
| - llm-router.internal.example.com # must be listed here for the firewall to permit outbound requests | ||||||
| - llm-router.internal.example.com | ||||||
| ``` | ||||||
|
|
||||||
| For Claude workflows routed through a custom Anthropic-compatible endpoint: | ||||||
|
|
||||||
| ```yaml wrap | ||||||
| engine: | ||||||
| id: claude | ||||||
| env: | ||||||
| ANTHROPIC_BASE_URL: "https://anthropic-proxy.internal.example.com" | ||||||
| ANTHROPIC_API_KEY: ${{ secrets.PROXY_API_KEY }} | ||||||
|
|
||||||
| network: | ||||||
| allowed: | ||||||
| - github.com | ||||||
| - anthropic-proxy.internal.example.com | ||||||
| ``` | ||||||
|
|
||||||
| For Copilot workflows routed through a custom Copilot-compatible endpoint (e.g., a corporate proxy or a GHE Cloud data residency instance): | ||||||
|
|
||||||
| ```yaml wrap | ||||||
| engine: | ||||||
| id: copilot | ||||||
| env: | ||||||
| GITHUB_COPILOT_BASE_URL: "https://copilot-proxy.corp.example.com" | ||||||
|
|
||||||
| network: | ||||||
| allowed: | ||||||
| - github.com | ||||||
| - copilot-proxy.corp.example.com | ||||||
| ``` | ||||||
|
|
||||||
| `GITHUB_COPILOT_BASE_URL` is used as a fallback when `engine.api-target` is not explicitly set. If both are configured, `engine.api-target` takes precedence. | ||||||
|
|
||||||
| For Gemini workflows routed through a custom Gemini-compatible endpoint: | ||||||
|
|
||||||
| ```yaml wrap | ||||||
| engine: | ||||||
| id: gemini | ||||||
| env: | ||||||
| GEMINI_API_BASE_URL: "https://gemini-proxy.internal.example.com" | ||||||
| GEMINI_API_KEY: ${{ secrets.PROXY_API_KEY }} | ||||||
|
|
||||||
| network: | ||||||
| allowed: | ||||||
| - github.com | ||||||
| - gemini-proxy.internal.example.com | ||||||
| ``` | ||||||
|
|
||||||
| The custom hostname is extracted from the URL and passed to the AWF `--openai-api-target`, `--anthropic-api-target`, `--copilot-api-target`, or `--gemini-api-target` flag automatically at compile time. No additional configuration is required. | ||||||
|
|
||||||
| For Crush workflows routed through a custom OpenAI-compatible endpoint: | ||||||
|
|
||||||
| ```yaml wrap | ||||||
| engine: | ||||||
| id: crush | ||||||
| model: openai/gpt-4o | ||||||
| env: | ||||||
| OPENAI_BASE_URL: "https://openai-proxy.internal.example.com/v1" | ||||||
| OPENAI_API_KEY: ${{ secrets.PROXY_API_KEY }} | ||||||
|
|
||||||
| network: | ||||||
| allowed: | ||||||
| - github.com | ||||||
| - openai-proxy.internal.example.com | ||||||
| ``` | ||||||
|
|
||||||
| Crush uses the OpenAI-compatible API format by default (via Copilot routing). The `model` field uses a `provider/model` format — the provider prefix determines which API domains are added to the firewall allowlist. | ||||||
| `GITHUB_COPILOT_BASE_URL` is a fallback — if both it and `engine.api-target` are set, `engine.api-target` takes precedence. Crush uses OpenAI-compatible API format; its `model` field uses `provider/model` format (e.g., `openai/gpt-4o`). | ||||||
|
||||||
| `GITHUB_COPILOT_BASE_URL` is a fallback — if both it and `engine.api-target` are set, `engine.api-target` takes precedence. Crush uses OpenAI-compatible API format; its `model` field uses `provider/model` format (e.g., `openai/gpt-4o`). | |
| `GITHUB_COPILOT_BASE_URL` is a fallback — if both it and `engine.api-target` are set, `engine.api-target` takes precedence. Crush uses OpenAI-compatible API format; its `model` field uses `provider/model` format (e.g., `openai/gpt-4o`). The `provider` prefix matters operationally: it determines which provider-specific API domains are added to the firewall allowlist. |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The text says “AWF automatically extracts the hostname …”. In practice the hostname (and path) extraction happens in gh-aw when building the AWF invocation args (e.g.,
pkg/workflow/awf_helpers.go), and AWF just receives--*-api-target/--*-api-base-path. Consider rewording to reflect that gh-aw/compilation configures the proxy (and optionally mention that path components are forwarded via the corresponding--*-api-base-pathflag).