You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs-site/src/content/docs/reference/cli-reference.md
+7-21Lines changed: 7 additions & 21 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -893,18 +893,18 @@ Use `--log-level debug` to see which enterprise domains were auto-detected. Look
893
893
894
894
AWF reads several environment variables that influence its behavior. These are grouped by purpose.
895
895
896
-
### Auto-Detection
896
+
### Credentials (API Proxy Sidecar)
897
897
898
-
These variables are read by AWF to automatically add required domains to the allowlist, particularly for GitHub Enterprise Cloud (GHEC) and GitHub Enterprise Server (GHES) deployments.
898
+
These variables supply API credentials to the API proxy sidecar when `--enable-api-proxy` is active.
899
899
900
900
| Variable | Description |
901
901
|----------|-------------|
902
-
| `GITHUB_SERVER_URL` | GHEC tenant URL. When set to a `*.ghe.com` host, AWF auto-adds the tenant and API domains to the allowlist. |
903
-
| `GITHUB_API_URL` | GHEC API URL. Auto-added to the allowlist when the host matches `*.ghe.com`. |
904
-
| `ENGINE_API_TARGET` | GHES API URL. The hostname is extracted and GHES-related domains are added to the allowlist. |
902
+
| `OPENAI_API_KEY` | OpenAI API key — held securely in the api-proxy sidecar |
903
+
| `ANTHROPIC_API_KEY` | Anthropic API key — held securely in the api-proxy sidecar |
904
+
| `COPILOT_GITHUB_TOKEN` | GitHub Copilot token — held securely in the api-proxy sidecar |
905
905
906
-
:::note
907
-
These variables are typically set automatically by GitHub Actions runners. You do not need to configure them manually in most cases.
906
+
:::danger[Credential Isolation]
907
+
When `--enable-api-proxy` is active, these credentials are **never exposed to the agent container**. They are held exclusively in the api-proxy sidecar, which injects them into outbound requests on the agent's behalf.
908
908
:::
909
909
910
910
### API Target Overrides
@@ -925,20 +925,6 @@ These variables provide an alternative to the corresponding CLI flags for config
925
925
|----------|----------|-------------|
926
926
| `AWF_AUDIT_DIR` | `--audit-dir` | Directory for audit artifacts |
927
927
928
-
### Credentials (API Proxy Sidecar)
929
-
930
-
These variables supply API credentials to the API proxy sidecar when `--enable-api-proxy` is active.
931
-
932
-
| Variable | Description |
933
-
|----------|-------------|
934
-
| `OPENAI_API_KEY` | OpenAI API key — held securely in the api-proxy sidecar |
935
-
| `ANTHROPIC_API_KEY` | Anthropic API key — held securely in the api-proxy sidecar |
936
-
| `COPILOT_GITHUB_TOKEN` | GitHub Copilot token — held securely in the api-proxy sidecar |
937
-
938
-
:::danger[Credential Isolation]
939
-
When `--enable-api-proxy` is active, these credentials are **never exposed to the agent container**. They are held exclusively in the api-proxy sidecar, which injects them into outbound requests on the agent's behalf.
0 commit comments