fix: restore GITHUB_API_URL in agent container when api-proxy is enabled #1420

Root cause: commit 5a56789 excluded GITHUB_API_URL from the agent container when api-proxy is enabled, based on the incorrect theory that its presence would cause the Copilot CLI to route token exchange through api.github.com with the placeholder token.

Evidence from CI logs: successful runs (worktree-audit-observability) had GITHUB_API_URL present and worked; all failing runs lacked it and failed immediately with "Authentication failed" after ~1.2 seconds.

The Copilot CLI needs GITHUB_API_URL to locate the GitHub API. Its Copilot-specific calls (token exchange, inference) already route through COPILOT_API_URL → api-proxy regardless of GITHUB_API_URL being set.

Fix:
- Remove EXCLUDED_ENV_VARS.add('GITHUB_API_URL') from api-proxy block
- Change conditional GITHUB_API_URL assignment to unconditional
- Update test to expect GITHUB_API_URL present even with api-proxy enabled

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/db4a1afe-02b9-43f2-bfae-41febbcbc8b5
Pull request overview
Restores forwarding of GITHUB_API_URL into the agent container even when --enable-api-proxy is enabled, fixing Copilot CLI authentication regressions caused by removing that env var from the container environment.
Changes:
- Stop excluding GITHUB_API_URL from the agent environment when api-proxy is enabled.
- Make GITHUB_API_URL forwarding unconditional (when set) in generateDockerCompose.
- Update the unit test expectation so GITHUB_API_URL is present alongside COPILOT_API_URL under --env-all.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/docker-manager.ts | Ensures GITHUB_API_URL is no longer excluded/conditionally forwarded when api-proxy is enabled. |
| src/docker-manager.test.ts | Updates unit test to expect GITHUB_API_URL to be present with api-proxy + envAll. |
| // GITHUB_API_URL — always pass when set. The Copilot CLI needs it to locate the GitHub API | ||
| // (especially on GHES/GHEC where the URL differs from api.github.com). | ||
| // Copilot-specific API calls (inference and token exchange) always route through | ||
| // COPILOT_API_URL → api-proxy when api-proxy is enabled, so GITHUB_API_URL does not | ||
| // interfere with credential isolation. | ||
| if (process.env.GITHUB_API_URL) environment.GITHUB_API_URL = process.env.GITHUB_API_URL; |
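Review bot: the comment block above the if on the last line states that Copilot-specific calls always route through COPILOT_API_URL → api-proxy, but nothing in these lines enforces or checks that, and the credential-isolation guarantee now rests on it. Point the comment at the evidence it relies on and add a test asserting that only the placeholder token is visible in the agent environment when api-proxy is enabled. A smaller point on the same line: the value is copied from process.env unvalidated, so consider checking that it parses as a URL before forwarding it.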
This change makes GITHUB_API_URL available in the agent when --enable-api-proxy is on, but the integration test tests/integration/api-proxy.test.ts still asserts the opposite ("should exclude GITHUB_API_URL…"). That test will now fail in CI (Integration Tests workflow runs --testPathPatterns="api-proxy"), so it should be updated/renamed to reflect the new intended behavior (expect GITHUB_API_URL to be present).
🔮 The ancient spirits stir; the smoke run has been read in the stars.
….1.81+ (#1414)

* fix: write apiKeyHelper to ~/.claude/settings.json for Claude Code v2.1.81+

Claude Code v2.1.81+ reads apiKeyHelper from ~/.claude/settings.json instead of ~/.claude.json. The entrypoint now writes to both paths for backward/forward compatibility.

Fixes: github/gh-aw#22713

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* [WIP] Fix the failing GitHub Actions workflow agent (#1418)

* Initial plan

* fix: preserve existing claude config when merging apiKeyHelper

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/6efe3da1-78c0-44c2-b7ce-06b070ab91b8

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix: exclude GITHUB_API_URL from agent container when api-proxy is enabled (#1419)

* Initial plan

* fix: exclude GITHUB_API_URL from agent container when api-proxy is enabled

Regression introduced in commit 9761e87 (PR #1305) re-added an unconditional GITHUB_API_URL assignment that PR #1303 had fixed. Combined with the missing EXCLUDED_ENV_VARS entry for the --env-all code path, GITHUB_API_URL was leaking into the agent container when api-proxy is enabled.

With GITHUB_API_URL present in the agent, the Copilot CLI routes its token exchange to api.github.com/copilot_internal/v2/token using the placeholder COPILOT_GITHUB_TOKEN instead of going through COPILOT_API_URL → api-proxy (which injects the real token), causing a 401 authentication failure.

Fix:
- Add GITHUB_API_URL to EXCLUDED_ENV_VARS when api-proxy is enabled (covers the --env-all path used by build-test.lock.yml)
- Replace the duplicate unconditional assignment with the correct conditional version that was already present below it (from PR #1303)

Tests:
- should not leak GITHUB_API_URL to agent when api-proxy is enabled with envAll
- should pass GITHUB_API_URL to agent when api-proxy is NOT enabled with envAll

See: github/gh-aw#20875

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

* fix: restore GITHUB_API_URL in agent container when api-proxy is enabled (#1420)

* Initial plan

* fix: restore GITHUB_API_URL in agent container when api-proxy is enabled

Root cause: commit 5a56789 excluded GITHUB_API_URL from the agent container when api-proxy is enabled, based on the incorrect theory that its presence would cause the Copilot CLI to route token exchange through api.github.com with the placeholder token.

Evidence from CI logs: successful runs (worktree-audit-observability) had GITHUB_API_URL present and worked; all failing runs lacked it and failed immediately with "Authentication failed" after ~1.2 seconds.

The Copilot CLI needs GITHUB_API_URL to locate the GitHub API. Its Copilot-specific calls (token exchange, inference) already route through COPILOT_API_URL → api-proxy regardless of GITHUB_API_URL being set.

Fix:
- Remove EXCLUDED_ENV_VARS.add('GITHUB_API_URL') from api-proxy block
- Change conditional GITHUB_API_URL assignment to unconditional
- Update test to expect GITHUB_API_URL present even with api-proxy enabled

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/db4a1afe-02b9-43f2-bfae-41febbcbc8b5

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Commit 5a56789 incorrectly excluded GITHUB_API_URL from the agent container when --enable-api-proxy is active, causing the Copilot CLI to fail immediately with "Authentication failed". The Copilot CLI needs GITHUB_API_URL to locate the GitHub API; it already routes Copilot-specific calls (token exchange, inference) through COPILOT_API_URL → api-proxy regardless.

Evidence

Comparing the failing branch against a successful run (worktree-audit-observability):

GITHUB_API_URL in container

Changes

- src/docker-manager.ts: Remove EXCLUDED_ENV_VARS.add('GITHUB_API_URL') from the api-proxy block; make the GITHUB_API_URL forwarding unconditional (matches the working pre-regression behavior):
- src/docker-manager.test.ts: Flip the expectation — GITHUB_API_URL should be present even when api-proxy is enabled, alongside COPILOT_API_URL.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

- https://api.github.com/repos/github/gh-aw-firewall/actions/jobs/68429069221
  /usr/bin/gh gh run view 23510263213 --log --job 68429069221 (http block)
- https://api.github.com/repos/github/gh-aw-firewall/actions/runs/23510263213/artifacts
  /usr/bin/gh gh run download 23510263213 --name agent-artifacts --dir /tmp/agent-artifacts-run (http block)

If you need me to access, download, or install something from one of these locations, you can either:
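An added sketch, not code from gh-aw-firewall, of the behaviour this PR settles on: with api-proxy enabled the real COPILOT_GITHUB_TOKEN is swapped for a placeholder while GITHUB_API_URL is still forwarded, followed by a value-based audit of the resulting agent environment. The names buildAgentEnv, leakedCredentials, CREDENTIAL_VARS, the proxy address and all sample values are assumptions made for illustration.

```typescript
// Added illustration: only the env var names come from the page; everything else is hypothetical.
type Env = Record<string, string>;

interface AgentEnvOptions {
  envAll: boolean;         // models --env-all: forward the whole host environment
  enableApiProxy: boolean; // models --enable-api-proxy
  proxyUrl: string;        // assumed address of the api-proxy sidecar
}

// Assumption: variables holding real credentials that must stay on the proxy side.
const CREDENTIAL_VARS = ['COPILOT_GITHUB_TOKEN'];
const PLACEHOLDER = 'placeholder-token'; // constructed value

function buildAgentEnv(host: Env, opts: AgentEnvOptions): Env {
  const excluded = new Set<string>();
  if (opts.enableApiProxy) {
    for (const name of CREDENTIAL_VARS) excluded.add(name);
  }
  const env: Env = {};
  if (opts.envAll) {
    for (const [key, value] of Object.entries(host)) {
      if (!excluded.has(key)) env[key] = value;
    }
  }
  // Endpoint locator, not a secret: forwarded whenever it is set.
  if (host.GITHUB_API_URL) env.GITHUB_API_URL = host.GITHUB_API_URL;
  if (opts.enableApiProxy) {
    // Copilot calls go to the proxy, which holds the real token.
    env.COPILOT_API_URL = opts.proxyUrl;
    for (const name of CREDENTIAL_VARS) {
      if (host[name]) env[name] = PLACEHOLDER;
    }
  }
  return env;
}

// Audit by value, not by name: lists agent variables whose value is a real host credential.
function leakedCredentials(host: Env, agent: Env): string[] {
  const secrets = new Set(CREDENTIAL_VARS.map((name) => host[name]).filter(Boolean));
  return Object.entries(agent)
    .filter(([, value]) => secrets.has(value))
    .map(([key]) => key);
}

// Constructed sample host environment.
const SAMPLE_HOST: Env = {
  GITHUB_API_URL: 'https://ghes.example.test/api/v3',
  COPILOT_GITHUB_TOKEN: 'constructed-real-token',
  PATH: '/usr/bin',
};
```

Running leakedCredentials over the generated environment in a unit test checks the isolation property directly, independent of which endpoint variables are forwarded.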