Skip to content

[awf] api-proxy/Copilot: BYOK COPILOT_PROVIDER_API_KEY never used; adapter falls back to COPILOT_GITHUB_TOKEN #4040

Description

@lpcox

Problem

When a workflow sets engine: copilot with BYOK vars (COPILOT_PROVIDER_BASE_URL + COPILOT_PROVIDER_API_KEY), the AWF api-proxy Copilot adapter ignores the injected dummy COPILOT_API_KEY (per #3322) and falls back to COPILOT_GITHUB_TOKEN — never consulting COPILOT_PROVIDER_API_KEY. Result: HTTP 503 (if token suppressed) or HTTP 401 (GitHub identity token forwarded to external provider).

Context

Original issue: github/gh-aw#35575

Root Cause

In containers/api-proxy/, the Copilot adapter auth resolution does not check for COPILOT_PROVIDER_API_KEY. When COPILOT_API_KEY is the dummy BYOK sentinel, the adapter should fall through to COPILOT_PROVIDER_API_KEY before trying COPILOT_GITHUB_TOKEN.

Proposed Solution

In the Copilot adapter auth logic (containers/api-proxy/), after determining COPILOT_API_KEY is the dummy sentinel, check COPILOT_PROVIDER_API_KEY and use it as the Authorization: Bearer for the upstream request. Only fall back to COPILOT_GITHUB_TOKEN when COPILOT_PROVIDER_API_KEY is also absent. Add a test asserting BYOK key priority order.

Generated by Firewall Issue Dispatcher · sonnet46 2M ·

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions