Problem
When a workflow sets engine: copilot with BYOK vars (COPILOT_PROVIDER_BASE_URL + COPILOT_PROVIDER_API_KEY), the AWF api-proxy Copilot adapter ignores the injected dummy COPILOT_API_KEY (per #3322) and falls back to COPILOT_GITHUB_TOKEN — never consulting COPILOT_PROVIDER_API_KEY. Result: HTTP 503 (if token suppressed) or HTTP 401 (GitHub identity token forwarded to external provider).
Context
Original issue: github/gh-aw#35575
Root Cause
In containers/api-proxy/, the Copilot adapter auth resolution does not check for COPILOT_PROVIDER_API_KEY. When COPILOT_API_KEY is the dummy BYOK sentinel, the adapter should fall through to COPILOT_PROVIDER_API_KEY before trying COPILOT_GITHUB_TOKEN.
Proposed Solution
In the Copilot adapter auth logic (containers/api-proxy/), after determining COPILOT_API_KEY is the dummy sentinel, check COPILOT_PROVIDER_API_KEY and use it as the Authorization: Bearer for the upstream request. Only fall back to COPILOT_GITHUB_TOKEN when COPILOT_PROVIDER_API_KEY is also absent. Add a test asserting BYOK key priority order.
Generated by Firewall Issue Dispatcher · sonnet46 2M · ◷
Problem
When a workflow sets
engine: copilotwith BYOK vars (COPILOT_PROVIDER_BASE_URL+COPILOT_PROVIDER_API_KEY), the AWF api-proxy Copilot adapter ignores the injected dummyCOPILOT_API_KEY(per #3322) and falls back toCOPILOT_GITHUB_TOKEN— never consultingCOPILOT_PROVIDER_API_KEY. Result: HTTP 503 (if token suppressed) or HTTP 401 (GitHub identity token forwarded to external provider).Context
Original issue: github/gh-aw#35575
Root Cause
In
containers/api-proxy/, the Copilot adapter auth resolution does not check forCOPILOT_PROVIDER_API_KEY. WhenCOPILOT_API_KEYis the dummy BYOK sentinel, the adapter should fall through toCOPILOT_PROVIDER_API_KEYbefore tryingCOPILOT_GITHUB_TOKEN.Proposed Solution
In the Copilot adapter auth logic (
containers/api-proxy/), after determiningCOPILOT_API_KEYis the dummy sentinel, checkCOPILOT_PROVIDER_API_KEYand use it as theAuthorization: Bearerfor the upstream request. Only fall back toCOPILOT_GITHUB_TOKENwhenCOPILOT_PROVIDER_API_KEYis also absent. Add a test asserting BYOK key priority order.