feat(proxy): make copilot api target configurable for enterprise envi…#1063
feat(proxy): make copilot api target configurable for enterprise envi…#1063
Conversation
…ronments Auto-derive api.enterprise.githubcopilot.com from GITHUB_SERVER_URL when the server is not github.com (GHEC/GHES). Allow explicit override via COPILOT_API_TARGET env var or --copilot-api-target CLI flag. Forward GITHUB_SERVER_URL and GITHUB_API_URL to both agent and api-proxy containers by default.
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 82.08% | 82.16% | 📈 +0.08% |
| Statements | 82.03% | 82.13% | 📈 +0.10% |
| Functions | 82.91% | 82.91% | ➡️ +0.00% |
| Branches | 74.73% | 74.46% | 📉 -0.27% |
📁 Per-file Coverage Changes (1 files)
| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
src/docker-manager.ts |
83.4% → 83.7% (+0.31%) | 82.6% → 83.0% (+0.37%) |
Coverage comparison generated by scripts/ci/compare-coverage.ts
C++ Build Test Results
Overall: PASS ✅
|
Deno Build Test Results
Overall: ✅ PASS
|
Bun Build Test Results
Overall: PASS ✅ Tested with Bun v1.3.10
|
Node.js Build Test Results
Overall: ✅ PASS
|
Go Build Test Results ✅
Overall: PASS
|
.NET Build Test Results
Overall: PASS ✅ Run outputhello-world: json-parse:
|
|
🤖 Smoke test results for ✅ GitHub MCP — Last 2 merged PRs: #1056 "refactor: remove --allow-full-filesystem-access flag", #1055 "feat: add API proxy port 10004 for OpenCode engine" Overall: PASS
|
Smoke Test ResultsLast 2 merged PRs:
Overall: PASS
|
Rust Build Test Results
Overall: PASS ✅
|
There was a problem hiding this comment.
Pull request overview
Adds enterprise-friendly configuration for GitHub Copilot API routing when using the api-proxy sidecar, including automatic enterprise target selection and explicit overrides.
Changes:
- Introduces
copilotApiTargetconfig surface (CLI + env + WrapperConfig) for selecting the Copilot upstream host. - Updates api-proxy sidecar to auto-derive an enterprise Copilot target from
GITHUB_SERVER_URLwhen applicable. - Forwards GitHub enterprise environment variables into the agent (and partially into the api-proxy).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| src/types.ts | Adds copilotApiTarget to WrapperConfig with documentation. |
| src/docker-manager.ts | Forwards GITHUB_SERVER_URL/GITHUB_API_URL to agent env; passes COPILOT_API_TARGET and GITHUB_SERVER_URL into api-proxy env. |
| src/cli.ts | Adds --copilot-api-target flag and wires it into config creation. |
| containers/api-proxy/server.js | Implements Copilot target derivation and uses it for upstream proxying. |
| containers/api-proxy/README.md | Documents COPILOT_API_TARGET for the sidecar. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ' Defaults to api.githubcopilot.com. Useful for GHES deployments.\n' + | ||
| ' Can also be set via COPILOT_API_TARGET env var.', |
There was a problem hiding this comment.
CLI help text says the target "Defaults to api.githubcopilot.com", but the sidecar now auto-derives api.enterprise.githubcopilot.com when GITHUB_SERVER_URL is set to a non-github.com host. Please adjust the help text to avoid advertising an unconditional default (e.g., mention the enterprise auto-derive behavior and that the flag/env var overrides it).
| ' Defaults to api.githubcopilot.com. Useful for GHES deployments.\n' + | |
| ' Can also be set via COPILOT_API_TARGET env var.', | |
| ' Defaults to api.githubcopilot.com for GitHub.com.\n' + | |
| ' When GITHUB_SERVER_URL is set to a non-github.com host, defaults to api.enterprise.githubcopilot.com.\n' + | |
| ' This flag or the COPILOT_API_TARGET env var override the default.', |
| // Configurable Copilot API target (for GHES/GHEC support) | ||
| ...(config.copilotApiTarget && { COPILOT_API_TARGET: config.copilotApiTarget }), | ||
| // Forward GITHUB_SERVER_URL so api-proxy can auto-derive enterprise endpoints | ||
| ...(process.env.GITHUB_SERVER_URL && { GITHUB_SERVER_URL: process.env.GITHUB_SERVER_URL }), | ||
| // Route through Squid to respect domain whitelisting |
There was a problem hiding this comment.
The api-proxy container is now deriving the Copilot target from GITHUB_SERVER_URL, but docker-compose only forwards GITHUB_SERVER_URL (not GITHUB_API_URL) into the api-proxy service. This differs from the PR description (“Forward GITHUB_SERVER_URL and GITHUB_API_URL to both agent and api-proxy containers by default”). Either forward GITHUB_API_URL as well, or update the PR description/docs to match what the proxy actually needs.
| if (process.env.COPILOT_API_TARGET) { | ||
| return process.env.COPILOT_API_TARGET; |
There was a problem hiding this comment.
COPILOT_API_TARGET is used as a hostname in both new URL(req.url, \https://${targetHost}`)andhttps.request({ hostname: targetHost }), but deriveCopilotApiTarget()returns the env var verbatim. If a user supplies a full URL (e.g.,https://api.githubcopilot.com`) or includes a path/port/whitespace, requests can fail at runtime. Consider validating/normalizing this value (trim, reject / and scheme, or accept full URLs by parsing and extracting hostname).
| if (process.env.COPILOT_API_TARGET) { | |
| return process.env.COPILOT_API_TARGET; | |
| const envTarget = process.env.COPILOT_API_TARGET; | |
| if (envTarget) { | |
| const trimmed = envTarget.trim(); | |
| if (trimmed) { | |
| // If a full URL is provided (e.g., https://api.githubcopilot.com), | |
| // parse it and extract the hostname so it can be safely used in | |
| // https.request({ hostname }) and as a URL base. | |
| if (trimmed.startsWith('http://') || trimmed.startsWith('https://')) { | |
| try { | |
| const url = new URL(trimmed); | |
| if (url.hostname) { | |
| return url.hostname; | |
| } | |
| } catch { | |
| // Invalid URL — fall through to serverUrl/default handling below. | |
| } | |
| } else { | |
| // Treat as a bare hostname. Reject obviously invalid forms that would | |
| // break https.request/new URL usage (paths or whitespace). | |
| if (!/[\/\s]/.test(trimmed)) { | |
| return trimmed; | |
| } | |
| // If invalid, fall through to serverUrl/default handling. | |
| } | |
| } |
| // Configurable Copilot API target host (supports GHES/GHEC / custom endpoints) | ||
| // Priority: COPILOT_API_TARGET env var > auto-derive from GITHUB_SERVER_URL > default | ||
| function deriveCopilotApiTarget() { | ||
| if (process.env.COPILOT_API_TARGET) { | ||
| return process.env.COPILOT_API_TARGET; |
There was a problem hiding this comment.
Please add test coverage for the new Copilot target selection logic: (1) COPILOT_API_TARGET override wins, and (2) non-github.com GITHUB_SERVER_URL causes the enterprise target to be used. Without a test, regressions here are easy to miss.
| - `ANTHROPIC_API_KEY` - Anthropic API key for authentication | ||
|
|
||
| Optional: | ||
| - `COPILOT_API_TARGET` - Target hostname for GitHub Copilot API requests (default: `api.githubcopilot.com`). Useful for GHES deployments. |
There was a problem hiding this comment.
README says the default target is always api.githubcopilot.com, but the proxy now auto-derives api.enterprise.githubcopilot.com when GITHUB_SERVER_URL is set to a non-github.com host. Please update this description to match the implemented precedence (explicit COPILOT_API_TARGET > derived from GITHUB_SERVER_URL > public default).
| - `COPILOT_API_TARGET` - Target hostname for GitHub Copilot API requests (default: `api.githubcopilot.com`). Useful for GHES deployments. | |
| - `COPILOT_API_TARGET` - Target hostname for GitHub Copilot API requests. If set, this value takes precedence. If unset and `GITHUB_SERVER_URL` points to a non-github.com host (e.g., GHES), the proxy will auto-derive `api.enterprise.githubcopilot.com`. Otherwise, the default is `api.githubcopilot.com`. Useful for GHES deployments. |
| * - CLI flag: `--copilot-api-target <host>` | ||
| * - Environment variable: `COPILOT_API_TARGET` | ||
| * | ||
| * @default 'api.githubcopilot.com' | ||
| * @example |
There was a problem hiding this comment.
The @default 'api.githubcopilot.com' claim isn’t always true anymore: the sidecar now auto-derives api.enterprise.githubcopilot.com when GITHUB_SERVER_URL is non-github.com. Please update the @default / description to reflect the actual precedence (explicit target > derived enterprise target > public default).
|
PRs: feat(proxy): add observability and rate limiting to API proxy; refactor: remove --allow-full-filesystem-access flag
|
|
@copilot take a look at this gh-aw compiler and see if it will pass the right environment variables to awf |
Chroot Version Comparison Results
Overall: ❌ Tests did not pass — Python and Node.js versions differ between host and chroot environment.
|
Java Build Test Results
Overall: PASS ✅
|
…ronments
Auto-derive api.enterprise.githubcopilot.com from GITHUB_SERVER_URL when the server is not github.com (GHEC/GHES). Allow explicit override via COPILOT_API_TARGET env var or --copilot-api-target CLI flag. Forward GITHUB_SERVER_URL and GITHUB_API_URL to both agent and api-proxy containers by default.