Update agentic engine token handling to use user-provided secrets#18017
…rovided in Gemini engine
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

@copilot add the same support for copilot, claude, codex

…dex engines
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Added tests verifying

@copilot make sure the override applies to the validation step: the overridden value is validated.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Done in commit 133f576.
Pull request overview
Updates agentic engine secret/token handling so engine.env can override default token secret expressions consistently across execution steps and the install-time secret validation step.
Changes:
- Extend `GenerateMultiSecretValidationStep` to accept `engine.env` overrides and validate the overridden secret expression instead of the default `${{ secrets.KEY }}`.
- Add `engine.env` passthrough (and agent config env passthrough) to Gemini execution steps for parity with other engines.
- Add/expand tests across engines and secret validation to cover token-expression overrides and custom env vars.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/workflow/agentic_engine.go | Adds envOverrides support to multi-secret validation env generation. |
| pkg/workflow/engine_helpers.go | Introduces helper to pass engine.env overrides into common install-step generation. |
| pkg/workflow/gemini_engine.go | Copies engine.env (and agent env) into Gemini execution env; passes overrides to validation step. |
| pkg/workflow/copilot_engine_installation.go | Passes engine.env overrides into Copilot’s secret validation step. |
| pkg/workflow/claude_engine.go | Passes engine.env overrides into Claude’s secret validation step. |
| pkg/workflow/secret_validation_test.go | Updates existing tests for new signature and adds override-focused validation tests. |
| pkg/workflow/gemini_engine_test.go | Adds tests verifying Gemini token override and custom env passthrough. |
| pkg/workflow/copilot_engine_test.go | Adds tests verifying Copilot token override and extra env vars. |
| pkg/workflow/claude_engine_test.go | Adds tests verifying Claude token override and extra env vars. |
| pkg/workflow/codex_engine_test.go | Adds tests verifying Codex token override and extra env vars. |
| // Set the model environment variable only when explicitly configured. | ||
| // When model is configured, use the native GEMINI_MODEL env var - the Gemini CLI reads it | ||
| // directly, avoiding the need to embed the value in the shell command (which would fail | ||
| // template injection validation for GitHub Actions expressions like ${{ inputs.model }}). | ||
| // When model is not configured, let the Gemini CLI use its built-in default model. | ||
| if modelConfigured { | ||
| geminiLog.Printf("Setting %s env var for model: %s", constants.GeminiCLIModelEnvVar, workflowData.EngineConfig.Model) | ||
| env[constants.GeminiCLIModelEnvVar] = workflowData.EngineConfig.Model | ||
| } | ||
|
|
||
| // Add custom environment variables from engine config. | ||
| // This allows users to override the default engine token expression (e.g. | ||
| // GEMINI_API_KEY: ${{ secrets.MY_ORG_GEMINI_KEY }}) via engine.env. | ||
| if workflowData.EngineConfig != nil && len(workflowData.EngineConfig.Env) > 0 { | ||
| maps.Copy(env, workflowData.EngineConfig.Env) | ||
| } |
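Review bot: the `len(workflowData.EngineConfig.Env) > 0` guard on the last `if` is redundant; `maps.Copy` over a nil or empty source map is a no-op, so `if workflowData.EngineConfig != nil { maps.Copy(env, workflowData.EngineConfig.Env) }` is enough and reads clearer. More importantly, because this copy runs after the `GEMINI_MODEL` block, an `engine.env` entry for `GEMINI_MODEL` (or `GEMINI_API_KEY`) silently wins over the value set from `EngineConfig.Model`; consider logging each overridden key the way the model assignment is logged with `geminiLog.Printf`, so a workflow author can see from the compile log which env values came from `engine.env` rather than from the engine defaults.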
The comment above the GEMINI model env var says it’s only set when explicitly configured and otherwise the CLI default is used. With the new engine.env passthrough (maps.Copy(env, workflowData.EngineConfig.Env)), users can now set/override GEMINI_MODEL via engine.env even when EngineConfig.Model is empty, so the comment is no longer accurate. Please update the comment to reflect the new precedence/behavior (e.g., EngineConfig.Model sets it when provided, but engine.env can also set/override it).
When a user provides `engine.env` in a workflow frontmatter, the agentic engine token expression is automatically overridden with the user-supplied secret — in both the execution step and the secret validation step.

Changes Made

- `maps.Copy(env, workflowData.EngineConfig.Env)` and agent config env passthrough to `gemini_engine.go`'s `GetExecutionSteps`, bringing it in line with the Copilot, Claude, and Codex engines (which already had this support).
- `GenerateMultiSecretValidationStep` to accept `engine.env` overrides. When a token key (e.g. `COPILOT_GITHUB_TOKEN`) is overridden via `engine.env`, the validation step validates the user-supplied secret expression instead of the default `${{ secrets.KEY }}`.
- `engine.env` overrides `GEMINI_API_KEY` and passes through custom env vars.
- `TestCopilotEngineEnvOverridesTokenExpression` verifying `COPILOT_GITHUB_TOKEN` can be overridden via `engine.env`.
- `TestClaudeEngineEnvOverridesTokenExpression` verifying `ANTHROPIC_API_KEY` can be overridden via `engine.env`.
- `TestCodexEngineEnvOverridesTokenExpression` verifying `CODEX_API_KEY` can be overridden via `engine.env`.
- `TestGenerateMultiSecretValidationStepWithEnvOverrides` and `TestValidationStepUsesEngineEnvOverride` covering override behavior in the validation step for all 4 engines.

Example

With this configuration, both the execution step and the secret validation step will use `${{ secrets.MY_ORG_GEMINI_KEY }}` instead of the default `${{ secrets.GEMINI_API_KEY }}`.

Testing

`make fmt` passes with no changes
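As an added illustration, not code from this PR or from the project: a small Go model of the override rule described above, where each token key resolves to its `engine.env` override when present and to the default `${{ secrets.KEY }}` otherwise. It goes one step beyond the page by refusing an override that is not a `${{ secrets.* }}` expression, so a literal token pasted into `engine.env` is rejected before it can be written into the generated workflow; `ResolveSecretExpressions`, `ValidationEnvLines` and `secretExprRe` are names assumed here, not the project's `GenerateMultiSecretValidationStep`.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// secretExprRe accepts only GitHub Actions secret expressions such as
// ${{ secrets.MY_ORG_GEMINI_KEY }}. A literal token or any other expression
// is rejected so that no plaintext credential lands in the workflow file.
// (Assumed check for this example; the page does not state the project does this.)
var secretExprRe = regexp.MustCompile(`^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$`)

// ResolveSecretExpressions returns, for every token key an engine needs, the
// expression the validation step should check: the engine.env override when
// one is present, otherwise the default ${{ secrets.KEY }}.
func ResolveSecretExpressions(keys []string, overrides map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(keys))
	for _, key := range keys {
		expr := fmt.Sprintf("${{ secrets.%s }}", key)
		if override, ok := overrides[key]; ok {
			if !secretExprRe.MatchString(override) {
				return nil, fmt.Errorf("engine.env override for %s is not a secrets expression: %q", key, override)
			}
			expr = override
		}
		out[key] = expr
	}
	return out, nil
}

// ValidationEnvLines renders the resolved map as deterministic "KEY: expr"
// lines, the shape an install-time validation step's env block would take.
func ValidationEnvLines(resolved map[string]string) []string {
	keys := make([]string, 0, len(resolved))
	for k := range resolved {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	lines := make([]string, 0, len(keys))
	for _, k := range keys {
		lines = append(lines, k+": "+resolved[k])
	}
	return lines
}

func main() {
	// Constructed sample: Gemini engine with GEMINI_API_KEY overridden via engine.env.
	resolved, err := ResolveSecretExpressions([]string{"GEMINI_API_KEY"},
		map[string]string{"GEMINI_API_KEY": "${{ secrets.MY_ORG_GEMINI_KEY }}"})
	fmt.Println(ValidationEnvLines(resolved), err)
}
```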