
Update agentic engine token handling to use user-provided secrets#18017

Merged
pelikhan merged 4 commits into main from copilot/update-agentic-engine-token
Feb 24, 2026

Conversation

Contributor

Copilot AI commented Feb 24, 2026

When a user provides engine.env in a workflow frontmatter, the agentic engine token expression is automatically overridden with the user-supplied secret — in both the execution step and the secret validation step.

Changes Made

  • Gemini engine: Added maps.Copy(env, workflowData.EngineConfig.Env) and agent config env passthrough to gemini_engine.go's GetExecutionSteps, bringing it in line with the Copilot, Claude, and Codex engines (which already had this support).
  • Secret validation step: Modified GenerateMultiSecretValidationStep to accept engine.env overrides. When a token key (e.g. COPILOT_GITHUB_TOKEN) is overridden via engine.env, the validation step validates the user-supplied secret expression instead of the default ${{ secrets.KEY }}.
  • Tests — Gemini: Added tests verifying engine.env overrides GEMINI_API_KEY and passes through custom env vars.
  • Tests — Copilot: Added TestCopilotEngineEnvOverridesTokenExpression verifying COPILOT_GITHUB_TOKEN can be overridden via engine.env.
  • Tests — Claude: Added TestClaudeEngineEnvOverridesTokenExpression verifying ANTHROPIC_API_KEY can be overridden via engine.env.
  • Tests — Codex: Added TestCodexEngineEnvOverridesTokenExpression verifying CODEX_API_KEY can be overridden via engine.env.
  • Tests — Validation step: Added TestGenerateMultiSecretValidationStepWithEnvOverrides and TestValidationStepUsesEngineEnvOverride covering override behavior in the validation step for all 4 engines.

Example

engine:
  id: gemini  # or copilot, claude, codex
  env:
    GEMINI_API_KEY: ${{ secrets.MY_ORG_GEMINI_KEY }}

With this configuration, both the execution step and the secret validation step will use ${{ secrets.MY_ORG_GEMINI_KEY }} instead of the default ${{ secrets.GEMINI_API_KEY }}.

Testing

  • make fmt passes with no changes
  • ✅ All new and existing engine tests pass

…rovided in Gemini engine

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Contributor

@copilot add the same support for copilot, claude, codex

@pelikhan
Contributor

https://gh.io/copilot-coding-agent-docs add the same support for copilot, claude, codex

@pelikhan
Contributor

@copilot add the same support for copilot, claude, codex

…dex engines

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 24, 2026

@copilot add the same support for copilot, claude, codex

Added tests verifying engine.env overrides the default token expression for Copilot (COPILOT_GITHUB_TOKEN), Claude (ANTHROPIC_API_KEY), and Codex (CODEX_API_KEY) in commit 65478c4. The code support already existed in all three engines — this commit adds test coverage to confirm and document that behavior.

Copilot AI changed the title from "[WIP] Update agentic engine token handling to use user-provided secrets" to "Update agentic engine token handling to use user-provided secrets" on Feb 24, 2026
@pelikhan
Contributor

@copilot make sure the override applies to the validation step: the overridden value is validated.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 24, 2026

@copilot make sure the override applies to the validation step: the overridden value is validated.

Done in commit 133f576. GenerateMultiSecretValidationStep now accepts an envOverrides map[string]string parameter. When a key in the validation step's env: section matches an engine.env override, the user-provided expression (e.g. ${{ secrets.MY_ORG_TOKEN }}) is used instead of the default ${{ secrets.KEY }}. All 4 engine callers (copilot, claude, codex, gemini) pass the engine.env overrides to the validation step.

@pelikhan pelikhan marked this pull request as ready for review February 24, 2026 02:21
Copilot AI review requested due to automatic review settings February 24, 2026 02:21
Contributor

Copilot AI left a comment

Pull request overview

Updates agentic engine secret/token handling so engine.env can override default token secret expressions consistently across execution steps and the install-time secret validation step.

Changes:

  • Extend GenerateMultiSecretValidationStep to accept engine.env overrides and validate the overridden secret expression instead of the default ${{ secrets.KEY }}.
  • Add engine.env passthrough (and agent config env passthrough) to Gemini execution steps for parity with other engines.
  • Add/expand tests across engines and secret validation to cover token-expression overrides and custom env vars.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

File | Description
--- | ---
pkg/workflow/agentic_engine.go | Adds envOverrides support to multi-secret validation env generation.
pkg/workflow/engine_helpers.go | Introduces helper to pass engine.env overrides into common install-step generation.
pkg/workflow/gemini_engine.go | Copies engine.env (and agent env) into Gemini execution env; passes overrides to validation step.
pkg/workflow/copilot_engine_installation.go | Passes engine.env overrides into Copilot's secret validation step.
pkg/workflow/claude_engine.go | Passes engine.env overrides into Claude's secret validation step.
pkg/workflow/secret_validation_test.go | Updates existing tests for new signature and adds override-focused validation tests.
pkg/workflow/gemini_engine_test.go | Adds tests verifying Gemini token override and custom env passthrough.
pkg/workflow/copilot_engine_test.go | Adds tests verifying Copilot token override and extra env vars.
pkg/workflow/claude_engine_test.go | Adds tests verifying Claude token override and extra env vars.
pkg/workflow/codex_engine_test.go | Adds tests verifying Codex token override and extra env vars.

Comment on lines +273 to +288
	// Set the model environment variable only when explicitly configured.
	// When model is configured, use the native GEMINI_MODEL env var - the Gemini CLI reads it
	// directly, avoiding the need to embed the value in the shell command (which would fail
	// template injection validation for GitHub Actions expressions like ${{ inputs.model }}).
	// When model is not configured, let the Gemini CLI use its built-in default model.
	if modelConfigured {
		geminiLog.Printf("Setting %s env var for model: %s", constants.GeminiCLIModelEnvVar, workflowData.EngineConfig.Model)
		env[constants.GeminiCLIModelEnvVar] = workflowData.EngineConfig.Model
	}

	// Add custom environment variables from engine config.
	// This allows users to override the default engine token expression (e.g.
	// GEMINI_API_KEY: ${{ secrets.MY_ORG_GEMINI_KEY }}) via engine.env.
	if workflowData.EngineConfig != nil && len(workflowData.EngineConfig.Env) > 0 {
		maps.Copy(env, workflowData.EngineConfig.Env)
	}

Copilot AI Feb 24, 2026

The comment above the GEMINI model env var says it’s only set when explicitly configured and otherwise the CLI default is used. With the new engine.env passthrough (maps.Copy(env, workflowData.EngineConfig.Env)), users can now set/override GEMINI_MODEL via engine.env even when EngineConfig.Model is empty, so the comment is no longer accurate. Please update the comment to reflect the new precedence/behavior (e.g., EngineConfig.Model sets it when provided, but engine.env can also set/override it).
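An added illustration, not the project's own code, of the two behaviours this thread settles on: the envOverrides resolution for the secret validation step (default `${{ secrets.KEY }}` unless engine.env overrides the key) and the model-variable precedence the review comment asks to document. EngineConfig, defaultTokenKey, validationEnv and executionEnv are assumed stand-ins for the real types and helpers; the sample frontmatter values are constructed.

```go
package main

import (
	"fmt"
	"maps"
)

// EngineConfig is an assumed stand-in for the project's workflowData.EngineConfig.
type EngineConfig struct {
	ID    string
	Model string            // optional model from frontmatter
	Env   map[string]string // user-provided engine.env from frontmatter
}

// Default token key per engine, as listed in the PR description.
var defaultTokenKey = map[string]string{
	"copilot": "COPILOT_GITHUB_TOKEN", "claude": "ANTHROPIC_API_KEY",
	"codex": "CODEX_API_KEY", "gemini": "GEMINI_API_KEY",
}

// validationEnv builds the validation step's env: each required key defaults to
// ${{ secrets.KEY }} unless engine.env overrides it; the override is then what gets validated.
func validationEnv(required []string, envOverrides map[string]string) map[string]string {
	env := make(map[string]string, len(required))
	for _, key := range required {
		env[key] = fmt.Sprintf("${{ secrets.%s }}", key)
		if v, ok := envOverrides[key]; ok {
			env[key] = v
		}
	}
	return env
}

// executionEnv applies the precedence the review comment asks to document: the default
// token expression, then EngineConfig.Model when set, then engine.env, which overrides both.
func executionEnv(cfg EngineConfig, modelEnvVar string) map[string]string {
	env := validationEnv([]string{defaultTokenKey[cfg.ID]}, nil)
	if cfg.Model != "" {
		env[modelEnvVar] = cfg.Model
	}
	maps.Copy(env, cfg.Env) // engine.env wins over the defaults set above
	return env
}

func main() {
	// Constructed sample frontmatter: token overridden and model var set via engine.env.
	cfg := EngineConfig{ID: "gemini", Env: map[string]string{
		"GEMINI_API_KEY": "${{ secrets.MY_ORG_GEMINI_KEY }}", "GEMINI_MODEL": "example-model"}}
	fmt.Println("validation:", validationEnv([]string{defaultTokenKey[cfg.ID]}, cfg.Env))
	fmt.Println("execution: ", executionEnv(cfg, "GEMINI_MODEL"))
}
```

Note that the validation env only ever contains the required token keys, so an engine.env entry such as GEMINI_MODEL reaches the execution step but is not itself validated as a secret.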

@pelikhan pelikhan merged commit 7d5cc39 into main Feb 24, 2026
120 checks passed
@pelikhan pelikhan deleted the copilot/update-agentic-engine-token branch February 24, 2026 02:29