Skip to content

Fix Claude engine routing for model-provider: github#46013

Open
pelikhan with Copilot wants to merge 15 commits into
mainfrom
copilot/fix-claude-configuration
Open

Fix Claude engine routing for model-provider: github#46013
pelikhan with Copilot wants to merge 15 commits into
mainfrom
copilot/fix-claude-configuration

Conversation

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

When model-provider: github is set on the Claude engine, the AWF anthropic proxy sidecar was still targeting api.anthropic.com — causing 401s because it was receiving a Copilot token. The harness resolves its endpoint from /reflect data and falls back to the only configured sidecar (anthropic, port 10001), bypassing the intended GitHub routing.

Changes

  • awf_config.go — When Claude engine uses model-provider: github and no explicit ANTHROPIC_BASE_URL is set, auto-configure the anthropic proxy target:

    "targets": { "anthropic": { "host": "api.githubcopilot.com", "authHeader": "Authorization" } }

    Switches from the default x-api-key header to Authorization to match Copilot API auth.

  • domains.go — Add api.githubcopilot.com to ClaudeDefaultDomains so the firewall permits the outbound connection.

  • compiler_validators.go — Emit an experimental feature warning when model-provider is overridden to a non-anthropic value on the Claude engine.


Generated by 👨‍🍳 PR Sous Chef · 26.2 AIC · ⌖ 8.22 AIC · ⊞ 7.5K ·
Comment /souschef to run again

…t.com, add domain, mark experimental

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Fix Claude engine configuration for GitHub provider Fix Claude engine routing for model-provider: github Jul 16, 2026
Copilot AI requested a review from pelikhan July 16, 2026 14:25
@pelikhan
pelikhan marked this pull request as ready for review July 16, 2026 14:28
Copilot AI review requested due to automatic review settings July 16, 2026 14:28
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #46013 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100).

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

@pelikhan

Copy link
Copy Markdown
Collaborator

/smoke-claude-on-copilot

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates gh-aw’s AWF (firewall) configuration generation so that when the Claude engine is configured with model-provider: github, the Anthropic proxy sidecar routes to GitHub Copilot’s inference endpoint (and the firewall allows the required outbound domain), preventing auth failures caused by sending Copilot tokens to api.anthropic.com.

Changes:

  • Auto-configure the AWF API proxy “anthropic” target to api.githubcopilot.com with Authorization header when Claude uses the GitHub provider (unless ANTHROPIC_BASE_URL is explicitly set).
  • Permit api.githubcopilot.com for Claude by adding it to default domain allowlists, and regenerate affected lock/golden artifacts.
  • Emit an experimental-feature warning when engine.model-provider is overridden to non-Anthropic on the Claude engine.
Show a summary per file
File Description
pkg/workflow/awf_config.go Adds conditional AWF target override for Claude+GitHub provider routing.
pkg/workflow/awf_config_test.go Adds tests covering the new Claude+GitHub provider AWF target behavior and precedence rules.
pkg/workflow/domains.go Adds api.githubcopilot.com to Claude default firewall domains.
pkg/workflow/compiler_validators.go Adds an experimental warning when Claude’s model-provider is set to a non-Anthropic value.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Updates golden output to reflect the new allowed domain.
.github/workflows/typist.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/skillet.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists (also updates header/manifest content).
.github/workflows/release.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists (also updates header/manifest content).
.github/workflows/github-mcp-tools-report.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/example-workflow-analyzer.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/detection-analysis-report.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/daily-token-consumption-report.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/daily-reliability-review.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/daily-choice-test.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/copilot-agent-analysis.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/ci-doctor.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/audit-workflows.lock.yml Regenerated lock to include api.githubcopilot.com in allowlists.
.github/workflows/agentic-auto-upgrade.yml Updates the scheduled cron time for the auto-upgrade workflow.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 39/69 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment thread .github/workflows/agentic-auto-upgrade.yml
Comment thread .github/workflows/skillet.lock.yml Outdated
Comment thread .github/workflows/release.lock.yml
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude on Copilot failed. Please review the logs for details.

@github-actions github-actions Bot mentioned this pull request Jul 16, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix is well-targeted and correctly handles the Claude + model-provider: github routing bug.

Summary

  • awf_config.go: When the Claude engine uses model-provider: github and no explicit ANTHROPIC_BASE_URL is set, auto-configures the anthropic sidecar to route to api.githubcopilot.com with an Authorization header.
  • compiler_validators.go: Emits an experimental-feature warning for claude engine.model-provider when a non-Anthropic provider is used.
  • domains.go: Adds api.githubcopilot.com to ClaudeDefaultDomains so the firewall allowlist includes the endpoint.
  • Tests: Both new test cases cover the happy path and the explicit-override precedence correctly.
  • Lock/golden files: Regenerated consistently.

Minor observation

api.githubcopilot.com is added to ClaudeDefaultDomains, meaning it is allowed for all Claude workflows even when model-provider is anthropic. This is a safe over-allowance (GitHub-owned domain), but could be tightened in a follow-up by conditionally injecting the domain only when the GitHub provider is active.

No blocking issues found.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 42 AIC · ⌖ 6.79 AIC · ⊞ 5K

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠\n\nApplied /diagnosing-bugs and /tdd — one minor gap noted, no blocking issues.\n\n
\n📋 Summary\n\n#### Positive Highlights\n\n- ✅ Root cause properly addressed: the else if guard correctly short-circuits when an explicit ANTHROPIC_BASE_URL is set, preserving user overrides.\n- ✅ Two targeted regression tests added (awf_config_test.go): one for the happy path and one for the explicit-override precedence case.\n- ✅ api.githubcopilot.com added to ClaudeDefaultDomains so the firewall allows the new sidecar route without extra user config.\n- ✅ Experimental-feature warning emitted for non-default providers on the Claude engine — good discoverability.\n- ✅ Comment in awf_config.go explains why Authorization replaces x-api-key; that context is easy to lose.\n\n#### One Gap\n\nThe new experimental-feature warning in compiler_validators.go:326 has no test in compiler_validators_test.go. Every other flag in that slice is covered; this one should be too. See inline comment.\n\n

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 49.7 AIC · ⌖ 4.48 AIC · ⊞ 6.7K
Comment /matt to run again

Comment thread pkg/workflow/compiler_validators.go
@github-actions

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 75/100 — Acceptable

Analyzed 2 new test(s): 2 design tests, 0 implementation tests, 0 violation(s).

📊 Metrics (2 tests)
Metric Value
Analyzed 2 (Go: 2, JS: 0)
✅ Design 2 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 1 (50%)
Duplicate clusters 0
Inflation Yes (4:1 ratio)
🚨 Violations 0
Test File Classification Issues
claude github provider routes anthropic sidecar to api.githubcopilot.com awf_config_test.go design_test (behavioral contract) None — happy path verified
claude github provider does not override explicit ANTHROPIC_BASE_URL awf_config_test.go design_test (behavioral contract) None — precedence edge case verified

Analysis Summary

✅ Strengths:

  • Both tests validate critical behavioral contracts around engine routing and precedence
  • Proper build tag present (//go:build !integration)
  • All 5 assertions have descriptive failure messages
  • Test 2 covers important edge case: explicit env vars override defaults
  • No mocking violations or forbidden patterns

⚠️ Notes:

  • Test inflation ratio: 48 test lines / 12 production lines = 4:1 (exceeds 2:1 threshold)
  • While the ratio is high, it's justified by comprehensive coverage of a critical auth pathway
  • Both tests validate user-visible behavior (routing configuration)

Verdict

Tests passed review. 0% implementation tests (threshold: 30%). No guideline violations. Design coverage is strong for this critical configuration change.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 15.9 AIC · ⌖ 10.3 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 75/100. 0% implementation tests (threshold: 30%). All tests validate behavioral contracts with proper build tags and assertions.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Routing logic is correct and tests cover the key scenarios well. One minor observation below.

🔎 Code quality review by PR Code Quality Reviewer · 81.9 AIC · ⌖ 4.25 AIC · ⊞ 5.6K
Comment /review to run again

@pelikhan

Copy link
Copy Markdown
Collaborator

Copilot AI and others added 2 commits July 16, 2026 15:03
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… not anthropic

When model-provider: github is set on the Claude engine, AWF should configure the
copilot provider (port 10002) to forward to api.githubcopilot.com. The driver already
sets ANTHROPIC_BASE_URL to http://host.docker.internal:10002 (copilot proxy port), and
the harness resolves the endpoint from /reflect — which now correctly maps
provider=github → copilot → http://api-proxy:10002 instead of falling back to
the only-configured anthropic proxy.

Previously the anthropic sidecar (port 10001) was configured to target
api.githubcopilot.com, but the harness was sending all traffic there via the
copilot proxy port anyway, making that configuration wrong. The fix ensures
the copilot proxy is marked as configured in AWF so /reflect correctly routes
the claude harness to the copilot endpoint.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address the unresolved review feedback below, investigate the failed smoke run, and rerun checks once the branch is up to date.

Unresolved review threads:

Failed checks:

Generated by 👨🍳 PR Sous Chef
Comment /souschef to run again

Generated by 👨‍🍳 PR Sous Chef · 26.2 AIC · ⌖ 8.22 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…epo slug detection

- compile_orchestrator.go: isLocalhostOrigin() skips GHES mode for localhost:PORT
  origins (CI agent proxies), preventing SkipHardcodedFallback from being set and
  restoring # v7.0.0 version annotations in lock files
- git.go: fall back to GITHUB_REPOSITORY env var when git remote URL cannot be parsed
  as a GitHub host, fixing schedule scattering for agentic-auto-upgrade.yml in agent envs
- compile_orchestrator_host_test.go: add test for localhost remote not treated as GHES

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address the unresolved review feedback below, and rerun checks once the branch is ready.

Unresolved review threads:...

All three threads were already replied to in earlier commits. To summarize the current state:

  • agentic-auto-upgrade.yml schedule (r3596372593): The root cause was that the agent environment uses a localhost:PORT git remote, which caused getRepositorySlugFromDirPreferringUpstream to return "" → wrong scatter seed → wrong cron. Fixed in the latest commit by falling back to GITHUB_REPOSITORY env var when the remote URL can't be parsed as a GitHub host. Schedule is now consistently "11 4 * * 6" (correct for github/gh-aw).

  • release.lock.yml / skillet.lock.yml SHA version comments (r3596372676, r3596372641): Same root cause — localhost:PORT origin triggered GHES mode (SkipHardcodedFallback=true), causing # v7.0.0 to degrade to raw SHA comments on recompile. Fixed by isLocalhostOrigin() in compile_orchestrator.go — localhost remotes are no longer treated as GHES. All lock files now produce # v7.0.0 annotations consistently.

  • Test coverage for claude engine.model-provider warning (r3596399223): TestEmitExperimentalFeatureWarningsClaudeModelProvider with 5 subtests was added in commit 5386d39.

make agent-report-progress (check-stale-lock-files + build + fmt + lint + test-unit + check-workflow-drift) passes. One pre-existing test failure (TestCloseExistingOrgIssuesByMarkerSkipsPRsAndPaginates) is unrelated to this PR — it expects --hostname github.com but gets --hostname localhost:PORT in the agent environment.

CI re-trigger needed to verify the smoke test passes on HEAD.

@pelikhan

Copy link
Copy Markdown
Collaborator

/smoke-claude-on-copilot

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude on Copilot failed. Please review the logs for details.

… remotes

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, resolve the remaining unresolved review threads listed below, and rerun the smoke/check workflows on the current HEAD once the branch is ready.

Unresolved...

All items addressed. Summary of what was done in this pass:

Review threads (all have been replied to; reviewers can now resolve):

  • r3596372593 (auto-upgrade schedule): Outdated — schedule is "11 4 * * 6" since 5386d39. Root cause fixed in e840a97.
  • r3596372676 (release.lock.yml version comments): Outdated — # v7.0.0 annotations restored since 5386d39. Root cause fixed in e840a97.
  • r3596399223 (test coverage): TestEmitExperimentalFeatureWarningsClaudeModelProvider with 5 subtests added in 5386d39, all passing.

Additional fix in this pass:

  • getHostFromOriginRemote() now falls back to github.com for localhost remotes (same pattern as isLocalhostOrigin() used elsewhere), fixing the pre-existing TestCloseExistingOrgIssuesByMarkerSkipsPRsAndPaginates failure that was blocking make agent-report-progress.

Local validation: make fmt ✅, make lint ✅, make test-unit ✅, make agent-report-progress

CI re-trigger needed from a maintainer to verify the smoke test on HEAD.

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot review and figure out the failure in https://github.com/github/gh-aw/actions/runs/29526411109

…c proxy (port 10001)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan

Copy link
Copy Markdown
Collaborator

/smoke-claude-on-copilot

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address any unresolved review feedback, investigate the failed checks listed on this PR if applicable, and rerun checks once the branch is ready.

Generated by 👨‍🍳 PR Sous Chef · 8.18 AIC · ⌖ 7.29 AIC · ⊞ 7.5K ·
Comment /souschef to run again

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude on Copilot failed. Please review the logs for details.

… used instead of PAT

api.githubcopilot.com rejects Personal Access Tokens (COPILOT_GITHUB_TOKEN) with
"400 Personal Access Tokens are not supported for this endpoint". Adding the
copilot-requests: write permission causes llmProviderSecretExpression to return
github.token instead, which is accepted by the Copilot API endpoint.

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address any unresolved review feedback, investigate the failed checks listed on this PR if applicable, and rerun checks once the branch is ready.

...

Investigated the latest smoke failure (run 29536903527) and fixed it in the latest commit.

Root cause: The smoke workflow lacked copilot-requests: write permission, so llmProviderSecretExpression returned ${{ secrets.COPILOT_GITHUB_TOKEN }} (a PAT) as ANTHROPIC_API_KEY. The AWF anthropic proxy at port 10001 (configured to target api.githubcopilot.com with Authorization header) forwarded this PAT, which the endpoint rejected: 400 checking third-party user token: Personal Access Tokens are not supported for this endpoint.

Fix: Added copilot-requests: write to the smoke workflow's permissions. Now llmProviderSecretExpression returns ${{ github.token }} which is accepted by api.githubcopilot.com.

Local validation: make agent-report-progress passes (0 errors, lock files in sync).

Still needed: CI re-trigger by a maintainer to verify the smoke test passes on HEAD.

All three unresolved review threads are outdated (addressed in earlier commits — 5386d39 and e840a97); reviewers can resolve them.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, resolve the remaining unresolved review threads, investigate the failed checks listed below, and rerun checks once the branch is ready.

Unresolved review threads:

Failed checks:

The threads already have author follow-up replies; please verify the current HEAD, resolve any stale review state, and get the smoke run green.

Generated by PR Sous Chef: https://github.com/github/gh-aw/actions/runs/29560675416

Generated by 👨‍🍳 PR Sous Chef · 7.25 AIC · ⌖ 6.05 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Copilot AI commented Jul 17, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, resolve the remaining unresolved review threads, investigate the failed checks listed below, and rerun checks once the branch is ready.

Unresolved review ...

All review threads are now resolved (verified via the GitHub API).

Current state of the failing check: Run 29536903527 failed on SHA 7becc9f with 400 Personal Access Tokens are not supported for this endpoint. The fix (commit e7af2f2) adds copilot-requests: write to the smoke workflow's permissions so llmProviderSecretExpression returns ${{ github.token }} (accepted by api.githubcopilot.com) instead of ${{ secrets.COPILOT_GITHUB_TOKEN }} (a PAT, rejected). No new smoke run has been triggered on HEAD yet.

Local validation: make agent-report-progress passes — 0 errors, all lock files in sync.

Still needed: A maintainer needs to re-trigger /smoke-claude-on-copilot on the current HEAD to confirm the fix before merge.

@github-actions

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category bug
Risk high
Score 72/100 (impact:35, urgency:22, quality:15)
Action fast_track

Rationale: Claude engine routing fix for model-provider:github — prevents 401s caused by anthropic sidecar targeting api.anthropic.com with a Copilot token. CI copilot check passing. GHA approved multiple times. High impact correctness fix — expedite.

Generated by 🔧 PR Triage Agent · 166.4 AIC · ⌖ 6.15 AIC · ⊞ 5.6K ·

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants