refactor: consolidate env-var forwarding in docker-manager.ts into typed arrays + loops#2434
Conversation
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
There was a problem hiding this comment.
Pull request overview
Refactors generateDockerCompose()’s default environment-variable passthrough logic in docker-manager.ts to reduce scattered conditional forwarding and make the “don’t leak API keys when api-proxy is enabled” boundary more structurally obvious.
Changes:
- Consolidates non-secret passthrough vars (GitHub auth, user env, enterprise URLs, Actions OIDC, Docker client env) into a single
alwaysForwardVarsas constlist and loop. - Groups provider API key passthrough under a single
if (!config.enableApiProxy)guard with a dedicated loop. - Keeps
TERMpassthrough as a standalone special case behind!config.tty.
Show a summary per file
| File | Description |
|---|---|
| src/docker-manager.ts | Consolidates env-var forwarding into typed arrays + loops while preserving api-proxy credential isolation behavior. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 0
|
Smoke Test Results ✅ GitHub MCP: #2417, #2409 Status: PASS
|
🔥 Smoke Test Results
PR: refactor: consolidate env-var forwarding in docker-manager.ts into typed arrays + loops Overall: PARTIAL — MCP ✅, other checks indeterminate due to missing pre-step outputs.
|
Smoke Test: Copilot BYOK (Offline) Mode
Running in BYOK offline mode ( Author: Overall: PARTIAL PASS — BYOK inference and MCP work; pre-step smoke data (
|
Chroot Smoke Test Results
Result: ❌ Not all runtimes match — Python and Node.js versions differ between host and chroot.
|
|
Merged PR titles: feat: add 4 agentic code quality workflows; refactor(api-proxy): extract ProviderAdapter abstraction, make core provider-agnostic Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
Smoke Test Results
Overall: FAIL — service containers are not reachable from this environment via
|
15 individual
if-guard lines for env-var passthrough were inconsistent with the existing loop pattern used for Docker client vars, and made the!config.enableApiProxycredential-isolation boundary easy to violate when adding new API-key vars.Changes
alwaysForwardVarsarray + single loop — merges GitHub auth tokens, user env, enterprise/Actions URLs, and the previously separatedockerClientEnvVarsarray into one typedas constarray iterated by a single loop!config.enableApiProxyguard —OPENAI_API_KEY,CODEX_API_KEY,ANTHROPIC_API_KEY,COPILOT_GITHUB_TOKEN,COPILOT_API_KEYgrouped explicitly so the credential-isolation boundary is structurally visibleTERMkept as a standalone special case — retains its distinct!config.ttyguard