Skip to content

Deduplicate provider auth header construction across runtime, validation, and model fetch paths#5836

Merged
lpcox merged 2 commits into
mainfrom
copilot/refactor-auth-header-construction
Jul 3, 2026
Merged

Deduplicate provider auth header construction across runtime, validation, and model fetch paths#5836
lpcox merged 2 commits into
mainfrom
copilot/refactor-auth-header-construction

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Provider adapters were rebuilding security-sensitive auth headers in separate code paths (request forwarding, startup validation, and model fetch), creating drift risk between OIDC and static-key behavior. This change centralizes header construction per provider and reuses the same factories across those paths.

  • Anthropic: unify OIDC/static auth header building

    • Added shared local builders for:
      • OIDC bearer headers
      • static-key headers
      • fallback resolution used by validation + model fetch
    • Rewired runtime getAuthHeaders to reuse the same builders instead of rebuilding inline.
    • Preserved provider-specific additions (anthropic-version, content-type, anthropic-beta behavior) unchanged.
  • OpenAI: collapse duplicated token/static header factories

    • Introduced a single token header factory (buildTokenAuthHeaders) used for both static-key and OIDC token shapes.
    • Reused a single static header factory for validationHeaders, modelsFetchHeaders, and runtime fallback.
    • Kept custom header behavior (AWF_OPENAI_AUTH_HEADER) and ****** intact.
  • Gemini: single header factory for all paths

    • Extracted buildAuthHeaders() and reused it in runtime auth, validation headers, and model fetch headers.
    • Eliminated repeated x-goog-api-key literals without changing behavior.

Example of the new shared-pattern direction:

const buildAuthHeaders = () => ({ 'x-goog-api-key': apiKey });

validationHeaders: buildAuthHeaders,
modelsFetchHeaders: buildAuthHeaders,
getAuthHeaders() {
  return buildAuthHeaders();
}

Copilot AI changed the title [WIP] Refactor duplicate auth header construction in provider adapters Deduplicate provider auth header construction across runtime, validation, and model fetch paths Jul 2, 2026
Copilot finished work on behalf of lpcox July 2, 2026 23:43
Copilot AI requested a review from lpcox July 2, 2026 23:43
@lpcox lpcox marked this pull request as ready for review July 3, 2026 01:41
Copilot AI review requested due to automatic review settings July 3, 2026 01:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reduces drift risk in security-sensitive provider authentication by centralizing and reusing auth header construction across runtime forwarding, startup validation, and model-fetch paths for the API proxy providers.

Changes:

  • OpenAI: Introduces a shared token/static header builder and reuses it for validation, models fetch, and runtime fallback selection (including AWF_OPENAI_AUTH_HEADER behavior).
  • Gemini: Extracts a single buildAuthHeaders() factory and reuses it across validation, models fetch, and runtime auth headers.
  • Anthropic: Factors OIDC/static header builders and a shared “resolve with fallback” helper to keep validation/model fetch aligned with runtime behavior.
Show a summary per file
File Description
containers/api-proxy/providers/openai.js Deduplicates token/static auth header construction and reuses the same factories across validation, model fetch, and runtime auth.
containers/api-proxy/providers/gemini.js Extracts a single Gemini header factory and reuses it across all adapter paths.
containers/api-proxy/providers/anthropic.js Centralizes OIDC/static header building and shared fallback resolution for validation/models while preserving request-time Anthropic header additions.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Security Guard failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR #5836 appears to follow the applicable contribution guidelines based on the prefetched metadata, diff, and CONTRIBUTING.md. The changes are a refactor with clear description, appropriate file placement under containers/, and no new user-facing functionality requiring documentation or tests.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.62% 98.66% 📈 +0.04%
Statements 98.51% 98.55% 📈 +0.04%
Functions 99.56% 99.56% ➡️ +0.00%
Branches 94.42% 94.42% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 93.0% → 94.8% (+1.74%) 93.0% → 94.8% (+1.74%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions github-actions Bot mentioned this pull request Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode - PASS

✅ GitHub.com connectivity (HTTP 200)
✅ File I/O operations
✅ Direct BYOK inference active via api-proxy → api.githubcopilot.com

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5836 · 35.6 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

Test Status
GitHub MCP Connectivity
GitHub.com HTTP ✅ (200)
File Write/Read ⚠️ (template vars unresolved in workflow)

Overall: PASS

PR author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

Test Status
GitHub MCP connectivity
GitHub.com HTTP
File write/read

Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN)

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode — Azure OpenAI (Foundry, api-key)

✅ MCP connectivity
✅ GitHub.com connectivity
✅ File I/O
✅ BYOK inference

Overall: PASS
Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

@lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is unreachable from this runner. Service containers are not accessible.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results (Gemini)

  • GitHub MCP Testing: ❌ (Unable to list PRs)
  • GitHub.com Connectivity: ❌ (Status 000)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Details
Module Loading otel.js loads successfully; exports 13 functions including startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
Test Suite 59 tests passed, 0 failed across 2 suites (otel.test.js, otel-fanout.test.js)
Env Var Forwarding src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
Token Tracker Integration onUsage callback exists in token-tracker-http.js (lines 283, 324) as the OTEL hook point
OTEL Diagnostics No live spans exported (no OTLP endpoint configured); graceful degradation confirmed via FileSpanExporter fallback

Overall: All scenarios pass.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): Maven's default ~/.m2/repository was owned by root (no runner write access). Used -Dmaven.repo.local=/tmp/gh-aw/agent/m2repo to override. All tests passed once the writable location was set.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5836 · 33.8 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@lpcox

✅ MCP connectivity
✅ GitHub.com connectivity
✅ File write/read test
✅ BYOK inference test

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

refactor(api-proxy): dedupe provider auth headers ✅
chore: upgrade gh-aw to v0.82.2 pre-release and recompile workflows ✅
fix: chmod squid logs inside container before compose down ✅
Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@lpcox lpcox merged commit 1546719 into main Jul 3, 2026
86 of 90 checks passed
@lpcox lpcox deleted the copilot/refactor-auth-header-construction branch July 3, 2026 04:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment