fix: restore GITHUB_API_URL in agent container when api-proxy is enabled #1420

Merged
lpcox merged 2 commits into fix/claude-api-key-helper-settings-path from copilot/fix-github-actions-workflow-agent
Mar 24, 2026

Copilot AI commented Mar 24, 2026

Commit 5a56789 incorrectly excluded GITHUB_API_URL from the agent container when --enable-api-proxy is active, causing the Copilot CLI to fail immediately with "Authentication failed". The Copilot CLI needs GITHUB_API_URL to locate the GitHub API; it already routes Copilot-specific calls (token exchange, inference) through COPILOT_API_URL → api-proxy regardless.

Evidence

Comparing the failing branch against a successful run (worktree-audit-observability):

| Run | GITHUB_API_URL in container | Result |
|---|---|---|
| Successful run | ✅ present | Authenticated, ran ~4.5 min |
| Failing runs (×3) | ❌ excluded | Failed in 1.24s with "Authentication failed" |

Changes

  • src/docker-manager.ts: Remove EXCLUDED_ENV_VARS.add('GITHUB_API_URL') from the api-proxy block; make the GITHUB_API_URL forwarding unconditional (matches the working pre-regression behavior):
    - if (process.env.GITHUB_API_URL && !config.enableApiProxy) environment.GITHUB_API_URL = ...;
    + if (process.env.GITHUB_API_URL) environment.GITHUB_API_URL = ...;
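
Review bot: The condition on the `+` line now forwards GITHUB_API_URL to whatever agent runs in the container, while the justification given for dropping `!config.enableApiProxy` is specific to the Copilot CLI. Either confirm that every agent started in api-proxy mode is meant to receive the variable, or keep a guard for the ones that do not need it, and say which in a comment on the line.
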
  • src/docker-manager.test.ts: Flip the expectation — GITHUB_API_URL should be present even when api-proxy is enabled, alongside COPILOT_API_URL.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/github/gh-aw-firewall/actions/jobs/68429069221
    • Triggering command: /usr/bin/gh gh run view 23510263213 --log --job 68429069221 (http block)
  • https://api.github.com/repos/github/gh-aw-firewall/actions/runs/23510263213/artifacts
    • Triggering command: /usr/bin/gh gh run download 23510263213 --name agent-artifacts --dir /tmp/agent-artifacts-run (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Fix the failing GitHub Actions workflow agent
Analyze the workflow logs, identify the root cause of the failure, and implement a fix.
Job ID: 68429069221
Job URL: https://github.com/github/gh-aw-firewall/actions/runs/23510263213/job/68429069221


Root cause: commit 5a56789 excluded GITHUB_API_URL from the agent container
when api-proxy is enabled, based on the incorrect theory that its presence
would cause the Copilot CLI to route token exchange through api.github.com
with the placeholder token.

Evidence from CI logs: successful runs (worktree-audit-observability) had
GITHUB_API_URL present and worked; all failing runs lacked it and failed
immediately with "Authentication failed" after ~1.2 seconds.

The Copilot CLI needs GITHUB_API_URL to locate the GitHub API. Its
Copilot-specific calls (token exchange, inference) already route through
COPILOT_API_URL → api-proxy regardless of GITHUB_API_URL being set.

Fix:
- Remove EXCLUDED_ENV_VARS.add('GITHUB_API_URL') from api-proxy block
- Change conditional GITHUB_API_URL assignment to unconditional
- Update test to expect GITHUB_API_URL present even with api-proxy enabled

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/db4a1afe-02b9-43f2-bfae-41febbcbc8b5
Copilot AI changed the title from "[WIP] Fix failing GitHub Actions workflow agent" to "fix: restore GITHUB_API_URL in agent container when api-proxy is enabled" Mar 24, 2026
Copilot AI requested a review from lpcox March 24, 2026 20:51
@lpcox lpcox marked this pull request as ready for review March 24, 2026 21:08
@lpcox lpcox requested a review from Mossaka as a code owner March 24, 2026 21:08
Copilot AI review requested due to automatic review settings March 24, 2026 21:08
@lpcox lpcox merged commit cfb3f33 into fix/claude-api-key-helper-settings-path Mar 24, 2026
@lpcox lpcox deleted the copilot/fix-github-actions-workflow-agent branch March 24, 2026 21:08

Copilot AI left a comment

Pull request overview

Restores forwarding of GITHUB_API_URL into the agent container even when --enable-api-proxy is enabled, fixing Copilot CLI authentication regressions caused by removing that env var from the container environment.

Changes:

  • Stop excluding GITHUB_API_URL from the agent environment when api-proxy is enabled.
  • Make GITHUB_API_URL forwarding unconditional (when set) in generateDockerCompose.
  • Update the unit test expectation so GITHUB_API_URL is present alongside COPILOT_API_URL under --env-all.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| src/docker-manager.ts | Ensures GITHUB_API_URL is no longer excluded/conditionally forwarded when api-proxy is enabled. |
| src/docker-manager.test.ts | Updates unit test to expect GITHUB_API_URL to be present with api-proxy + envAll. |

Comment on lines +591 to +596
// GITHUB_API_URL — always pass when set. The Copilot CLI needs it to locate the GitHub API
// (especially on GHES/GHEC where the URL differs from api.github.com).
// Copilot-specific API calls (inference and token exchange) always route through
// COPILOT_API_URL → api-proxy when api-proxy is enabled, so GITHUB_API_URL does not
// interfere with credential isolation.
if (process.env.GITHUB_API_URL) environment.GITHUB_API_URL = process.env.GITHUB_API_URL;
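
Review bot: The truthiness check on the last line passes the host value into the container unvalidated, and the comment above it points out that on GHES/GHEC the URL differs from api.github.com. Consider checking that the value parses as a URL before assigning it, so a malformed setting fails when the compose file is generated instead of surfacing later as "Authentication failed" inside the agent.
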
Copilot AI Mar 24, 2026

This change makes GITHUB_API_URL available in the agent when --enable-api-proxy is on, but the integration test tests/integration/api-proxy.test.ts still asserts the opposite ("should exclude GITHUB_API_URL…"). That test will now fail in CI (Integration Tests workflow runs --testPathPatterns="api-proxy"), so it should be updated/renamed to reflect the new intended behavior (expect GITHUB_API_URL to be present).
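
The behavior the review comment above wants the integration test to reflect can be checked against any generated agent environment. The following TypeScript is an added example, not part of the pull request or the gh-aw-firewall code base; `auditAgentEnv`, the credential variable list, the proxy hostname and all sample values are assumptions constructed for illustration.

```typescript
// Added example, not gh-aw-firewall code. CREDENTIAL_VARS, proxyHost and all
// sample values below are assumptions or constructed for illustration.
type Env = Record<string, string | undefined>;

const CREDENTIAL_VARS = ["GITHUB_TOKEN", "GH_TOKEN", "COPILOT_GITHUB_TOKEN"];

function hostnameOf(url: string | undefined): string {
  try {
    return url ? new URL(url).hostname : "";
  } catch {
    return ""; // an unparsable URL counts as "not pointing at the proxy"
  }
}

// Returns findings for an agent container environment; empty means it passes.
function auditAgentEnv(host: Env, agent: Env, enableApiProxy: boolean, proxyHost: string): string[] {
  const findings: string[] = [];
  // The regression on this page: the CLI cannot locate the GitHub API without it.
  if (host["GITHUB_API_URL"] && agent["GITHUB_API_URL"] !== host["GITHUB_API_URL"]) {
    findings.push("GITHUB_API_URL missing or altered in agent");
  }
  if (!enableApiProxy) return findings;
  // Copilot-specific calls must be aimed at the api-proxy.
  if (hostnameOf(agent["COPILOT_API_URL"]) !== proxyHost) {
    findings.push("COPILOT_API_URL does not point at the api-proxy");
  }
  // Credential isolation: no host secret may appear verbatim in the agent.
  for (const name of CREDENTIAL_VARS) {
    if (host[name] && agent[name] === host[name]) {
      findings.push(`${name} in agent equals the host secret`);
    }
  }
  return findings;
}

// Constructed sample environments.
const HOST_ENV: Env = {
  GITHUB_API_URL: "https://ghes.example.test/api/v3",
  GITHUB_TOKEN: "constructed-real-token",
};
const FIXED_AGENT: Env = {
  GITHUB_API_URL: "https://ghes.example.test/api/v3",
  COPILOT_API_URL: "http://api-proxy.example.test:8080",
  GITHUB_TOKEN: "constructed-placeholder",
};
const REGRESSED_AGENT: Env = { ...FIXED_AGENT, GITHUB_API_URL: undefined };
const LEAKY_AGENT: Env = { ...FIXED_AGENT, GITHUB_TOKEN: HOST_ENV["GITHUB_TOKEN"] };

console.log(auditAgentEnv(HOST_ENV, REGRESSED_AGENT, true, "api-proxy.example.test"));
```

The same function covers both directions of the change: it flags the pre-fix environment for the missing URL and would flag a later change that forwards a real token alongside it.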

@github-actions

Oracle Smoke Verdict

🔮 The ancient spirits stir; the firewall omens are read.

  • PR: fix: restore GITHUB_API_URL in agent container when api-proxy is enabled
  • PR: fix: exclude GITHUB_API_URL from agent container when api-proxy is enabled
  • GitHub MCP merged PR review: ✅
  • safeinputs-gh PR query: ❌ (tool unavailable in this runtime)
  • Playwright title contains "GitHub": ✅
  • Tavily search returned results: ❌ (Tavily MCP unavailable)
  • File write + cat verification: ✅
  • Discussion query + oracle comment: ❌ (required discussion tool unavailable)
  • npm ci && npm run build: ✅
    Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • ab.chatgpt.com
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "registry.npmjs.org"

See Network Configuration for more information.
