refactor(api-proxy): dedupe Azure OIDC helpers via shared github-oidc module

[Copilot]

Bug Fix

OidcTokenProvider in the Azure path was maintaining a second copy of GitHub OIDC minting/HTTP/proxy helper logic already centralized in github-oidc.js. This change removes that duplicate security-critical implementation so Azure, AWS, and GCP all share the same canonical helper behavior.

What was the bug?

Duplicate helper implementations in containers/api-proxy/oidc-token-provider.js (_mintGitHubOidcToken, _httpGet, _httpPost, _getProxyAgent) created drift risk in OIDC token minting and transport handling.

How did you fix it?

• Shared helper consolidation

  • Imported shared helpers from containers/api-proxy/github-oidc.js.
  • Replaced Azure-specific reimplementations with shared calls for GitHub OIDC minting and HTTP POST transport.

• Preserved Azure-specific timeout context

  • Wrapped shared httpPost timeout errors in _exchangeForAzureToken so Azure paths continue to emit Azure token exchange timeout for actionable logs/errors.

• Dead code removal

  • Removed now-unused class-level _httpGet and _getProxyAgent wrappers after delegating GitHub minting to shared helpers.

• Regression guards

  • Added focused coverage in oidc-token-provider.test.js asserting Azure mint flow sends:
    • configured audience query param
    • expected Authorization: Bearer <request token> header
  • Added a timeout-context test to ensure Azure timeout messaging is preserved.
  • Hardened the mint-contract server test with try/finally cleanup to always shut down server/provider.

const { mintGitHubOidcToken, httpPost } = require('./github-oidc');

async _mintGitHubOidcToken() {
  return mintGitHubOidcToken({
    requestUrl: this._requestUrl,
    requestToken: this._requestToken,
    audience: this._oidcAudience,
  });
}

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	87.84%	87.91%	📈 +0.07%
Statements	87.77%	87.85%	📈 +0.08%
Functions	82.78%	82.78%	➡️ +0.00%
Branches	79.72%	79.76%	📈 +0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/container-lifecycle.ts	87.1% → 88.2% (+1.14%)	87.5% → 88.6% (+1.11%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR refactors the Azure OidcTokenProvider in containers/api-proxy to eliminate duplicated GitHub Actions OIDC minting / HTTP / proxy logic by delegating to the shared github-oidc helper module, aligning Azure with the existing AWS/GCP paths.

Changes:

• Replaced Azure’s in-file GitHub OIDC mint + HTTP/proxy helper implementations with calls into containers/api-proxy/github-oidc.js.
• Kept the Azure provider’s public/class method surface while switching implementation to shared helpers.
• Added a regression test asserting the GitHub OIDC mint request includes the configured audience query parameter and the expected Authorization header.

Show a summary per file

File	Description
containers/api-proxy/oidc-token-provider.js	Refactors Azure OIDC minting + HTTP/proxy helpers to delegate to the shared github-oidc module.
containers/api-proxy/oidc-token-provider.test.js	Adds a focused regression test to validate the GitHub OIDC mint request contract (audience + auth header).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

containers/api-proxy/oidc-token-provider.js:273

• Similar to _httpGet(), _getProxyAgent() is now unused within this class/repo after moving proxy handling into github-oidc.js. If it’s not meant as a supported override point, consider removing it to avoid dead code.

  /**
   * Build proxy agent from env vars when configured.
   * @param {URL} parsedUrl
   * @returns {import('http').Agent|undefined}
   */
  _getProxyAgent(parsedUrl) {
    return getProxyAgent(parsedUrl);
  }

• Files reviewed: 2/2 changed files
• Comments generated: 3

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

Addressed in commit ce97001.

• Restored Azure-specific timeout context by mapping shared httpPost timeout errors to Azure token exchange timeout in _exchangeForAzureToken.
• Removed dead _httpGet and _getProxyAgent wrappers from OidcTokenProvider.
• Hardened the audience/header regression test with try/finally cleanup and added a focused timeout-context test.

[github-actions]

Smoke Test Results

• ❌ GitHub MCP (gh CLI auth error)
• ✅ Playwright (GitHub page verified)
• ✅ File Writing (test file created)
• ✅ Bash Tool (file verification passed)

Status: FAIL (gh CLI authentication issue)

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
1. GitHub MCP	❌ 401 Bad credentials (MCP auth unavailable in this runner)
2. GitHub.com connectivity	⚠️ Pre-step data not substituted (template vars unexpanded)
3. File write/read	⚠️ Pre-step data not substituted (template vars unexpanded)
4. BYOK inference	✅ Agent responded via api-proxy → api.githubcopilot.com

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: FAIL — GitHub MCP returned 401; pre-step template variables were not expanded (smoke-data step outputs missing).

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔬 Smoke Test Results — PR #2887

Test	Result
GitHub MCP connectivity	❌ 401 (unauthenticated in agent env)
GitHub.com HTTP	⚠️ pre-step data not injected
File write/read	✅ /tmp/gh-aw/agent/smoke-test-copilot-25679124276.txt confirmed

Overall: PARTIAL — pre-step template variables were not substituted into the agent prompt, so HTTP code and PR data could not be validated. File test passed. MCP auth unavailable in this context.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🧪 Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	3.12.13	3.12.3	❌ No
Node.js	v24.14.1	v20.20.2	❌ No
Go	go1.22.12	go1.22.12	✅ Yes

Result: Not all tests passed — Python and Node.js versions differ between host and chroot. The smoke-chroot label was not applied.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	ok	✅ PASS
Go	env	✅	ok	✅ PASS
Go	uuid	✅	ok	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): The default Maven local repository path /home/runner/.m2/repository was not writable (owned by root). Tests were run successfully using -Dmaven.repo.local=/tmp/gh-aw/agent/m2-repo as a workaround.

Generated by Build Test Suite for issue #2887 · ● 419K · ◷

[github-actions]

Smoke test: FAIL
PRs: refactor(stats-formatter): make format-specific functions module-private; refactor: split src/cli.ts into focused modules
❌ GitHub MCP / safeinputs-gh checks unavailable
✅ Playwright title contains GitHub
❌ Tavily unavailable
✅ File write + bash readback
❌ Discussion query unavailable, skipped
✅ npm ci && npm run build

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test Results

Check	Result
Redis PING	❌ timeout (no response)
PostgreSQL pg_isready	❌ no response
PostgreSQL SELECT 1	❌ no response

Overall: FAIL — host.docker.internal is unreachable from this runner environment. Service containers may not be configured or the host alias is not resolvable.

🔌 Service connectivity validated by Smoke Services