fix: support GitHub Enterprise authentication in Copilot CLI agent#314724
Open
fighterii wants to merge 3 commits intomicrosoft:mainfrom
Open
fix: support GitHub Enterprise authentication in Copilot CLI agent#314724fighterii wants to merge 3 commits intomicrosoft:mainfrom
fighterii wants to merge 3 commits intomicrosoft:mainfrom
Conversation
Author
|
@microsoft-github-policy-service agree |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR aims to make Copilot CLI agent sessions work against GitHub Enterprise (GHE) by using the GHE-aware Copilot API endpoint returned during token exchange and (for GHE) using the Copilot JWT rather than the raw OAuth token.
Changes:
- Update CLI SDK auth resolution to use
getCopilotToken()and prefercopilotToken.endpoints.apifor the effective Copilot API URL. - Plumb the effective Copilot API URL into session options (
copilotUrl) so sessions target the correct API. - Add unit tests covering GHE host/token selection and endpoint fallback behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| extensions/copilot/src/extension/chatSessions/copilotcli/node/copilotCli.ts | Adds GHE host/API URL resolution and switches GHE auth to Copilot JWT + endpoint-based API URL. |
| extensions/copilot/src/extension/chatSessions/copilotcli/node/copilotcliSessionService.ts | Sets copilotUrl using the SDK’s resolved effective Copilot API URL (in addition to proxy override). |
| extensions/copilot/src/extension/chatSessions/copilotcli/node/test/copilotCliAuth.spec.ts | Adds tests for GHE host/token usage, endpoint preference, and fallback behavior. |
The Copilot CLI SDK did not work with GitHub Enterprise (GHE) deployments because of two issues: 1. The API URL was not correctly resolved for GHE instances. The SDK needs the Copilot API URL from the token exchange response (endpoints.api) rather than assuming a URL pattern. 2. The SDK received the GitHub OAuth token for authentication, but GHE's Copilot API validates model entitlements using the Copilot JWT token obtained during token exchange. Changes: - getAuthInfo() now resolves the Copilot API URL from the token's endpoints.api field, falling back to a derived URL based on the GHE host. - For GHE, use the Copilot JWT token instead of the OAuth token. - resolveGitHubHost() returns the configured GHE URI as the auth host. - resolveEffectiveCopilotApiUrl() exposed on the interface for session options to use the token-based URL resolution. - The session service now uses the async token-aware URL resolution for copilotUrl in session options. Fixes microsoft#304075
fighterii
force-pushed
the
fix/copilot-cli-ghe-auth
branch
from
9a5e9dd to
9d2d416
Compare
fighterii
force-pushed
the
fix/copilot-cli-ghe-auth
branch
2 times, most recently
from
4273989 to
83286ce
Compare
fighterii
force-pushed
the
fix/copilot-cli-ghe-auth
branch
from
83286ce to
52c455e
Compare
This was referenced May 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The Copilot CLI Agent does not work with GitHub Enterprise (GHE) deployments. Two issues prevent GHE users from using the CLI agent:
copilot-api.github.combut GHE deployments use a different Copilot API endpoint (typicallycopilot-api.<ghe-host>).Fixes #304075
Solution
Changes are limited to
extensions/copilot/src/extension/chatSessions/copilotcli/node/copilotCli.ts:resolveGitHubHost()github-enterprise.urisetting viaURI.parse()to extract onlyscheme://authority, stripping any trailing slash, path, or query parameters.resolveCopilotApiUrl()https), deriving{scheme}://copilot-api.{authority}as a fallback URL.getAuthInfo()(GHE path)getCopilotToken()call to only run for GHE auth (AuthProviderId.GitHubEnterprise), avoiding unnecessary network calls for github.com users.getCopilotToken()in try/catch so OAuth fallback is reachable if token minting fails.process.env['COPILOT_API_URL']only for GHE; clears it otherwise to prevent stale state on provider switch.copilotUser.endpoints.apiin theTokenAuthInforeturn value (not through the session'scopilotUrlwhich would incorrectly trigger hmac/proxy mode).Testing
Added 5 new unit tests in
copilotCliAuth.spec.ts:copilot-api.{host}URL when token has no endpointsgetCopilotToken()throws'https://github.com'host per SDK type constraint