fix(cli): exclude GITHUB_API_URL when api-proxy is enabled (#1303)

Claude · web-flow · commit 02d71c3cb7dc · 2026-03-14T12:07:58.000-07:00
* Initial plan * fix(cli): exclude GITHUB_API_URL when api-proxy is enabled On GHES, workflows set GITHUB_API_URL to the GHES API endpoint (e.g., https://api.ghes-host). When api-proxy is enabled, this variable should NOT be passed to the agent container, because Copilot CLI would use it for Copilot API requests, which don't exist on GHES API. Instead, the agent should use COPILOT_API_URL pointing to the proxy, which correctly routes Copilot API requests to api.enterprise.githubcopilot.com (not the GHES API which lacks Copilot endpoints). This fix ensures: - GITHUB_API_URL is excluded from agent env when --enable-api-proxy is set - COPILOT_API_URL takes precedence for Copilot API routing - The API proxy's deriveCopilotApiTarget() correctly determines the endpoint Fixes: github/gh-aw#20875 --------- Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -483,7 +483,13 @@ export function generateDockerCompose(
     if (process.env.XDG_CONFIG_HOME) environment.XDG_CONFIG_HOME = process.env.XDG_CONFIG_HOME;
     // Enterprise environment variables — needed for GHEC/GHES Copilot authentication
     if (process.env.GITHUB_SERVER_URL) environment.GITHUB_SERVER_URL = process.env.GITHUB_SERVER_URL;
-    if (process.env.GITHUB_API_URL) environment.GITHUB_API_URL = process.env.GITHUB_API_URL;
+    // GITHUB_API_URL — only pass when api-proxy is NOT enabled.
+    // On GHES, workflows set GITHUB_API_URL to the GHES API endpoint (e.g., https://api.ghes-host).
+    // When api-proxy is enabled, Copilot CLI must use COPILOT_API_URL (pointing to the proxy)
+    // instead of GITHUB_API_URL, because the proxy correctly routes Copilot API requests to
+    // api.enterprise.githubcopilot.com (not the GHES API which lacks Copilot endpoints).
+    // See: github/gh-aw#20875
+    if (process.env.GITHUB_API_URL && !config.enableApiProxy) environment.GITHUB_API_URL = process.env.GITHUB_API_URL;
   }
 
   // Forward one-shot-token debug flag if set (used for testing/debugging)
diff --git a/tests/integration/api-proxy.test.ts b/tests/integration/api-proxy.test.ts
@@ -250,4 +250,54 @@ describe('API Proxy Sidecar', () => {
     expect(result).toSucceed();
     expect(result.stdout).toContain('"copilot":true');
   }, 180000);
+
+  test('should exclude GITHUB_API_URL from agent when api-proxy is enabled (GHES fix)', async () => {
+    // On GHES, workflows set GITHUB_API_URL to the GHES API endpoint (e.g., https://api.ghes-host).
+    // When api-proxy is enabled, GITHUB_API_URL should NOT be passed to the agent container,
+    // because Copilot CLI would use it for Copilot API requests, which don't exist on GHES API.
+    // Instead, the agent should use COPILOT_API_URL pointing to the proxy, which correctly
+    // routes to api.enterprise.githubcopilot.com.
+    // See: github/gh-aw#20875
+    const result = await runner.runWithSudo(
+      'bash -c "if [ -z \\"$GITHUB_API_URL\\" ]; then echo GITHUB_API_URL_NOT_SET; else echo GITHUB_API_URL=$GITHUB_API_URL; fi"',
+      {
+        allowDomains: ['api.githubcopilot.com'],
+        enableApiProxy: true,
+        buildLocal: true,
+        logLevel: 'debug',
+        timeout: 120000,
+        env: {
+          COPILOT_GITHUB_TOKEN: 'ghp_fake-test-token-12345',
+          // Simulate GHES workflow passing GITHUB_API_URL
+          GITHUB_API_URL: 'https://api.ghes-host.example.com',
+        },
+      }
+    );
+
+    expect(result).toSucceed();
+    // GITHUB_API_URL should NOT be set in agent container when api-proxy is enabled
+    expect(result.stdout).toContain('GITHUB_API_URL_NOT_SET');
+    // COPILOT_API_URL should point to the proxy instead
+    expect(result.stdout).toContain(`COPILOT_API_URL=http://${API_PROXY_IP}:10002`);
+  }, 180000);
+
+  test('should pass GITHUB_API_URL to agent when api-proxy is NOT enabled', async () => {
+    // When api-proxy is disabled, GITHUB_API_URL should be passed through normally
+    const result = await runner.runWithSudo(
+      'bash -c "echo GITHUB_API_URL=$GITHUB_API_URL"',
+      {
+        allowDomains: ['api.githubcopilot.com'],
+        enableApiProxy: false,
+        buildLocal: true,
+        logLevel: 'debug',
+        timeout: 120000,
+        env: {
+          GITHUB_API_URL: 'https://api.github.com',
+        },
+      }
+    );
+
+    expect(result).toSucceed();
+    expect(result.stdout).toContain('GITHUB_API_URL=https://api.github.com');
+  }, 180000);
 });
