fix(ci): run AOAI api-key smoke pre-step in activation job so prompt step outputs resolve #4540

Merged
zarenner merged 5 commits into main from copilot/debugging-action-run on Jun 10, 2026

Conversation

Copilot AI commented Jun 8, 2026

Contributor

The smoke-copilot-byok-aoai-apikey workflow fed pre-computed test data into the agent prompt via ${{ steps.smoke-data.outputs.* }}, which doesn't resolve across the activation→agent job split — leaving the prompt with empty PR data, HTTP code, and file-content placeholders. The root cause is that the smoke-data step compiled into the agent job, while the prompt is rendered in the activation job.

Changes

  • Relocated smoke-data to the activation job — the Pre-compute BYOK smoke test data step is now declared under jobs.activation.pre-steps, so it runs in the same built-in job where the prompt is created. As a result ${{ steps.smoke-data.outputs.* }} resolves correctly. The step keeps its id: smoke-data and continues to emit SMOKE_PR_DATA, SMOKE_HTTP_CODE, SMOKE_FILE_CONTENT, and SMOKE_FILE_PATH via $GITHUB_OUTPUT.
  • Prompt reads step outputs again — the prompt body uses the ${{ steps.smoke-data.outputs.* }} expressions directly (no file cat-ing handoff).
  • Adjusted the file-write test (test #3) — because the activation and agent jobs run on separate runners, the file written by the pre-step is not present on the agent runner. The prompt now has the agent write and read its own scratch file under /tmp/gh-aw/agent/ to exercise sandbox file I/O, while the pre-step's write/read result is still surfaced through SMOKE_FILE_CONTENT.
  • Regenerated lock — recompiled and ran scripts/ci/postprocess-smoke-workflows.ts; the .lock.yml places the step in the activation job ahead of the prompt-creation step and retains --build-local.
# before: step in agent job, expression unresolved in activation-rendered prompt
steps:
  - name: Pre-compute BYOK smoke test data
    id: smoke-data

# after: step in activation job, expression resolves in the prompt
jobs:
  activation:
    pre-steps:
      - name: Pre-compute BYOK smoke test data
        id: smoke-data
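
The failure mode described above, as an added check that is not part of this PR or the gh-aw project: it reports every steps.<id>.outputs reference that has no earlier step with that id in the same job. The Workflow shape, the "prompt" step name and the sample data are constructed assumptions; a real lock file would first be parsed from YAML.

```typescript
// Added example (not from the PR): flag ${{ steps.<id>.outputs.* }} references
// that cannot resolve because no earlier step in the SAME job has that id.
type Step = { id?: string; run?: string; env?: { [k: string]: string } };
type Workflow = { jobs: { [job: string]: { steps: Step[] } } };
type Finding = { job: string; stepId: string; definedIn: string[] };

function findUnresolvedStepRefs(wf: Workflow): Finding[] {
  const jobs = Object.keys(wf.jobs);
  // Which jobs define each step id (used only to explain the finding).
  const owners: { [id: string]: string[] } = {};
  for (const job of jobs) {
    for (const s of wf.jobs[job].steps) {
      if (s.id) (owners[s.id] = owners[s.id] || []).push(job);
    }
  }
  const findings: Finding[] = [];
  for (const job of jobs) {
    const defined: { [id: string]: boolean } = {};
    for (const s of wf.jobs[job].steps) {
      const env = s.env || {};
      const text = [s.run || ""].concat(Object.keys(env).map((k) => env[k])).join("\n");
      const ref = /\$\{\{\s*steps\.([\w-]+)\.outputs\.[\w-]+\s*\}\}/g;
      let m: RegExpExecArray | null;
      while ((m = ref.exec(text)) !== null) {
        const id = m[1];
        const dup = findings.some((f) => f.job === job && f.stepId === id);
        if (!defined[id] && !dup) findings.push({ job, stepId: id, definedIn: owners[id] || [] });
      }
      if (s.id) defined[s.id] = true; // outputs exist only for later steps
    }
  }
  return findings;
}

// Constructed sample mirroring the bug: prompt rendered in `activation`,
// smoke-data step compiled into `agent`. Step names are illustrative.
const before: Workflow = {
  jobs: {
    activation: { steps: [{ id: "prompt", run: "echo 'HTTP: ${{ steps.smoke-data.outputs.SMOKE_HTTP_CODE }}'" }] },
    agent: { steps: [{ id: "smoke-data", run: "echo SMOKE_HTTP_CODE=200 >> \"$GITHUB_OUTPUT\"" }] },
  },
};
const after: Workflow = {
  jobs: {
    activation: { steps: [before.jobs.agent.steps[0], before.jobs.activation.steps[0]] },
    agent: { steps: [] },
  },
};
console.log(findUnresolvedStepRefs(before), findUnresolvedStepRefs(after));
```

Run against a compiled workflow in CI, a non-empty result fails the build before an agent prompt is rendered with empty placeholders.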

Copilot AI changed the title fix(smoke-otel-tracing): correct stale api-proxy host log path Pass AOAI api-key smoke pre-step data via files instead of cross-job step outputs Jun 8, 2026
Copilot AI requested a review from zarenner June 8, 2026 17:16
@zarenner

zarenner commented Jun 8, 2026

Collaborator

@copilot instead of this, couldn't we just move smoke-data step to the activation job (e.g. via jobs.activation.pre-steps, see https://github.github.com/gh-aw/reference/steps-jobs/).

Also remove unrelated otel test fix.

Copilot AI commented Jun 8, 2026

Contributor Author

@copilot instead of this, couldn't we just move smoke-data step to the activation job (e.g. via jobs.activation.pre-steps, see https://github.github.com/gh-aw/reference/steps-jobs/).

Also remov...

Done. Moved the smoke-data step into jobs.activation.pre-steps so it runs in the same job where the prompt is rendered — ${{ steps.smoke-data.outputs.* }} now resolves correctly, and I reverted the file-based prompt rewrite. Confirmed in the lock file the step lands in the activation job before the prompt-creation step.

One note: since the activation job is a separate runner from the agent job, the file-write test's file no longer exists on the agent side, so I changed test #3 to have the agent write+read its own scratch file in /tmp/gh-aw/agent/ (still exercising sandbox file I/O) while the pre-step's write/read result is surfaced via SMOKE_FILE_CONTENT.

Also removed the unrelated smoke-otel-tracing change. (49bf...)

Copilot AI changed the title Pass AOAI api-key smoke pre-step data via files instead of cross-job step outputs Move AOAI api-key smoke pre-step into the activation job so step outputs resolve in the prompt Jun 8, 2026
@github-actions

github-actions Bot commented Jun 8, 2026

Contributor

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 96.43% | 96.48% | 📈 +0.05% |
| Statements | 96.35% | 96.39% | 📈 +0.04% |
| Functions | 98.76% | 98.77% | ➡️ +0.01% |
| Branches | 90.72% | 90.77% | 📈 +0.05% |

📁 Per-file Coverage Changes (2 files)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/commands/validators/config-assembly.ts | 98.2% → 98.2% (+0.07%) | 97.3% → 97.4% (+0.10%) |
| src/config-writer.ts | 89.3% → 90.9% (+1.65%) | 89.3% → 90.9% (+1.65%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@zarenner

zarenner commented Jun 8, 2026

Collaborator

@copilot suggest PR title

Copilot AI commented Jun 8, 2026

Contributor Author

@copilot suggest PR title

Suggested PR title:

fix(smoke): run AOAI api-key smoke pre-step in activation job so prompt step outputs resolve

A few shorter alternatives:

  • fix(smoke-aoai-apikey): move smoke-data pre-step to activation job
  • Move BYOK AOAI smoke pre-step to activation job for prompt output resolution

@github-actions

github-actions Bot commented Jun 8, 2026

Contributor

Smoke Test Results

  • GitHub MCP Testing: ❌ (mcpscripts not found, connectivity failed)
  • GitHub.com Connectivity: ❌ (Got 000/SSL error or 400 from Squid)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall Status: FAIL

PR titles (partial from git log):

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

* fix: allow BYOK provider model validation

* fix: check env-file for provider base URL in model bypass

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
@zarenner

Collaborator

@copilot rebase

Copilot AI commented Jun 10, 2026

Contributor Author

@copilot rebase

A true linear rebase rewrites history and needs a force-push, which my tooling can't do (pushes are fast-forward-only). Instead I brought the branch current with the latest origin/main (094e561) via a fast-forwardable merge commit (ade0493) — the only main-ward change was a 3-line doc update, no conflicts. If you'd prefer a linear history, use the Rebase and merge button on the PR to linearize at merge time.

@github-actions

Contributor

GitHub MCP Testing: ✅
GitHub.com Connectivity: ✅
File Write/Read Test: ✅
BYOK Inference Test: ✅
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
Overall status: PASS
cc @Copilot @zarenner

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • api.openai.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.openai.com"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

@github-actions

Contributor

Smoke Test: Copilot BYOK (Direct Mode) — PASS ✅

Recent PRs:

  • #4671 fix: propagate config fields to all layers
  • #4660 fix: Allow all models when COPILOT_PROVIDER_BASE_URL is set

Test Results:

  • ✅ GitHub MCP connectivity (list_pull_requests verified)
  • ✅ GitHub.com connectivity (HTTP 200)
  • ✅ Sandbox file I/O (/tmp/gh-aw/agent write/read)
  • ✅ BYOK inference active (direct mode via api-proxy → api.githubcopilot.com)

Mode: COPILOT_PROVIDER_API_KEY → api-proxy sidecar → api.githubcopilot.com
Assignee: @zarenner | Author: @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions

Contributor

Chroot Version Comparison Results

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | 3.12.13 | 3.12.3 | ❌ NO |
| Node.js | v24.16.0 | v22.22.3 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

@github-actions

Contributor

Smoke Test

  • fix: propagate config fields to all layers — ✅
  • fix: Allow all models when COPILOT_PROVIDER_BASE_URL is set — ✅
  • GitHub homepage title contains "GitHub" — ✅
  • File write/read check — ✅
  • Build (npm ci && npm run build) — ❌ node not found
  • Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

@github-actions

Contributor

🔍 Smoke Test: Copilot PAT Auth — PASS

| Test | Result |
| --- | --- |
| GitHub MCP (list PRs) | ✅ Connected — fetched PR #4671 |
| GitHub.com HTTP connectivity | ✅ Pre-step smoke file confirms pass |
| File write/read (/tmp/gh-aw/agent/smoke-test-copilot-pat-27289178058.txt) | "Smoke test passed for Copilot PAT at Wed Jun 10 16:10:37 UTC 2026" |

PR: fix(ci): run AOAI api-key smoke pre-step in activation job so prompt step outputs resolve
Author: @Copilot · Assignee: @zarenner
Auth mode: PAT (COPILOT_GITHUB_TOKEN)

⚠️ Note: ${{ steps.smoke-data.outputs.* }} template vars were unresolved in the prompt (the exact bug this PR fixes); HTTP code and pre-fetched PR data were inferred from the pre-step smoke file.

🔑 PAT report filed by Smoke Copilot PAT

@github-actions

Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color all passed ✅ PASS
Go env all passed ✅ PASS
Go uuid all passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #4540 · 186.8 AIC · ⊞ 33.8K ·

@github-actions

Contributor

GitHub API: ✅ PASS
GitHub check: ✅ PASS
File verify: ✅ PASS

Total: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions

Contributor

🤖 Smoke Test Results

Test Status
GitHub MCP (PR: "fix: propagate config fields to all layers")
GitHub.com connectivity (HTTP 200)
File write/read (/tmp/gh-aw/agent/smoke-test.txt)

Overall: PASS

PR by @Copilot · Assignee: @zarenner

📰 BREAKING: Report filed by Smoke Copilot

@github-actions

Contributor

@Copilot @zarenner

  • Add opt-in diagnostics artifact for blocked LLM request bodies: ✅
  • GitHub.com HTTP: ✅
  • Agent file I/O: ✅
  • Direct BYOK inference: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

@github-actions

Contributor

Smoke Test Results — FAIL ❌

| Check | Result |
| --- | --- |
| Redis PING | ❌ connection timed out |
| PostgreSQL pg_isready | ❌ no response |
| PostgreSQL SELECT 1 | ❌ not reachable |

Root cause: AWF iptables rules explicitly block ports 6379 (Redis) and 5432 (PostgreSQL) in the OUTPUT chain. host.docker.internal resolves to 172.17.0.1 but TCP connections are dropped by the firewall before reaching the services.

🔌 Service connectivity validated by Smoke Services

@zarenner zarenner marked this pull request as ready for review June 10, 2026 16:27
Copilot AI review requested due to automatic review settings June 10, 2026 16:27
@zarenner zarenner merged commit bdbe5ce into main Jun 10, 2026
104 of 114 checks passed
@zarenner zarenner deleted the copilot/debugging-action-run branch June 10, 2026 16:27

Copilot AI left a comment

Contributor

Pull request overview

This PR updates the Copilot BYOK AOAI api-key smoke workflow so the activation job can precompute and expose step outputs that the prompt rendering relies on, preventing empty placeholders across the activation→agent job boundary. It also adjusts COPILOT_MODEL validation behavior to permit custom model names when a Copilot provider base URL indicates BYOK routing.

Changes:

  • Moved the BYOK smoke “smoke-data” precompute step into the workflow’s activation job so ${{ steps.smoke-data.outputs.* }} resolves during prompt creation.
  • Updated the smoke prompt’s file I/O test to be agent-runner-local (since activation and agent jobs run on different runners).
  • Relaxed COPILOT_MODEL validation when a Copilot provider base URL is configured, and added unit tests for the new behavior.

Show a summary per file

| File | Description |
| --- | --- |
| src/commands/validators/config-assembly.ts | Adds provider base URL detection to conditionally skip COPILOT_MODEL validation; refactors env-file parsing helper. |
| src/commands/validators/config-assembly.test.ts | Adds tests ensuring custom COPILOT_MODEL values are allowed when provider base URL is present. |
| .github/workflows/smoke-copilot-byok-aoai-apikey.md | Moves smoke-data into activation pre-steps and updates the prompt instructions for file I/O. |
| .github/workflows/smoke-copilot-byok-aoai-apikey.lock.yml | Regenerates compiled workflow to reflect activation-job relocation and prompt substitutions. |

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 3

Comment on lines +284 to +294
const hasCustomCopilotProviderBaseUrl = !!(
config.copilotProviderBaseUrl ||
config.additionalEnv?.COPILOT_PROVIDER_BASE_URL ||
readEnvVarFromEnvFiles((config as { envFile?: unknown }).envFile, 'COPILOT_PROVIDER_BASE_URL') ||
(config.envAll ? process.env.COPILOT_PROVIDER_BASE_URL : undefined)
);
if (
copilotModel &&
!hasCustomCopilotProviderBaseUrl &&
(config.copilotGithubToken || config.copilotProviderApiKey)
) {
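Review bot: In the `if` condition, `!hasCustomCopilotProviderBaseUrl` switches COPILOT_MODEL validation off whenever any of the four sources yields a truthy string, because the flag is computed with `!!( ... )` and the value itself is never inspected. A whitespace-only value, or a base URL that is set but still points at the default endpoint, would skip validation as well, which the word "Custom" in the name does not suggest. Consider trimming and comparing the resolved value against the default endpoint, or rename the flag so it is clear that presence alone is the trigger, and cover the whitespace-only case in the tests.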
Comment on lines +284 to +289
const hasCustomCopilotProviderBaseUrl = !!(
config.copilotProviderBaseUrl ||
config.additionalEnv?.COPILOT_PROVIDER_BASE_URL ||
readEnvVarFromEnvFiles((config as { envFile?: unknown }).envFile, 'COPILOT_PROVIDER_BASE_URL') ||
(config.envAll ? process.env.COPILOT_PROVIDER_BASE_URL : undefined)
);
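Review bot: The cast `(config as { envFile?: unknown }).envFile` on the `readEnvVarFromEnvFiles` line sidesteps the config type, so a rename or shape change of `envFile` would not be caught by the compiler. If `envFile` is a supported option, declare it on the config type and pass `config.envFile` directly. The last operand reads `process.env.COPILOT_PROVIDER_BASE_URL` only when `config.envAll` is set; a short comment saying why the ambient environment is ignored otherwise would help the next reader.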
Pre-step wrote and read back: "${{ steps.smoke-data.outputs.SMOKE_FILE_CONTENT }}"
File path: ${{ steps.smoke-data.outputs.SMOKE_FILE_PATH }}
Verify by running `cat` on the file path using bash to confirm it exists.
The activation pre-step wrote and read back: "${{ steps.smoke-data.outputs.SMOKE_FILE_CONTENT }}" (that file lives on the activation runner, not here). To exercise agent-side file I/O in the sandbox, write a short string to `/tmp/gh-aw/agent/agent-write-test.txt` and `cat` it back with bash. ✅ if the read-back matches.
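Review bot: The replacement prompt line asks the agent to write "a short string" to the fixed path `/tmp/gh-aw/agent/agent-write-test.txt` and passes if the read-back matches, but it never says which string to write. Specifying a run-unique value, for example one that includes the run id, keeps the check from passing on a file left over from an earlier run and makes the reported result comparable across runs. The line also no longer uses `SMOKE_FILE_PATH`, which the earlier lines referenced; if nothing else in the prompt reads that output, stop emitting it from the pre-step.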