vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 09:30:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(onboard): support non-interactive GitHub Copilot token auth

Browse Source 
Add manifest-owned GitHub Copilot token support for non-interactive onboarding, including documented env fallback, ref-mode tokenRef storage, saved-profile reuse, and default model wiring that preserves existing primary model configuration.

Validation:
- pnpm test extensions/github-copilot/index.test.ts src/plugins/contracts/registry.contract.test.ts src/commands/onboard-non-interactive/local/auth-choice-inference.test.ts
- pnpm check:changed
- CI green on aadac2c8d4
This commit is contained in:
Val Alexander
2026-04-26 22:56:20 -05:00
committed by GitHub
parent 18b76e3995
commit 461c10bb51
6 changed files with 498 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -13,6 +13,7 @@ Docs: https://docs.openclaw.ai
- Matrix/E2EE: stabilize recovery and broken-device QA flows while avoiding Matrix device-cleanup sync races that could leave shutdown-time crypto work running. Thanks @gumadeiras.
- Cron: classify isolated runs as errors from structured embedded-run execution-denial metadata, with final-output marker fallback for `SYSTEM_RUN_DENIED`, `INVALID_REQUEST`, and approval-binding refusals, so blocked commands no longer appear green in cron history. Fixes #67172; carries forward #67186. Thanks @oc-gh-dr, @hclsys, and @1yihui.
- Onboarding/GitHub Copilot: add manifest-owned `--github-copilot-token` support for non-interactive setup, including env fallback, tokenRef storage in ref mode, saved-profile reuse, and current Copilot default-model wiring. Refs #50002 and supersedes #50003. Thanks @scottgl9.
- Gateway/install: add a validated `--wrapper`/`OPENCLAW_WRAPPER` service install path that persists executable LaunchAgent/systemd wrappers across forced reinstalls, updates, and doctor repairs instead of falling back to raw node/bun `ProgramArguments`. Fixes #69400. (#72445) Thanks @willtmc.
- macOS Gateway: write launchd services with a state-dir `WorkingDirectory`, use a durable state-dir temp path instead of freezing macOS session `TMPDIR`, create that temp directory before bootstrap, and label abort-shaped launchd exits as `SIGABRT/abort` in status output. Fixes #53679 and #70223; refs #71848. Thanks @dlturock, @stammi922, and @palladius.
- Exec approvals: accept runtime-owned `source: "allow-always"` and `commandText` allowlist metadata in gateway and node approval-set payloads so Control UI round-trips no longer fail with `unexpected property 'source'`. Fixes #60000; carries forward #60064. Thanks @sd1471123, @sharkqwy, and @luoyanglang.

24
docs/providers/github-copilot.md
View File

@@ -1,5 +1,5 @@
---
summary: "Sign in to GitHub Copilot from OpenClaw using the device flow"
summary: "Sign in to GitHub Copilot from OpenClaw using the device flow or non-interactive token import"
read_when:
- You want to use GitHub Copilot as a model provider
- You need the `openclaw models auth login-github-copilot` flow
@@ -73,6 +73,24 @@ openclaw models auth login-github-copilot --yes
openclaw models auth login --provider github-copilot --method device --set-default
```
## Non-interactive onboarding
If you already have a GitHub OAuth access token for Copilot, import it during
headless setup with `openclaw onboard --non-interactive`:
```bash
openclaw onboard --non-interactive --accept-risk \
--auth-choice github-copilot \
--github-copilot-token "$COPILOT_GITHUB_TOKEN" \
--skip-channels --skip-health
```
You can also omit `--auth-choice`; passing `--github-copilot-token` infers the
GitHub Copilot provider auth choice. If the flag is omitted, onboarding falls
back to `COPILOT_GITHUB_TOKEN`, `GH_TOKEN`, then `GITHUB_TOKEN`. Use
`--secret-input-mode ref` with `COPILOT_GITHUB_TOKEN` set to store an env-backed
`tokenRef` instead of plaintext in `auth-profiles.json`.
<AccordionGroup>
<Accordion title="Interactive TTY required">
The device-login flow requires an interactive TTY. Run it directly in a
@@ -122,8 +140,8 @@ openclaw models auth login --provider github-copilot --method device --set-defau
</AccordionGroup>
<Warning>
Requires an interactive TTY. Run the login command directly in a terminal, not
inside a headless script or CI job.
The device-login command requires an interactive TTY. Use non-interactive
onboarding when you need headless setup.
</Warning>
## Memory search embeddings

252
extensions/github-copilot/index.test.ts
View File

@@ -1,4 +1,11 @@
import { describe, expect, it, vi } from "vitest";
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { afterEach, describe, expect, it, vi } from "vitest";
import {
clearRuntimeAuthProfileStoreSnapshots,
ensureAuthProfileStore,
} from "../../src/agents/auth-profiles.js";
import { createTestPluginApi } from "../../test/helpers/plugins/plugin-api.js";
const resolveCopilotApiTokenMock = vi.hoisted(() => vi.fn());
@@ -12,6 +19,19 @@ vi.mock("./register.runtime.js", () => ({
import plugin from "./index.js";
const tempDirs: string[] = [];
afterEach(async () => {
clearRuntimeAuthProfileStoreSnapshots();
await Promise.all(tempDirs.splice(0).map((dir) => fs.rm(dir, { recursive: true, force: true })));
});
async function createAgentDir() {
const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-github-copilot-test-"));
tempDirs.push(dir);
return dir;
}
function _registerProvider() {
return registerProviderWithPluginConfig({});
}
@@ -116,4 +136,234 @@ describe("github-copilot plugin", () => {
},
});
});
it("stores GitHub Copilot token from non-interactive onboarding", async () => {
const provider = registerProviderWithPluginConfig({});
const method = provider.auth[0];
const agentDir = await createAgentDir();
const runtime = { error: vi.fn(), exit: vi.fn() };
const result = await method.runNonInteractive({
authChoice: "github-copilot",
config: {},
baseConfig: {},
opts: { githubCopilotToken: "ghu_test\r\n123" },
runtime,
agentDir,
resolveApiKey: vi.fn(async () => ({
key: "ghu_test123",
source: "flag" as const,
})),
toApiKeyCredential: vi.fn(),
});
expect(runtime.error).not.toHaveBeenCalled();
expect(result?.auth?.profiles?.["github-copilot:github"]).toEqual({
provider: "github-copilot",
mode: "token",
});
expect(result?.agents?.defaults?.model).toEqual({
primary: "github-copilot/claude-opus-4.7",
});
expect(result?.agents?.defaults?.models?.["github-copilot/claude-opus-4.7"]).toEqual({});
const profile = ensureAuthProfileStore(agentDir).profiles["github-copilot:github"];
expect(profile).toEqual({
type: "token",
provider: "github-copilot",
token: "ghu_test123",
});
});
it("stores env-backed token refs for non-interactive onboarding ref mode", async () => {
const provider = registerProviderWithPluginConfig({});
const method = provider.auth[0];
const agentDir = await createAgentDir();
const runtime = { error: vi.fn(), exit: vi.fn() };
const result = await method.runNonInteractive({
authChoice: "github-copilot",
config: { agents: { defaults: { model: { fallbacks: ["openai/gpt-5.4"] } } } },
baseConfig: {},
opts: { secretInputMode: "ref" },
runtime,
agentDir,
resolveApiKey: vi.fn(async () => ({
key: "ghu_from_env",
source: "env" as const,
envVarName: "COPILOT_GITHUB_TOKEN",
})),
toApiKeyCredential: vi.fn(),
});
expect(runtime.error).not.toHaveBeenCalled();
expect(result?.agents?.defaults?.model).toEqual({
fallbacks: ["openai/gpt-5.4"],
primary: "github-copilot/claude-opus-4.7",
});
const profile = ensureAuthProfileStore(agentDir).profiles["github-copilot:github"];
expect(profile).toEqual({
type: "token",
provider: "github-copilot",
tokenRef: {
source: "env",
provider: "default",
id: "COPILOT_GITHUB_TOKEN",
},
});
});
it("falls back to GH_TOKEN during non-interactive onboarding", async () => {
const provider = registerProviderWithPluginConfig({});
const method = provider.auth[0];
const agentDir = await createAgentDir();
const runtime = { error: vi.fn(), exit: vi.fn() };
const resolveApiKey = vi.fn(async ({ envVar }: { envVar?: string }) =>
envVar === "GH_TOKEN"
? {
key: "ghu_from_gh_token",
source: "env" as const,
envVarName: "GH_TOKEN",
}
: null,
);
const result = await method.runNonInteractive({
authChoice: "github-copilot",
config: {},
baseConfig: {},
opts: {},
runtime,
agentDir,
resolveApiKey,
toApiKeyCredential: vi.fn(),
});
expect(runtime.error).not.toHaveBeenCalled();
expect(resolveApiKey).toHaveBeenCalledWith(
expect.objectContaining({ envVar: "COPILOT_GITHUB_TOKEN" }),
);
expect(resolveApiKey).toHaveBeenCalledWith(expect.objectContaining({ envVar: "GH_TOKEN" }));
expect(result?.auth?.profiles?.["github-copilot:github"]).toEqual({
provider: "github-copilot",
mode: "token",
});
const profile = ensureAuthProfileStore(agentDir).profiles["github-copilot:github"];
expect(profile).toEqual({
type: "token",
provider: "github-copilot",
token: "ghu_from_gh_token",
});
});
it("preserves an existing primary model during non-interactive onboarding", async () => {
const provider = registerProviderWithPluginConfig({});
const method = provider.auth[0];
const agentDir = await createAgentDir();
const runtime = { error: vi.fn(), exit: vi.fn() };
const result = await method.runNonInteractive({
authChoice: "github-copilot",
config: {
agents: {
defaults: {
model: {
primary: "github-copilot/gpt-5.4",
fallbacks: ["openai/gpt-5.4"],
},
models: {
"github-copilot/gpt-5.4": { label: "Existing" },
},
},
},
},
baseConfig: {},
opts: { githubCopilotToken: "ghu_test" },
runtime,
agentDir,
resolveApiKey: vi.fn(async () => ({
key: "ghu_test",
source: "flag" as const,
})),
toApiKeyCredential: vi.fn(),
});
expect(runtime.error).not.toHaveBeenCalled();
expect(result?.agents?.defaults?.model).toEqual({
primary: "github-copilot/gpt-5.4",
fallbacks: ["openai/gpt-5.4"],
});
expect(result?.agents?.defaults?.models).toEqual({
"github-copilot/gpt-5.4": { label: "Existing" },
});
});
it("reuses an existing token profile during non-interactive onboarding", async () => {
const provider = registerProviderWithPluginConfig({});
const method = provider.auth[0];
const agentDir = await createAgentDir();
const runtime = { error: vi.fn(), exit: vi.fn() };
await fs.writeFile(
path.join(agentDir, "auth-profiles.json"),
JSON.stringify({
version: 1,
profiles: {
"github-copilot:github": {
type: "token",
provider: "github-copilot",
token: "existing-token",
},
},
}),
);
const result = await method.runNonInteractive({
authChoice: "github-copilot",
config: {},
baseConfig: {},
opts: {},
runtime,
agentDir,
resolveApiKey: vi.fn(async () => null),
toApiKeyCredential: vi.fn(),
});
expect(runtime.error).not.toHaveBeenCalled();
expect(result?.auth?.profiles?.["github-copilot:github"]).toEqual({
provider: "github-copilot",
mode: "token",
});
});
it("does not emit a second missing-token error after ref-mode flag validation fails", async () => {
const provider = registerProviderWithPluginConfig({});
const method = provider.auth[0];
const agentDir = await createAgentDir();
const runtime = { error: vi.fn(), exit: vi.fn() };
const result = await method.runNonInteractive({
authChoice: "github-copilot",
config: {},
baseConfig: {},
opts: {
githubCopilotToken: "ghu_secret",
secretInputMode: "ref",
},
runtime,
agentDir,
resolveApiKey: vi.fn(async () => null),
toApiKeyCredential: vi.fn(),
});
expect(result).toBeNull();
expect(runtime.error).toHaveBeenCalledTimes(1);
expect(runtime.error).toHaveBeenCalledWith(
[
"--github-copilot-token cannot be used with --secret-input-mode ref unless COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN is set in env.",
"Set one of those env vars and omit --github-copilot-token, or use --secret-input-mode plaintext.",
].join("\n"),
);
});
});

204
extensions/github-copilot/index.ts
View File

@@ -1,6 +1,18 @@
import { resolvePluginConfigObject, type OpenClawConfig } from "openclaw/plugin-sdk/config-runtime";
import { definePluginEntry, type ProviderAuthContext } from "openclaw/plugin-sdk/plugin-entry";
import { ensureAuthProfileStore } from "openclaw/plugin-sdk/provider-auth";
import {
definePluginEntry,
type ProviderAuthContext,
type ProviderAuthMethodNonInteractiveContext,
} from "openclaw/plugin-sdk/plugin-entry";
import {
applyAuthProfileConfig,
coerceSecretRef,
ensureAuthProfileStore,
listProfilesForProvider,
normalizeOptionalSecretInput,
resolveDefaultSecretProviderAlias,
upsertAuthProfileWithLock,
} from "openclaw/plugin-sdk/provider-auth";
import { normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/text-runtime";
import { resolveFirstGithubToken } from "./auth.js";
import { githubCopilotMemoryEmbeddingProviderAdapter } from "./embeddings.js";
@@ -9,6 +21,8 @@ import { buildGithubCopilotReplayPolicy } from "./replay-policy.js";
import { wrapCopilotProviderStream } from "./stream.js";
const COPILOT_ENV_VARS = ["COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"];
const DEFAULT_COPILOT_MODEL = "github-copilot/claude-opus-4.7";
const DEFAULT_COPILOT_PROFILE_ID = "github-copilot:github";
const COPILOT_XHIGH_MODEL_IDS = ["gpt-5.4", "gpt-5.3-codex", "gpt-5.2", "gpt-5.2-codex"] as const;
type GithubCopilotPluginConfig = {
@@ -20,6 +34,187 @@ type GithubCopilotPluginConfig = {
async function loadGithubCopilotRuntime() {
return await import("./register.runtime.js");
}
function applyCopilotDefaultModel(cfg: OpenClawConfig): OpenClawConfig {
const defaults = cfg.agents?.defaults;
const existingModel = defaults?.model;
const existingPrimary =
typeof existingModel === "string"
? existingModel.trim()
: typeof existingModel === "object" && typeof existingModel?.primary === "string"
? existingModel.primary.trim()
: "";
if (existingPrimary) {
return cfg;
}
const fallbacks =
typeof existingModel === "object" && existingModel !== null && "fallbacks" in existingModel
? (existingModel as { fallbacks?: string[] }).fallbacks
: undefined;
return {
...cfg,
agents: {
...cfg.agents,
defaults: {
...defaults,
model: {
...(fallbacks ? { fallbacks } : undefined),
primary: DEFAULT_COPILOT_MODEL,
},
models: {
...defaults?.models,
[DEFAULT_COPILOT_MODEL]: defaults?.models?.[DEFAULT_COPILOT_MODEL] ?? {},
},
},
},
};
}
function resolveExistingCopilotTokenProfileId(agentDir?: string): string | undefined {
const authStore = ensureAuthProfileStore(agentDir, {
allowKeychainPrompt: false,
});
return listProfilesForProvider(authStore, PROVIDER_ID).find((profileId) => {
const profile = authStore.profiles[profileId];
if (profile?.type !== "token") {
return false;
}
return Boolean(
normalizeOptionalSecretInput(profile.token) || coerceSecretRef(profile.tokenRef)?.id.trim(),
);
});
}
async function resolveCopilotNonInteractiveToken(
ctx: ProviderAuthMethodNonInteractiveContext,
flagValue: string | undefined,
) {
const resolveFromEnvChain = async () => {
for (const envVar of COPILOT_ENV_VARS) {
const resolved = await ctx.resolveApiKey({
provider: PROVIDER_ID,
flagName: "--github-copilot-token",
envVar,
envVarName: envVar,
allowProfile: false,
required: false,
});
if (resolved) {
return resolved;
}
}
return null;
};
if (ctx.opts.secretInputMode === "ref") {
const resolved = await resolveFromEnvChain();
if (resolved) {
return resolved;
}
if (flagValue) {
ctx.runtime.error(
[
"--github-copilot-token cannot be used with --secret-input-mode ref unless COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN is set in env.",
"Set one of those env vars and omit --github-copilot-token, or use --secret-input-mode plaintext.",
].join("\n"),
);
ctx.runtime.exit(1);
}
return null;
}
const primary = await ctx.resolveApiKey({
provider: PROVIDER_ID,
flagValue,
flagName: "--github-copilot-token",
envVar: COPILOT_ENV_VARS[0],
envVarName: COPILOT_ENV_VARS[0],
allowProfile: false,
required: false,
});
if (primary || flagValue) {
return primary;
}
for (const envVar of COPILOT_ENV_VARS.slice(1)) {
const resolved = await ctx.resolveApiKey({
provider: PROVIDER_ID,
flagName: "--github-copilot-token",
envVar,
envVarName: envVar,
allowProfile: false,
required: false,
});
if (resolved) {
return resolved;
}
}
return null;
}
async function runGitHubCopilotNonInteractiveAuth(
ctx: ProviderAuthMethodNonInteractiveContext,
): Promise<OpenClawConfig | null> {
const opts = ctx.opts as Record<string, unknown> | undefined;
const flagValue = normalizeOptionalSecretInput(opts?.githubCopilotToken);
const resolved = await resolveCopilotNonInteractiveToken(ctx, flagValue);
let profileId = DEFAULT_COPILOT_PROFILE_ID;
if (resolved) {
const useTokenRef = ctx.opts.secretInputMode === "ref" && resolved.source === "env";
if (useTokenRef && !resolved.envVarName) {
ctx.runtime.error(
[
'--secret-input-mode ref requires an explicit environment variable for provider "github-copilot".',
"Set COPILOT_GITHUB_TOKEN in env and retry, or use --secret-input-mode plaintext.",
].join("\n"),
);
ctx.runtime.exit(1);
return null;
}
await upsertAuthProfileWithLock({
profileId,
credential: {
type: "token",
provider: PROVIDER_ID,
...(useTokenRef
? {
tokenRef: {
source: "env",
provider: resolveDefaultSecretProviderAlias(ctx.baseConfig, "env", {
preferFirstProviderForSource: true,
}),
id: resolved.envVarName!,
},
}
: { token: resolved.key }),
},
agentDir: ctx.agentDir,
});
} else {
if (flagValue && ctx.opts.secretInputMode === "ref") {
return null;
}
const existingProfileId = resolveExistingCopilotTokenProfileId(ctx.agentDir);
if (!existingProfileId) {
ctx.runtime.error(
"Missing --github-copilot-token (or COPILOT_GITHUB_TOKEN / GH_TOKEN / GITHUB_TOKEN env var) for --auth-choice github-copilot.",
);
ctx.runtime.exit(1);
return null;
}
profileId = existingProfileId;
}
return applyCopilotDefaultModel(
applyAuthProfileConfig(ctx.config, {
profileId,
provider: PROVIDER_ID,
mode: "token",
}),
);
}
export default definePluginEntry({
id: "github-copilot",
name: "GitHub Copilot Provider",
@@ -74,11 +269,11 @@ export default definePluginEntry({
return {
profiles: [
{
profileId: "github-copilot:github",
profileId: DEFAULT_COPILOT_PROFILE_ID,
credential,
},
],
defaultModel: "github-copilot/claude-opus-4.7",
defaultModel: DEFAULT_COPILOT_MODEL,
};
}
@@ -96,6 +291,7 @@ export default definePluginEntry({
hint: "Browser device-code flow",
kind: "device_code",
run: async (ctx) => await runGitHubCopilotAuth(ctx),
runNonInteractive: async (ctx) => await runGitHubCopilotNonInteractiveAuth(ctx),
},
],
wizard: {

6
extensions/github-copilot/openclaw.plugin.json
View File

@@ -17,7 +17,11 @@
"choiceHint": "Device login with your GitHub account",
"groupId": "copilot",
"groupLabel": "Copilot",
"groupHint": "GitHub + local proxy"
"groupHint": "GitHub + local proxy",
"optionKey": "githubCopilotToken",
"cliFlag": "--github-copilot-token",
"cliOption": "--github-copilot-token <token>",
"cliDescription": "GitHub Copilot OAuth token"
}
],
"configSchema": {

20
src/plugins/contracts/registry.contract.test.ts
View File

@@ -120,6 +120,26 @@ describe("plugin contract registry", () => {
}
});
it("exposes the GitHub Copilot non-interactive onboarding token flag from manifest metadata", () => {
const registry = loadPluginManifestRegistry({});
const plugin = registry.plugins.find(
(entry) => entry.origin === "bundled" && entry.id === "github-copilot",
);
expect(plugin?.providerAuthChoices).toEqual(
expect.arrayContaining([
expect.objectContaining({
provider: "github-copilot",
method: "device",
choiceId: "github-copilot",
optionKey: "githubCopilotToken",
cliFlag: "--github-copilot-token",
cliOption: "--github-copilot-token <token>",
}),
]),
);
});
it("covers every bundled speech plugin discovered from manifests", () => {
expectRegistryPluginIds({
actualPluginIds: pluginRegistrationContractRegistry