feat(onboard): support non-interactive GitHub Copilot token auth

Add manifest-owned GitHub Copilot token support for non-interactive onboarding, including documented env fallback, ref-mode tokenRef storage, saved-profile reuse, and default model wiring that preserves existing primary model configuration. Validation: - pnpm test extensions/github-copilot/index.test.ts src/plugins/contracts/registry.contract.test.ts src/commands/onboard-non-interactive/local/auth-choice-inference.test.ts - pnpm check:changed - CI green on aadac2c8d4
2026-05-06 20:00:42 +00:00 · 2026-04-26 22:56:20 -05:00
parent 18b76e3995
commit 461c10bb51
6 changed files with 498 additions and 9 deletions
--- a/extensions/github-copilot/index.test.ts
+++ b/extensions/github-copilot/index.test.ts
@@ -1,4 +1,11 @@
-import { describe, expect, it, vi } from "vitest";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  clearRuntimeAuthProfileStoreSnapshots,
+  ensureAuthProfileStore,
+} from "../../src/agents/auth-profiles.js";
 import { createTestPluginApi } from "../../test/helpers/plugins/plugin-api.js";

 const resolveCopilotApiTokenMock = vi.hoisted(() => vi.fn());
@@ -12,6 +19,19 @@ vi.mock("./register.runtime.js", () => ({

 import plugin from "./index.js";

+const tempDirs: string[] = [];
+
+afterEach(async () => {
+  clearRuntimeAuthProfileStoreSnapshots();
+  await Promise.all(tempDirs.splice(0).map((dir) => fs.rm(dir, { recursive: true, force: true })));
+});
+
+async function createAgentDir() {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-github-copilot-test-"));
+  tempDirs.push(dir);
+  return dir;
+}
+
 function _registerProvider() {
  return registerProviderWithPluginConfig({});
 }
@@ -116,4 +136,234 @@ describe("github-copilot plugin", () => {
      },
    });
  });
+
+  it("stores GitHub Copilot token from non-interactive onboarding", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {},
+      baseConfig: {},
+      opts: { githubCopilotToken: "ghu_test\r\n123" },
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => ({
+        key: "ghu_test123",
+        source: "flag" as const,
+      })),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(result?.auth?.profiles?.["github-copilot:github"]).toEqual({
+      provider: "github-copilot",
+      mode: "token",
+    });
+    expect(result?.agents?.defaults?.model).toEqual({
+      primary: "github-copilot/claude-opus-4.7",
+    });
+    expect(result?.agents?.defaults?.models?.["github-copilot/claude-opus-4.7"]).toEqual({});
+
+    const profile = ensureAuthProfileStore(agentDir).profiles["github-copilot:github"];
+    expect(profile).toEqual({
+      type: "token",
+      provider: "github-copilot",
+      token: "ghu_test123",
+    });
+  });
+
+  it("stores env-backed token refs for non-interactive onboarding ref mode", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: { agents: { defaults: { model: { fallbacks: ["openai/gpt-5.4"] } } } },
+      baseConfig: {},
+      opts: { secretInputMode: "ref" },
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => ({
+        key: "ghu_from_env",
+        source: "env" as const,
+        envVarName: "COPILOT_GITHUB_TOKEN",
+      })),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(result?.agents?.defaults?.model).toEqual({
+      fallbacks: ["openai/gpt-5.4"],
+      primary: "github-copilot/claude-opus-4.7",
+    });
+
+    const profile = ensureAuthProfileStore(agentDir).profiles["github-copilot:github"];
+    expect(profile).toEqual({
+      type: "token",
+      provider: "github-copilot",
+      tokenRef: {
+        source: "env",
+        provider: "default",
+        id: "COPILOT_GITHUB_TOKEN",
+      },
+    });
+  });
+
+  it("falls back to GH_TOKEN during non-interactive onboarding", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+    const resolveApiKey = vi.fn(async ({ envVar }: { envVar?: string }) =>
+      envVar === "GH_TOKEN"
+        ? {
+            key: "ghu_from_gh_token",
+            source: "env" as const,
+            envVarName: "GH_TOKEN",
+          }
+        : null,
+    );
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {},
+      baseConfig: {},
+      opts: {},
+      runtime,
+      agentDir,
+      resolveApiKey,
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(resolveApiKey).toHaveBeenCalledWith(
+      expect.objectContaining({ envVar: "COPILOT_GITHUB_TOKEN" }),
+    );
+    expect(resolveApiKey).toHaveBeenCalledWith(expect.objectContaining({ envVar: "GH_TOKEN" }));
+    expect(result?.auth?.profiles?.["github-copilot:github"]).toEqual({
+      provider: "github-copilot",
+      mode: "token",
+    });
+
+    const profile = ensureAuthProfileStore(agentDir).profiles["github-copilot:github"];
+    expect(profile).toEqual({
+      type: "token",
+      provider: "github-copilot",
+      token: "ghu_from_gh_token",
+    });
+  });
+
+  it("preserves an existing primary model during non-interactive onboarding", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {
+        agents: {
+          defaults: {
+            model: {
+              primary: "github-copilot/gpt-5.4",
+              fallbacks: ["openai/gpt-5.4"],
+            },
+            models: {
+              "github-copilot/gpt-5.4": { label: "Existing" },
+            },
+          },
+        },
+      },
+      baseConfig: {},
+      opts: { githubCopilotToken: "ghu_test" },
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => ({
+        key: "ghu_test",
+        source: "flag" as const,
+      })),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(result?.agents?.defaults?.model).toEqual({
+      primary: "github-copilot/gpt-5.4",
+      fallbacks: ["openai/gpt-5.4"],
+    });
+    expect(result?.agents?.defaults?.models).toEqual({
+      "github-copilot/gpt-5.4": { label: "Existing" },
+    });
+  });
+
+  it("reuses an existing token profile during non-interactive onboarding", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+    await fs.writeFile(
+      path.join(agentDir, "auth-profiles.json"),
+      JSON.stringify({
+        version: 1,
+        profiles: {
+          "github-copilot:github": {
+            type: "token",
+            provider: "github-copilot",
+            token: "existing-token",
+          },
+        },
+      }),
+    );
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {},
+      baseConfig: {},
+      opts: {},
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => null),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(result?.auth?.profiles?.["github-copilot:github"]).toEqual({
+      provider: "github-copilot",
+      mode: "token",
+    });
+  });
+
+  it("does not emit a second missing-token error after ref-mode flag validation fails", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {},
+      baseConfig: {},
+      opts: {
+        githubCopilotToken: "ghu_secret",
+        secretInputMode: "ref",
+      },
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => null),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(result).toBeNull();
+    expect(runtime.error).toHaveBeenCalledTimes(1);
+    expect(runtime.error).toHaveBeenCalledWith(
+      [
+        "--github-copilot-token cannot be used with --secret-input-mode ref unless COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN is set in env.",
+        "Set one of those env vars and omit --github-copilot-token, or use --secret-input-mode plaintext.",
+      ].join("\n"),
+    );
+  });
 });
--- a/extensions/github-copilot/index.ts
+++ b/extensions/github-copilot/index.ts
@@ -1,6 +1,18 @@
 import { resolvePluginConfigObject, type OpenClawConfig } from "openclaw/plugin-sdk/config-runtime";
-import { definePluginEntry, type ProviderAuthContext } from "openclaw/plugin-sdk/plugin-entry";
-import { ensureAuthProfileStore } from "openclaw/plugin-sdk/provider-auth";
+import {
+  definePluginEntry,
+  type ProviderAuthContext,
+  type ProviderAuthMethodNonInteractiveContext,
+} from "openclaw/plugin-sdk/plugin-entry";
+import {
+  applyAuthProfileConfig,
+  coerceSecretRef,
+  ensureAuthProfileStore,
+  listProfilesForProvider,
+  normalizeOptionalSecretInput,
+  resolveDefaultSecretProviderAlias,
+  upsertAuthProfileWithLock,
+} from "openclaw/plugin-sdk/provider-auth";
 import { normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/text-runtime";
 import { resolveFirstGithubToken } from "./auth.js";
 import { githubCopilotMemoryEmbeddingProviderAdapter } from "./embeddings.js";
@@ -9,6 +21,8 @@ import { buildGithubCopilotReplayPolicy } from "./replay-policy.js";
 import { wrapCopilotProviderStream } from "./stream.js";

 const COPILOT_ENV_VARS = ["COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"];
+const DEFAULT_COPILOT_MODEL = "github-copilot/claude-opus-4.7";
+const DEFAULT_COPILOT_PROFILE_ID = "github-copilot:github";
 const COPILOT_XHIGH_MODEL_IDS = ["gpt-5.4", "gpt-5.3-codex", "gpt-5.2", "gpt-5.2-codex"] as const;

 type GithubCopilotPluginConfig = {
@@ -20,6 +34,187 @@ type GithubCopilotPluginConfig = {
 async function loadGithubCopilotRuntime() {
  return await import("./register.runtime.js");
 }
+
+function applyCopilotDefaultModel(cfg: OpenClawConfig): OpenClawConfig {
+  const defaults = cfg.agents?.defaults;
+  const existingModel = defaults?.model;
+  const existingPrimary =
+    typeof existingModel === "string"
+      ? existingModel.trim()
+      : typeof existingModel === "object" && typeof existingModel?.primary === "string"
+        ? existingModel.primary.trim()
+        : "";
+  if (existingPrimary) {
+    return cfg;
+  }
+  const fallbacks =
+    typeof existingModel === "object" && existingModel !== null && "fallbacks" in existingModel
+      ? (existingModel as { fallbacks?: string[] }).fallbacks
+      : undefined;
+  return {
+    ...cfg,
+    agents: {
+      ...cfg.agents,
+      defaults: {
+        ...defaults,
+        model: {
+          ...(fallbacks ? { fallbacks } : undefined),
+          primary: DEFAULT_COPILOT_MODEL,
+        },
+        models: {
+          ...defaults?.models,
+          [DEFAULT_COPILOT_MODEL]: defaults?.models?.[DEFAULT_COPILOT_MODEL] ?? {},
+        },
+      },
+    },
+  };
+}
+
+function resolveExistingCopilotTokenProfileId(agentDir?: string): string | undefined {
+  const authStore = ensureAuthProfileStore(agentDir, {
+    allowKeychainPrompt: false,
+  });
+  return listProfilesForProvider(authStore, PROVIDER_ID).find((profileId) => {
+    const profile = authStore.profiles[profileId];
+    if (profile?.type !== "token") {
+      return false;
+    }
+    return Boolean(
+      normalizeOptionalSecretInput(profile.token) || coerceSecretRef(profile.tokenRef)?.id.trim(),
+    );
+  });
+}
+
+async function resolveCopilotNonInteractiveToken(
+  ctx: ProviderAuthMethodNonInteractiveContext,
+  flagValue: string | undefined,
+) {
+  const resolveFromEnvChain = async () => {
+    for (const envVar of COPILOT_ENV_VARS) {
+      const resolved = await ctx.resolveApiKey({
+        provider: PROVIDER_ID,
+        flagName: "--github-copilot-token",
+        envVar,
+        envVarName: envVar,
+        allowProfile: false,
+        required: false,
+      });
+      if (resolved) {
+        return resolved;
+      }
+    }
+    return null;
+  };
+
+  if (ctx.opts.secretInputMode === "ref") {
+    const resolved = await resolveFromEnvChain();
+    if (resolved) {
+      return resolved;
+    }
+    if (flagValue) {
+      ctx.runtime.error(
+        [
+          "--github-copilot-token cannot be used with --secret-input-mode ref unless COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN is set in env.",
+          "Set one of those env vars and omit --github-copilot-token, or use --secret-input-mode plaintext.",
+        ].join("\n"),
+      );
+      ctx.runtime.exit(1);
+    }
+    return null;
+  }
+
+  const primary = await ctx.resolveApiKey({
+    provider: PROVIDER_ID,
+    flagValue,
+    flagName: "--github-copilot-token",
+    envVar: COPILOT_ENV_VARS[0],
+    envVarName: COPILOT_ENV_VARS[0],
+    allowProfile: false,
+    required: false,
+  });
+  if (primary || flagValue) {
+    return primary;
+  }
+
+  for (const envVar of COPILOT_ENV_VARS.slice(1)) {
+    const resolved = await ctx.resolveApiKey({
+      provider: PROVIDER_ID,
+      flagName: "--github-copilot-token",
+      envVar,
+      envVarName: envVar,
+      allowProfile: false,
+      required: false,
+    });
+    if (resolved) {
+      return resolved;
+    }
+  }
+  return null;
+}
+
+async function runGitHubCopilotNonInteractiveAuth(
+  ctx: ProviderAuthMethodNonInteractiveContext,
+): Promise<OpenClawConfig | null> {
+  const opts = ctx.opts as Record<string, unknown> | undefined;
+  const flagValue = normalizeOptionalSecretInput(opts?.githubCopilotToken);
+  const resolved = await resolveCopilotNonInteractiveToken(ctx, flagValue);
+
+  let profileId = DEFAULT_COPILOT_PROFILE_ID;
+  if (resolved) {
+    const useTokenRef = ctx.opts.secretInputMode === "ref" && resolved.source === "env";
+    if (useTokenRef && !resolved.envVarName) {
+      ctx.runtime.error(
+        [
+          '--secret-input-mode ref requires an explicit environment variable for provider "github-copilot".',
+          "Set COPILOT_GITHUB_TOKEN in env and retry, or use --secret-input-mode plaintext.",
+        ].join("\n"),
+      );
+      ctx.runtime.exit(1);
+      return null;
+    }
+    await upsertAuthProfileWithLock({
+      profileId,
+      credential: {
+        type: "token",
+        provider: PROVIDER_ID,
+        ...(useTokenRef
+          ? {
+              tokenRef: {
+                source: "env",
+                provider: resolveDefaultSecretProviderAlias(ctx.baseConfig, "env", {
+                  preferFirstProviderForSource: true,
+                }),
+                id: resolved.envVarName!,
+              },
+            }
+          : { token: resolved.key }),
+      },
+      agentDir: ctx.agentDir,
+    });
+  } else {
+    if (flagValue && ctx.opts.secretInputMode === "ref") {
+      return null;
+    }
+    const existingProfileId = resolveExistingCopilotTokenProfileId(ctx.agentDir);
+    if (!existingProfileId) {
+      ctx.runtime.error(
+        "Missing --github-copilot-token (or COPILOT_GITHUB_TOKEN / GH_TOKEN / GITHUB_TOKEN env var) for --auth-choice github-copilot.",
+      );
+      ctx.runtime.exit(1);
+      return null;
+    }
+    profileId = existingProfileId;
+  }
+
+  return applyCopilotDefaultModel(
+    applyAuthProfileConfig(ctx.config, {
+      profileId,
+      provider: PROVIDER_ID,
+      mode: "token",
+    }),
+  );
+}
+
 export default definePluginEntry({
  id: "github-copilot",
  name: "GitHub Copilot Provider",
@@ -74,11 +269,11 @@ export default definePluginEntry({
      return {
        profiles: [
          {
-            profileId: "github-copilot:github",
+            profileId: DEFAULT_COPILOT_PROFILE_ID,
            credential,
          },
        ],
-        defaultModel: "github-copilot/claude-opus-4.7",
+        defaultModel: DEFAULT_COPILOT_MODEL,
      };
    }

@@ -96,6 +291,7 @@ export default definePluginEntry({
          hint: "Browser device-code flow",
          kind: "device_code",
          run: async (ctx) => await runGitHubCopilotAuth(ctx),
+          runNonInteractive: async (ctx) => await runGitHubCopilotNonInteractiveAuth(ctx),
        },
      ],
      wizard: {
--- a/extensions/github-copilot/openclaw.plugin.json
+++ b/extensions/github-copilot/openclaw.plugin.json
@@ -17,7 +17,11 @@
      "choiceHint": "Device login with your GitHub account",
      "groupId": "copilot",
      "groupLabel": "Copilot",
-      "groupHint": "GitHub + local proxy"
+      "groupHint": "GitHub + local proxy",
+      "optionKey": "githubCopilotToken",
+      "cliFlag": "--github-copilot-token",
+      "cliOption": "--github-copilot-token <token>",
+      "cliDescription": "GitHub Copilot OAuth token"
    }
  ],
  "configSchema": {