vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 17:20:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(onboard): support non-interactive GitHub Copilot token auth

Browse Source 
Add manifest-owned GitHub Copilot token support for non-interactive onboarding, including documented env fallback, ref-mode tokenRef storage, saved-profile reuse, and default model wiring that preserves existing primary model configuration.

Validation:
- pnpm test extensions/github-copilot/index.test.ts src/plugins/contracts/registry.contract.test.ts src/commands/onboard-non-interactive/local/auth-choice-inference.test.ts
- pnpm check:changed
- CI green on aadac2c8d4
This commit is contained in:
Val Alexander
2026-04-26 22:56:20 -05:00
committed by GitHub
parent 18b76e3995
commit 461c10bb51
6 changed files with 498 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

204
extensions/github-copilot/index.ts
View File

@@ -1,6 +1,18 @@
import { resolvePluginConfigObject, type OpenClawConfig } from "openclaw/plugin-sdk/config-runtime";
import { definePluginEntry, type ProviderAuthContext } from "openclaw/plugin-sdk/plugin-entry";
import { ensureAuthProfileStore } from "openclaw/plugin-sdk/provider-auth";
import {
definePluginEntry,
type ProviderAuthContext,
type ProviderAuthMethodNonInteractiveContext,
} from "openclaw/plugin-sdk/plugin-entry";
import {
applyAuthProfileConfig,
coerceSecretRef,
ensureAuthProfileStore,
listProfilesForProvider,
normalizeOptionalSecretInput,
resolveDefaultSecretProviderAlias,
upsertAuthProfileWithLock,
} from "openclaw/plugin-sdk/provider-auth";
import { normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/text-runtime";
import { resolveFirstGithubToken } from "./auth.js";
import { githubCopilotMemoryEmbeddingProviderAdapter } from "./embeddings.js";
@@ -9,6 +21,8 @@ import { buildGithubCopilotReplayPolicy } from "./replay-policy.js";
import { wrapCopilotProviderStream } from "./stream.js";
const COPILOT_ENV_VARS = ["COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"];
const DEFAULT_COPILOT_MODEL = "github-copilot/claude-opus-4.7";
const DEFAULT_COPILOT_PROFILE_ID = "github-copilot:github";
const COPILOT_XHIGH_MODEL_IDS = ["gpt-5.4", "gpt-5.3-codex", "gpt-5.2", "gpt-5.2-codex"] as const;
type GithubCopilotPluginConfig = {
@@ -20,6 +34,187 @@ type GithubCopilotPluginConfig = {
async function loadGithubCopilotRuntime() {
return await import("./register.runtime.js");
}
function applyCopilotDefaultModel(cfg: OpenClawConfig): OpenClawConfig {
const defaults = cfg.agents?.defaults;
const existingModel = defaults?.model;
const existingPrimary =
typeof existingModel === "string"
? existingModel.trim()
: typeof existingModel === "object" && typeof existingModel?.primary === "string"
? existingModel.primary.trim()
: "";
if (existingPrimary) {
return cfg;
}
const fallbacks =
typeof existingModel === "object" && existingModel !== null && "fallbacks" in existingModel
? (existingModel as { fallbacks?: string[] }).fallbacks
: undefined;
return {
...cfg,
agents: {
...cfg.agents,
defaults: {
...defaults,
model: {
...(fallbacks ? { fallbacks } : undefined),
primary: DEFAULT_COPILOT_MODEL,
},
models: {
...defaults?.models,
[DEFAULT_COPILOT_MODEL]: defaults?.models?.[DEFAULT_COPILOT_MODEL] ?? {},
},
},
},
};
}
function resolveExistingCopilotTokenProfileId(agentDir?: string): string | undefined {
const authStore = ensureAuthProfileStore(agentDir, {
allowKeychainPrompt: false,
});
return listProfilesForProvider(authStore, PROVIDER_ID).find((profileId) => {
const profile = authStore.profiles[profileId];
if (profile?.type !== "token") {
return false;
}
return Boolean(
normalizeOptionalSecretInput(profile.token) || coerceSecretRef(profile.tokenRef)?.id.trim(),
);
});
}
async function resolveCopilotNonInteractiveToken(
ctx: ProviderAuthMethodNonInteractiveContext,
flagValue: string | undefined,
) {
const resolveFromEnvChain = async () => {
for (const envVar of COPILOT_ENV_VARS) {
const resolved = await ctx.resolveApiKey({
provider: PROVIDER_ID,
flagName: "--github-copilot-token",
envVar,
envVarName: envVar,
allowProfile: false,
required: false,
});
if (resolved) {
return resolved;
}
}
return null;
};
if (ctx.opts.secretInputMode === "ref") {
const resolved = await resolveFromEnvChain();
if (resolved) {
return resolved;
}
if (flagValue) {
ctx.runtime.error(
[
"--github-copilot-token cannot be used with --secret-input-mode ref unless COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN is set in env.",
"Set one of those env vars and omit --github-copilot-token, or use --secret-input-mode plaintext.",
].join("\n"),
);
ctx.runtime.exit(1);
}
return null;
}
const primary = await ctx.resolveApiKey({
provider: PROVIDER_ID,
flagValue,
flagName: "--github-copilot-token",
envVar: COPILOT_ENV_VARS[0],
envVarName: COPILOT_ENV_VARS[0],
allowProfile: false,
required: false,
});
if (primary || flagValue) {
return primary;
}
for (const envVar of COPILOT_ENV_VARS.slice(1)) {
const resolved = await ctx.resolveApiKey({
provider: PROVIDER_ID,
flagName: "--github-copilot-token",
envVar,
envVarName: envVar,
allowProfile: false,
required: false,
});
if (resolved) {
return resolved;
}
}
return null;
}
async function runGitHubCopilotNonInteractiveAuth(
ctx: ProviderAuthMethodNonInteractiveContext,
): Promise<OpenClawConfig | null> {
const opts = ctx.opts as Record<string, unknown> | undefined;
const flagValue = normalizeOptionalSecretInput(opts?.githubCopilotToken);
const resolved = await resolveCopilotNonInteractiveToken(ctx, flagValue);
let profileId = DEFAULT_COPILOT_PROFILE_ID;
if (resolved) {
const useTokenRef = ctx.opts.secretInputMode === "ref" && resolved.source === "env";
if (useTokenRef && !resolved.envVarName) {
ctx.runtime.error(
[
'--secret-input-mode ref requires an explicit environment variable for provider "github-copilot".',
"Set COPILOT_GITHUB_TOKEN in env and retry, or use --secret-input-mode plaintext.",
].join("\n"),
);
ctx.runtime.exit(1);
return null;
}
await upsertAuthProfileWithLock({
profileId,
credential: {
type: "token",
provider: PROVIDER_ID,
...(useTokenRef
? {
tokenRef: {
source: "env",
provider: resolveDefaultSecretProviderAlias(ctx.baseConfig, "env", {
preferFirstProviderForSource: true,
}),
id: resolved.envVarName!,
},
}
: { token: resolved.key }),
},
agentDir: ctx.agentDir,
});
} else {
if (flagValue && ctx.opts.secretInputMode === "ref") {
return null;
}
const existingProfileId = resolveExistingCopilotTokenProfileId(ctx.agentDir);
if (!existingProfileId) {
ctx.runtime.error(
"Missing --github-copilot-token (or COPILOT_GITHUB_TOKEN / GH_TOKEN / GITHUB_TOKEN env var) for --auth-choice github-copilot.",
);
ctx.runtime.exit(1);
return null;
}
profileId = existingProfileId;
}
return applyCopilotDefaultModel(
applyAuthProfileConfig(ctx.config, {
profileId,
provider: PROVIDER_ID,
mode: "token",
}),
);
}
export default definePluginEntry({
id: "github-copilot",
name: "GitHub Copilot Provider",
@@ -74,11 +269,11 @@ export default definePluginEntry({
return {
profiles: [
{
profileId: "github-copilot:github",
profileId: DEFAULT_COPILOT_PROFILE_ID,
credential,
},
],
defaultModel: "github-copilot/claude-opus-4.7",
defaultModel: DEFAULT_COPILOT_MODEL,
};
}
@@ -96,6 +291,7 @@ export default definePluginEntry({
hint: "Browser device-code flow",
kind: "device_code",
run: async (ctx) => await runGitHubCopilotAuth(ctx),
runNonInteractive: async (ctx) => await runGitHubCopilotNonInteractiveAuth(ctx),
},
],
wizard: {