Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Documentation: GHE support #31701

Closed
github/gh-aw-firewall
#3094
Closed
Documentation: GHE support#31701
github/gh-aw-firewall
#3094
Labels
ai-inspectedcommunity
@NicolasRannou

Description

@NicolasRannou
NicolasRannou
opened on May 12, 2026

Hello,

Does GH AW support GHE? I'm trying to set it up but I am experimenting a few issues and it is unclear for me, as gh-aw is new, if that's something I should fix on my side or whether it's just not supported yet:

Error:

Error: No authentication information found.

Copilot can be authenticated with GitHub using an OAuth Token or a Fine-Grained Personal Access Token.

More details: The execute github copilot cli fails as it can not access secrets for some reason:

[WARN] ⚠️  Using --env-all: All host environment variables will be passed to container
[WARN]    This may expose sensitive credentials if logs or configs are shared
[WARN] ⚠️  Host access enabled with host.docker.internal in allowed domains
[WARN]    Containers can access ANY service running on the host machine
[WARN]    Only use this for trusted workloads (e.g., MCP gateways)
[INFO] API proxy enabled: OpenAI=false, Anthropic=false, Copilot=true
[INFO] Allowed domains: api.business.githubcopilot.com, api.enterprise.githubcopilot.com, api.github.com, api.githubcopilot.com, api.individual.githubcopilot.com, api.snapcraft.io, archive.ubuntu.com, azure.archive.ubuntu.com, crl.geotrust.com, crl.globalsign.com, crl.identrust.com, crl.sectigo.com, crl.thawte.com, crl.usertrust.com, crl.verisign.com, crl3.digicert.com, crl4.digicert.com, crls.ssl.com, github.com, host.docker.internal, json-schema.org, json.schemastore.org, keyserver.ubuntu.com, ocsp.digicert.com, ocsp.geotrust.com, ocsp.globalsign.com, ocsp.identrust.com, ocsp.sectigo.com, ocsp.ssl.com, ocsp.thawte.com, ocsp.usertrust.com, ocsp.verisign.com, packagecloud.io, packages.cloud.google.com, packages.microsoft.com, ppa.launchpad.net, raw.githubusercontent.com, registry.npmjs.org, s.symcb.com, s.symcd.com, security.ubuntu.com, telemetry.enterprise.githubcopilot.com, ts-crl.ws.symantec.com, ts-ocsp.ws.symantec.com, straumann.ghe.com, api.straumann.ghe.com
[INFO] Setting up host-level firewall network and iptables rules...
[SUCCESS] Created network 'awf-net' with bridge 'fw-bridge'
[INFO] Setting up host-level iptables rules...
[SUCCESS] Host-level iptables rules configured successfully
[INFO] Generating configuration files...
[INFO] API proxy sidecar enabled - API keys will be held securely in sidecar container
[INFO] API proxy will route through Squid to respect domain whitelisting
[INFO] Starting containers...
 Container awf-squid  Creating
 Container awf-api-proxy  Creating
 Container awf-api-proxy  Created
 Container awf-squid  Created
 Container awf-agent  Creating
 Container awf-agent  Created
 Container awf-iptables-init  Creating
 Container awf-iptables-init  Created
 Container awf-api-proxy  Starting
 Container awf-squid  Starting
 Container awf-api-proxy  Started
 Container awf-squid  Started
 Container awf-api-proxy  Waiting
 Container awf-squid  Waiting
 Container awf-api-proxy  Healthy
 Container awf-squid  Healthy
 Container awf-agent  Starting
 Container awf-agent  Started
 Container awf-agent  Waiting
 Container awf-agent  Healthy
 Container awf-iptables-init  Starting
 Container awf-iptables-init  Started
[SUCCESS] Containers started successfully
[INFO] Executing agent command...
[entrypoint] Agentic Workflow Firewall - Agent Container
[entrypoint] ==================================
[entrypoint] Adjusting awfuser UID:GID from 1000:1000 to 1001:1001
[entrypoint] UID/GID adjustment complete
[entrypoint] Configuring DNS...
[entrypoint] DNS configured with Docker embedded DNS (127.0.0.11) only
[entrypoint] Waiting for iptables initialization from init container...
[entrypoint] iptables initialization complete
[health-check] API Proxy Pre-flight Check
[health-check] ==========================================
[health-check] Checking GitHub Copilot API proxy configuration...
[health-check] COPILOT_API_URL=http://172.30.0.30:10002/
[health-check] ✓ COPILOT_GITHUB_TOKEN is placeholder value (correct)
[health-check] ✓ COPILOT_TOKEN is placeholder value (correct)
[health-check] Testing connectivity to GitHub Copilot API proxy at http://172.30.0.30:10002.../
[health-check] ✓ GitHub Copilot API proxy is reachable at http://172.30.0.30:10002/
[health-check] ==========================================
[health-check] ✓ All API proxy health checks passed
[health-check] ✓ Credential isolation verified
[health-check] ✓ Connectivity established
[health-check] ==========================================
[entrypoint] Pre-seeding JVM build tool proxy configuration (squid-proxy:3128)...
[entrypoint] ✓ Created Maven proxy config (/host/home/runner/.m2/settings.xml)
[entrypoint] ✓ Created Gradle proxy config (/host/home/runner/.gradle/gradle.properties)
[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy and nonProxyHosts flags
[entrypoint] Proxy configuration:
[entrypoint]   HTTP_PROXY=http://172.30.0.10:3128/
[entrypoint]   HTTPS_PROXY=http://172.30.0.10:3128/
[entrypoint] Network information:
[entrypoint]   IP address: 172.30.0.20 
[entrypoint]   Hostname: ce4ac349ad8b
[entrypoint] ==================================
[entrypoint] Chroot mode enabled - dropping CAP_SYS_CHROOT and CAP_SYS_ADMIN
[entrypoint] Switching to awfuser (UID: 1001, GID: 1001)
[entrypoint] Executing command: /bin/bash -c /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"'

[entrypoint] Chroot mode: running command inside host filesystem (/host)
[entrypoint] Mounted procfs at /host/proc (nosuid,nodev,noexec)
[entrypoint] One-shot token library copied to chroot at /tmp/awf-lib/one-shot-token.so
[entrypoint] DNS configuration created in chroot (/host/etc/resolv.conf)
[entrypoint] Chroot working directory: /home/runner/work/my_repo/my_repo
[entrypoint] Running as host user: runner (UID: 1001)
[entrypoint] Using host PATH for chroot
[entrypoint] Adding JAVA_HOME/bin to PATH: /usr/lib/jvm/temurin-17-jdk-amd64/bin
[entrypoint] DNS configuration will be removed on exit
Error: No authentication information found.

Copilot can be authenticated with GitHub using an OAuth Token or a Fine-Grained Personal Access Token.

To authenticate, you can use any of the following methods:
  • Start 'copilot' and run the '/login' command
  • Set the COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN environment variable
  • Run 'gh auth login' to authenticate with the GitHub CLI
[entrypoint] Unsetting sensitive tokens from parent shell environment...
[entrypoint] Unset COPILOT_GITHUB_TOKEN from /proc/1/environ

Metadata

Metadata

Assignees

No one assigned

    Labels

    ai-inspectedcommunity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions