Migrate Copilot engine from COPILOT_CLI_TOKEN to COPILOT_GITHUB_TOKEN with backward compatibility

[Copilot]

Update Copilot Token Environment Variable Name

This PR updates the Copilot agentic engine to use COPILOT_GITHUB_TOKEN instead of COPILOT_CLI_TOKEN while maintaining backward compatibility.

Recent Changes

• Merge main: Merged latest changes from main branch, resolved conflicts
• Test fix: Updated test to verify COPILOT_GITHUB_TOKEN environment variable name (instead of GITHUB_TOKEN)
• Environment variable naming: Changed from GITHUB_TOKEN to COPILOT_GITHUB_TOKEN for explicit clarity about token purpose
• Code organization: Assigned copilotGitHubToken variable in copilot_engine.go for better code maintainability
• Documentation: Updated instruction files to use COPILOT_GITHUB_TOKEN consistently

Core Implementation

• Secret validation: Multi-secret validation accepts either COPILOT_GITHUB_TOKEN or COPILOT_CLI_TOKEN
• Environment variable: COPILOT_GITHUB_TOKEN (not GITHUB_TOKEN) uses fallback expression ${{ secrets.COPILOT_GITHUB_TOKEN || secrets.COPILOT_CLI_TOKEN }}
• Trial command: Primary secret name changed to COPILOT_GITHUB_TOKEN with legacy support

Backward Compatibility

• Existing workflows with COPILOT_CLI_TOKEN continue to work without modification
• Fallback expression prioritizes new name, falls back to legacy name
• No breaking changes for existing users

Verification

• ✅ All unit tests pass
• ✅ All 66 workflows compile successfully (after merge)
• ✅ make agent-finish completes with 0 errors
• ✅ Environment variable explicitly named COPILOT_GITHUB_TOKEN instead of generic GITHUB_TOKEN
• ✅ Successfully merged with main branch

Original prompt

Update copilot agentic engine to pass the copilot cli token through the "COPILOT_GITHUB_TOKEN" environment variable.

• replace COPILOT_CLI_TOKEN with COPILOT_GITHUB_TOKEN
• maintain backward compatibility by adding fallback to secrets.COPILOT_CLI_TOKEN
• update all occurrences of COPILOT_CLI_TOKEN

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

@copilot Use COPILOT_GITHUB_TOKEN as it takes precedence

[Copilot]

Updated to use COPILOT_GITHUB_TOKEN without fallback in the example. (f7eee63)

[pelikhan]

@copilot assign COPILOT_GITHUB_TOKEN var name

[Copilot]

Assigned to copilotGitHubToken variable for cleaner code organization. (f7eee63)

[pelikhan]

@copilot revert previous commit. The variable to store the secret should be COPILOT_GITHUB_TOKEN instead of GITHUB_TOKEN. Keep the backward compatible fallback to COPILOT_CLI_TOKEN

[Copilot]

@copilot revert previous commit. The variable to store the secret should be COPILOT_GITHUB_TOKEN instead of GITHUB_TOKEN. Keep the backward compatible fallback to COPILOT_CLI_TOKEN

Changed the environment variable name from GITHUB_TOKEN to COPILOT_GITHUB_TOKEN while keeping the backward compatible fallback expression ${{ secrets.COPILOT_GITHUB_TOKEN || secrets.COPILOT_CLI_TOKEN }}. (f951db5)

[pelikhan]

@copilot fix tests

[Copilot]

@copilot fix tests

Fixed test to check for COPILOT_GITHUB_TOKEN environment variable name instead of GITHUB_TOKEN. All tests now pass. (4a2a36f)

[Copilot]

Pull Request Overview

This PR renames the Copilot engine secret from COPILOT_CLI_TOKEN to COPILOT_GITHUB_TOKEN across the codebase while maintaining backward compatibility with the legacy name. The change updates documentation, test expectations, workflow files, and CLI code to support both secret names with a fallback mechanism.

Key changes:

• Renamed primary secret from COPILOT_CLI_TOKEN to COPILOT_GITHUB_TOKEN
• Added fallback support for legacy COPILOT_CLI_TOKEN name
• Updated all documentation and instructional files
• Modified secret validation logic to check for either secret

Reviewed Changes

Copilot reviewed 53 out of 53 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/workflow/copilot_engine.go	Changed to use GenerateMultiSecretValidationStep with both secret names and updated environment variable to COPILOT_GITHUB_TOKEN with fallback
pkg/workflow/copilot_engine_test.go	Updated test expectations to check for new secret name with fallback syntax
pkg/workflow/secret_validation_test.go	Modified tests to validate both new and legacy secret names
pkg/workflow/redact_secrets_test.go	Updated test expectations to include both secret names in collection and validation
pkg/cli/trial_command.go	Changed secret name handling to use COPILOT_GITHUB_TOKEN while maintaining legacy support
docs/*.md	Updated all documentation to reference new secret name with backward compatibility notes
.github/workflows/*.lock.yml	Regenerated workflow files with new secret validation and environment variable setup
.github/instructions/*.md	Updated instruction files to reference new secret name

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Smoke Test Failure Investigation

The Smoke OpenCode workflow failed on this PR due to a jq JSON parsing error when trying to configure OpenCode with MCP servers. The workflow attempted to transform the MCP configuration from gh-aw format to OpenCode format but encountered malformed JSON.

Full Investigation Report - Run #84

Failure Details

• Run: §19072988171
• Commit: 4a2a36f
• Branch: copilot/update-copilot-cli-token
• Trigger: pull_request
• Duration: 1.2m
• Failed Job: agent (45s)

Root Cause Analysis

Primary Error

jq: parse error: Invalid numeric literal at line 1, column 13
##[error]Process completed with exit code 5.

What Happened:

1. The OpenCode smoke test workflow runs a bash script to configure OpenCode with MCP servers
2. This script reads the gh-aw MCP configuration file (/tmp/gh-aw/mcp-config/mcp-servers.json)
3. It uses jq to transform the configuration from gh-aw format to OpenCode format
4. The jq parser failed with "Invalid numeric literal at line 1, column 13"
5. This indicates the MCP configuration file contains malformed JSON

Root Cause:
The MCP configuration file generated during the activation phase contains invalid JSON syntax. Specifically, there's an invalid numeric literal near the beginning of the file (position 13), which suggests:

• Possible incomplete JSON generation
• Incorrect escaping or quoting
• Malformed number formatting
• Empty or partially written configuration

Failed Jobs and Errors

Job Sequence:

1. ✅ pre_activation - succeeded (6s)
2. ✅ activation - succeeded (8s)
3. ❌ agent - failed (45s) - Failed during OpenCode MCP setup
4. ⏭️ detection - skipped
5. ⏭️ create_issue - skipped
6. ⏭️ missing_tool - skipped

Error Location:
The failure occurred in the "Run OpenCode agent with prompt" step when executing the MCP configuration transformation script. The script found the MCP configuration file but couldn't parse it with jq.

Investigation Findings

Context of This PR

This PR is titled "Fix test to check for COPILOT_GITHUB_TOKEN instead of GITHUB_TOKEN" and updates a test in copilot_engine_test.go. The changes are related to the Copilot engine configuration, specifically renaming the environment variable from GITHUB_TOKEN to COPILOT_GITHUB_TOKEN.

Why This Might Have Failed:
While this PR itself doesn't directly modify MCP configuration generation, it's on the copilot/update-copilot-cli-token branch which may have other changes affecting MCP setup. The OpenCode smoke test uses a shared MCP configuration system, and changes to environment variable handling could potentially affect how MCP configurations are generated.

Similar Historical Patterns

I searched the investigation cache and found related MCP configuration issues:

• COPILOT_INVALID_MCP_CONFIG_SCHEMA: MCP configs with invalid schema causing validation errors
• COPILOT_SAFE_OUTPUTS_MALFORMED_CONFIG: JSON escaping issues in MCP environment variables

However, this specific pattern (jq parse error for OpenCode MCP setup) has not been seen before in the investigation history.

Recommended Actions

Immediate Investigation Needed

• Examine the MCP configuration file

  • The file should be at /tmp/gh-aw/mcp-config/mcp-servers.json
  • Check if it exists and contains valid JSON
  • Look for issues around character position 13

• Check MCP configuration generation

  • Review the activation job logs to see how the MCP config was created
  • Verify the configuration generation code handles environment variables correctly
  • Ensure JSON is properly formatted before writing to file

• Test locally

  # Reproduce the issue:
  # 1. Generate MCP config as the workflow does
  # 2. Try to parse with jq
  cat /path/to/mcp-servers.json | jq .

Fix Options

Option 1: Add MCP Configuration Validation

- name: Validate MCP Config
  run: |
    if [ -f "$GH_AW_MCP_CONFIG" ]; then
      echo "Validating MCP configuration..."
      jq empty "$GH_AW_MCP_CONFIG" || {
        echo "::error::Invalid JSON in MCP configuration"
        cat "$GH_AW_MCP_CONFIG"
        exit 1
      }
    fi

Option 2: Add Error Handling in OpenCode Setup Script

# Before the jq transformation, validate the input
if ! jq empty "$GH_AW_MCP_CONFIG" 2>/dev/null; then
  echo "::error::Invalid MCP configuration JSON"
  echo "File contents:"
  cat "$GH_AW_MCP_CONFIG"
  exit 1
fi

Option 3: Investigate Environment Variable Changes

• Review changes on the copilot/update-copilot-cli-token branch
• Check if token renaming affects MCP configuration generation
• Verify all environment variables are properly set during activation

Prevention Strategies

1. Pre-flight JSON Validation

   • Validate all generated JSON files before using them
   • Use jq empty to verify JSON syntax
   • Fail fast with clear error messages

2. Better Error Context

   • When jq fails, show the actual file contents
   • Display file size and structure
   • Include line/column numbers in error messages

3. Integration Testing

   • Add tests that verify MCP configuration generation
   • Test OpenCode MCP setup with various configurations
   • Validate JSON parsing across all smoke test workflows

4. Defensive Coding

   • Check if files exist before reading them
   • Handle empty or malformed configurations gracefully
   • Add try-catch around JSON parsing operations

Technical Details

Error Context

• Error Type: JSON Parse Error
• Tool: jq (command-line JSON processor)
• Error Code: 5 (jq exits with code 5 for parse errors)
• Position: Line 1, column 13
• Input File: /tmp/gh-aw/mcp-config/mcp-servers.json

Workflow Configuration

• Engine: Custom Steps (OpenCode)
• MCP Config Path: /tmp/gh-aw/mcp-config/mcp-servers.json
• Transformation: gh-aw format → OpenCode format
• Target Config: ~/.config/opencode/opencode.json

Environment

• Runner: ubuntu-24.04
• jq Version: Available on GitHub Actions runners
• OpenCode Config: Uses JSON schema from (redacted)

Next Steps

1. Re-run the workflow to see if this is a transient issue
2. Examine the MCP configuration file from the failed run (if available in artifacts)
3. Review recent changes on the copilot/update-copilot-cli-token branch that might affect MCP setup
4. Add validation to catch malformed JSON before attempting jq transformation
5. Create a new issue to track OpenCode MCP configuration robustness improvements

---

References:

• §19072988171

---

AI generated by Smoke Detector - Smoke Test Failure Investigator

AI generated by Smoke Detector - Smoke Test Failure Investigator

[pelikhan]

@copilot merge main

[Copilot]

@copilot merge main

Merged main branch into PR. Resolved conflict with smoke-copilot.firewall.lock.yml (deleted in main). All tests pass and workflows compile successfully. (0cec660)