feat: spec-driven engine.env allowlist via GetSupportedEnvVarKeys; remove strict: false from smoke workflows by Copilot · Pull Request #41465 · github/gh-aw

Copilot · 2026-06-25T14:14:29Z

The engine.env secret allowlist in strict-mode validation was derived dynamically by calling GetRequiredSecretNames with a minimal WorkflowData, which is fragile and conflates "runtime-required secrets" with "spec-supported env var keys". Smoke workflows had strict: false as a workaround that's no longer needed.

New interface method: `GetSupportedEnvVarKeys() []string`

Added to SecurityProvider; replaces the GetRequiredSecretNames(minimalData) hack in getEngineBaseEnvVarKeys(). Each engine now declares its static, spec-driven allowlist independently of runtime secret resolution:

// Before: heuristic — depended on GetRequiredSecretNames with empty WorkflowData
func (e *CopilotEngine) GetRequiredSecretNames(workflowData *WorkflowData) []string { ... }

// After: explicit static allowlist used only for strict-mode env validation
func (e *CopilotEngine) GetSupportedEnvVarKeys() []string {
    return []string{
        "COPILOT_GITHUB_TOKEN",
        constants.CopilotProviderBaseURL,
        constants.CopilotProviderAPIKey,
        constants.CopilotProviderBearerToken,
        constants.CopilotProviderWireAPI, // new constant
    }
}

BaseEngine provides a default returning []string{}. All engines implement it: Claude (ANTHROPIC_API_KEY), Codex (CODEX_API_KEY, OPENAI_API_KEY), Gemini (GEMINI_API_KEY), Antigravity (ANTIGRAVITY_API_KEY), and the universal engines (OpenCode, Crush, Pi) with their full multi-provider key sets.

Constant addition

CopilotProviderWireAPI = "COPILOT_PROVIDER_WIRE_API" added to engine_constants.go — used in smoke workflows but was missing from the spec.

Smoke workflow cleanup

Removed strict: false from all 6 smoke workflows (smoke-claude, smoke-codex, smoke-copilot, smoke-copilot-aoai-apikey, smoke-copilot-aoai-entra, smoke-copilot-arm). All 251 workflows recompile cleanly under strict mode.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

…ove strict: false from smoke workflows Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan · 2026-06-25T14:17:25Z

+// all BYOK provider variables that may carry secret values.
+func (e *CopilotEngine) GetSupportedEnvVarKeys() []string {
+	return []string{
+		"COPILOT_GITHUB_TOKEN",


@copilot create constant

Done — added constants.CopilotGitHubToken = "COPILOT_GITHUB_TOKEN" to pkg/constants/engine_constants.go and updated GetSupportedEnvVarKeys (and the EngineOptions table) to use it. Commit: feat: extract API key string literals into named constants

pelikhan · 2026-06-25T14:17:36Z

+// supports as defined in the AWF specification.
+func (e *CodexEngine) GetSupportedEnvVarKeys() []string {
+	return []string{
+		"CODEX_API_KEY",


@copilot create constant

Done — added constants.CodexAPIKey = "CODEX_API_KEY" and constants.OpenAIAPIKey = "OPENAI_API_KEY" to pkg/constants/engine_constants.go and updated GetSupportedEnvVarKeys (and the EngineOptions table) to use them.

pelikhan · 2026-06-25T14:17:48Z

+// supports as defined in the AWF specification.
+func (e *ClaudeEngine) GetSupportedEnvVarKeys() []string {
+	return []string{
+		"ANTHROPIC_API_KEY",


@copilot create constant

Done — added constants.AnthropicAPIKey = "ANTHROPIC_API_KEY" to pkg/constants/engine_constants.go and updated GetSupportedEnvVarKeys (and the EngineOptions table) to use it.

Add CopilotGitHubToken, AnthropicAPIKey, CodexAPIKey, OpenAIAPIKey, GeminiAPIKey, and AntigravityAPIKey constants to engine_constants.go. Replace string literals in copilot_engine.go, claude_engine.go, codex_engine.go, and the EngineOptions table in engine_constants.go. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan · 2026-06-25T14:38:52Z

@copilot merge main and recompile

Copilot

Pull request overview

This PR makes strict-mode engine.env secret allowlisting spec-driven by introducing SecurityProvider.GetSupportedEnvVarKeys() (instead of deriving an allowlist from GetRequiredSecretNames with minimal workflow data), and then removes strict: false workarounds from the smoke workflows now that strict mode validates cleanly.

Changes:

Added GetSupportedEnvVarKeys() []string to SecurityProvider (with a BaseEngine default) and implemented it across all engines; strict-mode env secret validation now uses this method.
Centralized primary engine secret names into constants and added CopilotProviderWireAPI to the Copilot BYOK env var constants.
Removed strict: false from smoke workflows and regenerated their .lock.yml outputs with strict enabled.

Show a summary per file

File	Description
pkg/workflow/strict_mode_env_validation.go	Switch env-secret allowlist source to engine-declared supported env var keys.
pkg/workflow/agentic_engine.go	Extend `SecurityProvider` with `GetSupportedEnvVarKeys` and add a `BaseEngine` default.
pkg/workflow/copilot_engine.go	Implement Copilot supported env var keys (including BYOK vars).
pkg/workflow/claude_engine.go	Implement Claude supported env var keys.
pkg/workflow/codex_engine.go	Implement Codex supported env var keys.
pkg/workflow/gemini_engine.go	Implement Gemini supported env var keys.
pkg/workflow/antigravity_engine.go	Implement Antigravity supported env var keys.
pkg/workflow/opencode_engine.go	Implement OpenCode supported env var keys.
pkg/workflow/crush_engine.go	Implement Crush supported env var keys.
pkg/workflow/pi_engine.go	Implement Pi supported env var keys.
pkg/constants/engine_constants.go	Add/export canonical secret-name constants; add `CopilotProviderWireAPI`.
.github/workflows/smoke-claude.md	Remove `strict: false` from smoke workflow frontmatter.
.github/workflows/smoke-claude.lock.yml	Regenerate compiled workflow with strict enabled metadata/env.
.github/workflows/smoke-codex.md	Remove `strict: false` from smoke workflow frontmatter.
.github/workflows/smoke-codex.lock.yml	Regenerate compiled workflow with strict enabled metadata/env.
.github/workflows/smoke-copilot.md	Remove `strict: false` from smoke workflow frontmatter.
.github/workflows/smoke-copilot.lock.yml	Regenerate compiled workflow with strict enabled metadata/env.
.github/workflows/smoke-copilot-arm.md	Remove `strict: false` from smoke workflow frontmatter.
.github/workflows/smoke-copilot-arm.lock.yml	Regenerate compiled workflow with strict enabled metadata/env.
.github/workflows/smoke-copilot-aoai-apikey.md	Remove `strict: false` from smoke workflow frontmatter.
.github/workflows/smoke-copilot-aoai-apikey.lock.yml	Regenerate compiled workflow with strict enabled metadata/env.
.github/workflows/smoke-copilot-aoai-entra.md	Remove `strict: false` from smoke workflow frontmatter.
.github/workflows/smoke-copilot-aoai-entra.lock.yml	Regenerate compiled workflow with strict enabled metadata/env.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 23/23 changed files
Comments generated: 6

+	return []string{
+		"COPILOT_GITHUB_TOKEN",
+		"ANTHROPIC_API_KEY",
+		"CODEX_API_KEY",
+		"OPENAI_API_KEY",
+	}
+}


+	return []string{
+		"COPILOT_GITHUB_TOKEN",
+		"ANTHROPIC_API_KEY",
+		"CODEX_API_KEY",
+		"OPENAI_API_KEY",
+	}
+}


+	return []string{
+		"COPILOT_GITHUB_TOKEN",
+		"ANTHROPIC_API_KEY",
+		"CODEX_API_KEY",
+		"OPENAI_API_KEY",
+	}
+}


+func (e *CopilotEngine) GetSupportedEnvVarKeys() []string {
+	return []string{
+		constants.CopilotGitHubToken,
+		constants.CopilotProviderBaseURL,
+		constants.CopilotProviderAPIKey,


…-false-smoke-workflows # Conflicts: # .github/workflows/smoke-codex.lock.yml # .github/workflows/smoke-copilot-aoai-entra.lock.yml # .github/workflows/smoke-copilot.lock.yml Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-06-25T14:59:35Z

@copilot merge main and recompile

Done — merged main and recompiled all 251 workflows cleanly (0 errors). Commit: chore: merge main and recompile 251 workflows.

pelikhan · 2026-06-25T18:00:57Z

@copilot run pr-finisher skill

…es; add WIRE_API test Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-06-25T18:11:14Z

@copilot run pr-finisher skill

Done. Addressed all copilot-pull-request-reviewer threads: replaced raw string literals with named constants in GetSupportedEnvVarKeys for opencode, crush, pi, gemini, and antigravity engines, and added a COPILOT_PROVIDER_WIRE_API test case to env_secrets_validation_test.go. Commit: refactor: use named constants in GetSupportedEnvVarKeys for all engines; add WIRE_API test.

github-actions · 2026-06-25T18:25:48Z

``
@copilot review all comments.
Please take another look so this can move forward.

Generated by 👨‍🍳 PR Sous Chef · 69.6 AIC · ⌖ 0.989 AIC · ⊞ 17.1K · ◷

Copilot AI and others added 2 commits June 25, 2026 13:30

chore: plan for removing strict: false and updating engine.env algorithm

94ec11e

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

feat: add GetSupportedEnvVarKeys(), update strict-mode allowlist, rem…

14aee84

…ove strict: false from smoke workflows Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI assigned Copilot and pelikhan Jun 25, 2026

Copilot created this pull request from a session on behalf of pelikhan June 25, 2026 14:14 View session

pelikhan reviewed Jun 25, 2026

View reviewed changes

Copilot started work on behalf of pelikhan June 25, 2026 14:26 View session

Copilot finished work on behalf of pelikhan June 25, 2026 14:36

Copilot AI requested a review from pelikhan June 25, 2026 14:36

pelikhan marked this pull request as ready for review June 25, 2026 14:38

Copilot AI review requested due to automatic review settings June 25, 2026 14:38

Copilot started reviewing on behalf of pelikhan June 25, 2026 14:39 View session

Copilot AI reviewed Jun 25, 2026

View reviewed changes

Copilot started work on behalf of pelikhan June 25, 2026 14:48 View session

Copilot AI and others added 2 commits June 25, 2026 14:55

chore: merge main and recompile 251 workflows

d2d649b

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot finished work on behalf of pelikhan June 25, 2026 15:00

Copilot started work on behalf of pelikhan June 25, 2026 18:01 View session

refactor: use named constants in GetSupportedEnvVarKeys for all engin…

6c1be10

…es; add WIRE_API test Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot finished work on behalf of pelikhan June 25, 2026 18:11

pelikhan merged commit 015cc6b into main Jun 25, 2026
29 checks passed

pelikhan deleted the copilot/remove-strict-false-smoke-workflows branch June 25, 2026 18:22

github-actions Bot mentioned this pull request Jun 26, 2026

Suggested test: copilot/engine-env-frontmatter githubnext/gh-aw-test#4074

Closed

Uh oh!

Conversation

Copilot AI commented Jun 25, 2026

New interface method: GetSupportedEnvVarKeys() []string

Constant addition

Smoke workflow cleanup

Uh oh!

pelikhan Jun 25, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Jun 25, 2026

Choose a reason for hiding this comment

Uh oh!

pelikhan Jun 25, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Jun 25, 2026

Choose a reason for hiding this comment

Uh oh!

pelikhan Jun 25, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Jun 25, 2026

Choose a reason for hiding this comment

Uh oh!

pelikhan commented Jun 25, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Copilot's findings

Uh oh!

Uh oh!

Uh oh!

Copilot AI commented Jun 25, 2026

Uh oh!

pelikhan commented Jun 25, 2026

Uh oh!

Copilot AI commented Jun 25, 2026

Uh oh!

Uh oh!

github-actions Bot commented Jun 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

New interface method: `GetSupportedEnvVarKeys() []string`