Ensure Copilot proxy-auth template resolves for PR Sous Chef

[Copilot]

PR Sous Chef was completing its PR nudging work but still failing because the Copilot harness could not resolve the copilot_requests_proxy_auth_403.md diagnostic template at runtime. This change makes the 403 diagnostic path use the checked-in template via the standard runtime prompt lookup so scheduled runs keep the existing billing guidance without relying on an inline fallback.

• Copilot harness template resolution

  • remove the inline 403 fallback path
  • resolve the copilot_requests_proxy_auth_403.md diagnostic through getPromptPath(...)
  • ensure the existing checked-in markdown template is the source of the 403 copilot-requests guidance

• Failure-path hardening

  • restrict the change to the S2STOKENS + proxy HTTP 403 diagnostic branch
  • preserve the existing 401 and non-proxy auth behavior

• Focused regression coverage

  • add harness coverage for 403 template resolution through both GH_AW_PROMPTS_DIR and RUNNER_TEMP
  • verify the resolved prompt path is used with isolated temporary prompt directories

return renderTemplateFromFile(getPromptPath("copilot_requests_proxy_auth_403.md"), {
  selected_model: selectedModel,
  stage,
});

[github-actions]

Hey @Copilot 👋 — thanks for picking up the PR Sous Chef workflow engine failure! The scope is clear and the checklist is a solid plan of attack. Since this is still a WIP draft with no code changes yet, here's what's needed to get it across the finish line:

• Complete the implementation — the PR currently has 0 changed files. The root cause identification and the actual code/workflow fix (checklist items 2–3) are the critical next steps.
• Add tests — the checklist already calls this out. Once the fix is in, tests covering the engine failure scenario (and ideally the recovery path) should be included before marking this ready for review.

If you'd like a hand completing the remaining work, here's a prompt you can assign to your coding agent:

Continue fixing the PR Sous Chef workflow engine failure in github/gh-aw (PR #40623).
1. Inspect the failing workflow run logs and identify the root cause in the engine or workflow code.
2. Make the smallest targeted code or workflow change to prevent the failure from recurring.
3. Add or update focused tests covering the failure scenario and its fix.
4. Run targeted validation (unit tests, secret scan) and confirm no regressions.

Generated by ✅ Contribution Check · 163 AIC · ⌖ 8.26 AIC · ⊞ 5.9K · ◷

[pelikhan]

@copilot remove fallback and ensure that the template file exists and is properly resolved.

[Copilot]

@copilot remove fallback and ensure that the template file exists and is properly resolved.

Addressed in 9817f04.

[github-actions]

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

[github-actions]

✅ Test Quality Sentinel completed test quality analysis.

[github-actions]

✅ Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #40623 does not have the 'implementation' label and has 0 new lines of code (≤100) in business logic directories.

[github-actions]

✅ PR Code Quality Reviewer completed the code quality review.

[Copilot]

Pull request overview

This PR updates the Copilot harness’s gh-aw API proxy HTTP 403 + S2STOKENS diagnostic to load the checked-in copilot_requests_proxy_auth_403.md via the standard runtime prompt lookup (getPromptPath(...)) rather than relying on an inline fallback, and adds regression tests to validate prompt resolution via both GH_AW_PROMPTS_DIR and RUNNER_TEMP.

Changes:

• Switch the proxy 403 copilot-requests diagnostic from a hardcoded on-disk path to getPromptPath("copilot_requests_proxy_auth_403.md").
• Add focused harness tests to verify the 403 template resolves correctly from an explicit prompts dir and via the runtime ${RUNNER_TEMP}/gh-aw/prompts fallback.
• Introduce test helpers to temporarily override GH_AW_PROMPTS_DIR / RUNNER_TEMP and to stage a minimal prompts directory.

Show a summary per file

File	Description
actions/setup/js/copilot_harness.cjs	Uses getPromptPath(...) for the S2STOKENS + proxy HTTP 403 diagnostic template resolution.
actions/setup/js/copilot_harness.test.cjs	Adds regression coverage and helper utilities to validate prompt template resolution paths.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 3

[github-actions]

🧪 Test Quality Sentinel Report

✅ Test Quality Score: 90/100 — Excellent

Analyzed 4 test(s) in actions/setup/js/copilot_harness.test.cjs: 4 design, 0 implementation, 0 guideline violation(s).

📊 Metrics & Test Classification (4 tests analyzed)

Metric	Value
New/modified tests analyzed	4
✅ Design tests (behavioral contracts)	4 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	4 (100%)
Duplicate test clusters	0
Test inflation detected	YES (117 additions vs. 7 in production, ratio 16.7:1)
🚨 Coding-guideline violations	0

Test	File	Classification	Issues Detected
"rewrites local proxy 403 errors in copilot-requests mode to org-billing guidance"	copilot_harness.test.cjs:1022	✅ Design	—
"treats truthy S2STOKENS values as copilot-requests mode for 403 guidance"	copilot_harness.test.cjs:1040	✅ Design	—
"resolves the 403 guidance template from the runtime prompts directory"	copilot_harness.test.cjs:1053	✅ Design	—
"resolves the 403 guidance template from RUNNER_TEMP when GH_AW_PROMPTS_DIR is unset"	copilot_harness.test.cjs:1084	✅ Design	—

Go: 0; JavaScript: 4 (*.test.cjs). No other languages detected.

Note on inflation: The 16.7:1 line-addition ratio is partly explained by the production file being simplified (−25 lines removed, +7 added) while the test file added three reusable environment-isolation helpers (withTestPromptsDir, withRunnerTemp, withTemporaryPromptTemplate) alongside two new behavioral tests. The helpers account for ~50 of the 117 added lines, making the effective test-to-production content ratio much lower.

Verdict

✅ Check passed. 0% implementation tests (threshold: 30%). All four tests verify observable behavior — the content of diagnostic output strings, template path resolution from GH_AW_PROMPTS_DIR, and fallback resolution from RUNNER_TEMP/gh-aw/prompts/. No mocks of internal business logic; no Go files; no build-tag or assertion-message violations.

🧪 Test quality analysis by Test Quality Sentinel · 60.4 AIC · ⊞ 8.3K · ◷

[github-actions]

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 4 tests verify observable behavioral contracts: diagnostic output content, template path resolution from GH_AW_PROMPTS_DIR, and fallback resolution from RUNNER_TEMP.

[github-actions]

Skills-Based Review 🧠

Applied /diagnose and /tdd — approving with suggestions. The fix correctly removes the compile-time __dirname path and routes through getPromptPath(). The test additions directly validate both runtime lookup branches.

📋 Key Themes & Highlights

Key Themes

• Correctness gap: getPromptPath() now throws when neither GH_AW_PROMPTS_DIR nor RUNNER_TEMP is set — the old constant never threw. Worth adding a try/catch fallback for defensive robustness.
• Test fragility: promptsSourceDir = path.resolve("../md") is CWD-relative; path.resolve(__dirname, "../md") is safer.
• Reusability: withTemporaryPromptTemplate hardcodes the template filename; a small generalisation would let future tests reuse it.
• Mock over-specification: the vi.fn mock reimplements the template engine unnecessarily — a simple sentinel return would keep the test focused on path-resolution.

Positive Highlights

• ✅ Root cause correctly identified and addressed — compile-time path → runtime getPromptPath() lookup.
• ✅ options.renderTemplateFromFile injection is clean DI — no test-framework magic required.
• ✅ Two new tests cover both runtime lookup branches (GH_AW_PROMPTS_DIR and RUNNER_TEMP/gh-aw/prompts) with isolated temp dirs and proper cleanup.
• ✅ withTestPromptsDir / withRunnerTemp helpers are clean bracket-style env fixtures with reliable restore-on-throw behaviour.
• ✅ Net production delta is tiny (6 additions, 5 deletions), regression test surface is proportionally large (+121/-18).

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 85.4 AIC · ⌖ 9.29 AIC · ⊞ 6.9K

[github-actions]

[/diagnose] getPromptPath() throws if neither GH_AW_PROMPTS_DIR nor RUNNER_TEMP is set — the old hardcoded __dirname constant never threw. In normal GitHub Actions runs RUNNER_TEMP is always present, but if either variable is missing for any reason the harness will crash here instead of returning a graceful empty diagnostic.

💡 Suggested guard

let templatePath;
try {
  templatePath = getPromptPath(COPILOT_REQUESTS_PROXY_AUTH_403_TEMPLATE_NAME);
} catch {
  // RUNNER_TEMP not set — skip the 403 template diagnostic
  return "";
}
return render(templatePath, { selected_model: selectedModel, stage });

Alternatively, define a safeGetPromptPath helper that returns null on failure so the guard is reusable across branches.

[github-actions]

[/tdd] path.resolve("../md") is CWD-relative — it resolves correctly when vitest runs from actions/setup/js/ (the package.json root), but breaks if tests are ever invoked from a different working directory. Anchoring to __dirname is more robust.

💡 Suggested fix

const promptsSourceDir = path.resolve(__dirname, "../md");

__dirname is always the directory of this .cjs file (actions/setup/js/), so the path resolves correctly regardless of where vitest is invoked.

[github-actions]

[/tdd] withTemporaryPromptTemplate hardcodes copilot_requests_proxy_auth_403.md, making this utility unusable for future template tests. A templateName parameter would cost nothing and allow reuse.

💡 Suggested signature

function withTemporaryPromptTemplate(prefix, sourceTemplateDir, templateName, promptDirResolver, callback) {
  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), prefix));
  try {
    const promptsDir = promptDirResolver(tempDir);
    fs.mkdirSync(promptsDir, { recursive: true });
    fs.copyFileSync(
      path.join(sourceTemplateDir, templateName),
      path.join(promptsDir, templateName)
    );
    return callback(tempDir, promptsDir);
  } finally {
    fs.rmSync(tempDir, { recursive: true, force: true });
  }
}

Call sites would pass "copilot_requests_proxy_auth_403.md" as the third argument.

[github-actions]

[/tdd] The vi.fn mock reimplements a simplified template engine using .replace("{selected_model}", ...). Since renderTemplate does use {key} syntax this happens to be correct, but it creates an implicit contract between the mock and the real implementation. The key assertion here is toHaveBeenCalledWith (verifying path resolution) — the content checks are already covered by the non-mock 403 tests above.

💡 Simpler alternative

Return a predictable sentinel string so the mock remains honest about its scope:

const renderTemplateFromFile = vi.fn(() => "mock-render-result");
// ...
expect(renderTemplateFromFile).toHaveBeenCalledWith(
  path.join(runtimePromptsDir, "copilot_requests_proxy_auth_403.md"),
  { selected_model: "claude-sonnet-4.5", stage: "starting the Copilot CLI request" }
);
// content correctness is already asserted in the earlier non-mock 403 tests

[pelikhan]

@copilot
run pr-finisher skill