feat: add GitHub Copilot CLI support #265
chaodu-agent
left a comment
PR #265 Review — feat: add GitHub Copilot CLI support
1. What problem does this solve?
OpenAB currently supports Kiro CLI, Claude Code, Codex, and Gemini as agent backends but lacks GitHub Copilot CLI. Since Copilot CLI has had native ACP support in public preview (Jan 28, 2026) via copilot --acp --stdio over stdio JSON-RPC — fully compatible with OpenAB's existing architecture — this PR adds it as the fifth backend option. Closes #19.
2. How does it solve it?
Three files, +59/-2, clean and focused:
- Dockerfile.copilot (new) — Multi-stage build: Rust build stage + node:22-bookworm-slim runtime. Installs Copilot CLI via official install script, plus gh CLI for auth management. Follows the same pattern as Dockerfile.claude/Dockerfile.codex.
- README.md (modified) — Adds Copilot CLI to the intro, features list, agent backends table, Helm example, and manual config section.
- config.toml.example (modified) — Adds a commented-out Copilot config block.
3. Were alternatives considered?
The PR body mentions two auth paths:
- GITHUB_TOKEN env var (headless — explicitly noted as not fully validated yet)
- OAuth device flow via gh auth login (one-time, persisted via PVC)
The author chose to ship the infrastructure first and track auth validation as a follow-up — a reasonable phased approach.
4. Is this the best approach? — Issues & Suggestions
🔴 Security — curl | bash install pattern
RUN curl -fsSL https://gh.io/copilot-install | bash
Piping a remote script directly into bash with no checksum verification. If gh.io is compromised or the CDN has issues, the build could be injected. Recommend at least pinning a version or adding hash verification — consistent with how gh CLI is installed below using a GPG keyring.
🟡 Multiple [agent] blocks in README may mislead
The manual config section in README now lists five [agent] blocks (Kiro, Claude, Codex, Gemini, Copilot), but TOML only allows one section with the same name. While these are examples, newcomers might paste them all in. Suggest adding a comment clarifying only one can be active at a time, or using distinct section keys.
🟡 Risk of merging with unvalidated auth
The testing checklist in the PR body is entirely unchecked, and headless GITHUB_TOKEN auth is explicitly noted as unvalidated. If merged as-is, users following the docs will hit a wall. Recommend at least verifying the Docker build succeeds and copilot --acp --stdio can start before merging, or adding an ⚠️ Experimental label in the README.
🟢 Dockerfile quality is solid
- Cargo dependency caching (copy Cargo.toml/lock first, dummy build, then copy src) ✅
- --no-install-recommends + apt cache cleanup ✅
- Non-root user (node) ✅
- HEALTHCHECK ✅
Overall: A well-structured PR that follows existing patterns. Main risks are the curl | bash security concern and unvalidated auth. Recommend addressing those before merging.
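The hash verification recommended in the review above, as an added example that is not part of the PR or the project's own code: the installer is downloaded to a file, checked against a pinned SHA-256, and executed only on a match. The function names are hypothetical and the pinned hash is a placeholder, since the page gives no hash for the install script.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a pinned SHA-256
# before running it, instead of piping curl straight into bash.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED -> 0 on match, 1 on mismatch or malformed pin
verify_pinned() {
    file=$1; expected=$2
    # Reject an empty or malformed pin so an unset build arg cannot pass.
    case $expected in
        ''|*[!0-9a-f]*) echo "invalid pin" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "invalid pin length" >&2; return 1; }
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 1
    fi
}

# fetch_verify_run URL EXPECTED -> runs the script only if the digest matches
fetch_verify_run() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 1
    # -f makes HTTP errors fail the step instead of saving an error page.
    if curl -fsSL -o "$tmp" "$url" && verify_pinned "$tmp" "$expected"; then
        bash "$tmp"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# In a Dockerfile RUN step (the hash is a placeholder, taken from a reviewed copy):
# fetch_verify_run https://gh.io/copilot-install "<PINNED_SHA256_OF_REVIEWED_SCRIPT>"
```

A pinned digest fails the build whenever the upstream script changes, so the pin has to be updated after each review of a new installer version.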
- Add docs/copilot.md with full setup guide: architecture, config, Docker build, K8s auth (device flow), Helm install, verified capabilities table (8 models, 3 modes), and known limitations
- Add commented-out Copilot block to config.toml.example

Our docs include verified E2E test results (initialize, session/new, session/prompt all confirmed working with v1.0.24) — openabdev#265 has empty test checkboxes.

- Add Dockerfile.copilot with Copilot CLI + gh CLI install
- Add Copilot CLI config block to config.toml.example
- Update README.md with Copilot CLI in agent table, Helm example, and manual config example

Closes openabdev#19

- Replace curl|bash with npm install for Copilot CLI (security)
- Add note that only one [agent] block can be active at a time
- Add experimental warning for Copilot auth
990a738 to 5d3c1d0
Tested this locally on OrbStack k3s — built the image, deployed alongside the existing Kiro agent via Helm, and got it working end-to-end. A few things I ran into:

1. The example shows
# env = {} # Auth via: kubectl exec -it <pod> -- gh auth login -p https -w

2. Copilot Free does not include CLI/ACP access
I initially authed with an account that had Copilot Free and got:
The Prerequisites section says "an active Copilot subscription" but should explicitly state Copilot Pro, Pro+, Business, or Enterprise — Free tier does not work.

3. Helm example missing
The

Update: All items addressed in
- Remove misleading GITHUB_TOKEN env var from config.toml.example, replace with device flow comment
- Update docs/copilot.md prerequisites: Free tier does not include CLI/ACP access, require Pro/Pro+/Business/Enterprise
- Add persistence.enabled=true to Helm example (token lost on restart)
- Add note that GHCR image is not published yet, build locally
- Clean up Configuration section to remove unvalidated GITHUB_TOKEN
Thanks for the thorough testing @thepagent 🙏 All 4 items addressed in
thepagent
left a comment
Verified end-to-end on local OrbStack k3s — Copilot CLI agent runs side-by-side with Kiro, device flow auth works, and all feedback items addressed. Ship it 🚀
* feat: add GitHub Copilot CLI support

- Add Dockerfile.copilot with Copilot CLI + gh CLI install
- Add Copilot CLI config block to config.toml.example
- Update README.md with Copilot CLI in agent table, Helm example, and manual config example

Closes openabdev#19

* fix: address PR review feedback

- Replace curl|bash with npm install for Copilot CLI (security)
- Add note that only one [agent] block can be active at a time
- Add experimental warning for Copilot auth

* docs: add Copilot CLI agent backend guide

* docs: add env config with unvalidated warning to copilot guide

* fix: address thepagent review feedback on PR openabdev#265

- Remove misleading GITHUB_TOKEN env var from config.toml.example, replace with device flow comment
- Update docs/copilot.md prerequisites: Free tier does not include CLI/ACP access, require Pro/Pro+/Business/Enterprise
- Add persistence.enabled=true to Helm example (token lost on restart)
- Add note that GHCR image is not published yet, build locally
- Clean up Configuration section to remove unvalidated GITHUB_TOKEN

---------

Co-authored-by: chaodu-agent <chaodu-agent@users.noreply.github.com>
Summary
Add GitHub Copilot CLI as a supported agent backend with a separate Docker image.
Copilot CLI has native ACP support (public preview since Jan 28, 2026) via copilot --acp --stdio over stdio JSON-RPC — fully compatible with OpenAB's existing architecture.

Closes #19
Changes
1. Dockerfile.copilot (new)
- node:22-bookworm-slim runtime
- npm install -g @github/copilot@1 (pinned major version, consistent with Claude/Codex/Gemini Dockerfiles)
- gh CLI for auth management
- Dockerfile.claude and Dockerfile.codex

2. config.toml.example
Added commented-out Copilot CLI config block:

3. README.md
- [agent] block can be active at a time

4. docs/copilot.md (new)
Full setup guide covering architecture, configuration, Docker build, Helm install, model selection, and known limitations.
Architecture
Authentication
Copilot CLI uses GitHub OAuth — same mechanism as Kiro CLI. Authentication is a post-deploy user action, following the same device flow pattern as all other agent backends:
kubectl exec -it deployment/openab-copilot -- gh auth login --hostname github.com -p https -w
kubectl rollout restart deployment/openab-copilot

The token is persisted via PVC across pod restarts. Full details documented in docs/copilot.md and docs/gh-auth-device-flow.md.
Testing
- copilot --acp --stdio with JSON-RPC client
- docker build -f Dockerfile.copilot -t openab-copilot .
- agents.copilot values