Summary
The mcpg DIFC proxy is not GitHub Enterprise Cloud data-residency (*.ghe.com) aware. On a *.ghe.com tenant, the proxy forwards gh api calls to the wrong GitHub API host, so requests routed through it fail even though the proxy itself comes up healthy and reports CLI proxy ready on port 18443.
This is the root cause of github/gh-aw#41225, where the AWF firewall's awf-cli-proxy sidecar liveness probe (gh api rate_limit through the DIFC proxy) fails with diagnosis=unknown — meaning the proxy is reachable but the forwarded API call returns an unexpected (HTTP error) result.
Environment
- gh-aw v0.80.9/v0.81.2; firewall v0.27.7/0.27.9; mcpg v0.3.27/v0.3.29
- Standard GitHub-hosted ubuntu-24 runner
- GitHub Enterprise Cloud, data residency (*.ghe.com)
- engine: copilot (org-billed inference)
Root cause (suspected)
The DIFC proxy is launched by actions/setup/sh/start_difc_proxy.sh with a curated environment. Workflow-level GH_HOST / GITHUB_HOST / GITHUB_ENTERPRISE_HOST never reach it (confirmed by the reporter), and the proxy does not appear to derive the enterprise API host from GITHUB_SERVER_URL. As a result the forwarded gh api rate_limit resolves/targets api.github.com instead of the tenant's *.ghe.com API host and fails.
Proposed fix
Make the DIFC proxy enterprise-host-aware:
- Derive the target GitHub API host from GITHUB_SERVER_URL (e.g. https://<tenant>.ghe.com → API base https://<tenant>.ghe.com/api/v3 and the tenant Copilot endpoint), rather than assuming github.com.
- Ensure start_difc_proxy.sh propagates the enterprise host into the curated env it builds for the proxy.
- Verify token steering targets the tenant-specific Copilot endpoint on data-residency tenants.
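The host derivation proposed in the first item, as an added Go example (not mcpg's own code). The function names are hypothetical; treating any host other than github.com as GHES-style `/api/v3` is an assumption, and the sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// APIBaseFromServerURL derives the REST API base the proxy should forward
// gh api calls to, from the GITHUB_SERVER_URL value the runner provides:
//   https://github.com       -> https://api.github.com
//   https://<tenant>.ghe.com -> https://<tenant>.ghe.com/api/v3
//   any other https host     -> https://<host>/api/v3 (GHES-style; assumption)
// An empty value falls back to github.com, the behaviour the issue describes.
func APIBaseFromServerURL(serverURL string) (string, error) {
	s := strings.TrimSpace(serverURL)
	if s == "" {
		return "https://api.github.com", nil
	}
	u, err := url.Parse(s)
	if err != nil {
		return "", fmt.Errorf("GITHUB_SERVER_URL %q: %w", serverURL, err)
	}
	h := strings.ToLower(u.Hostname())
	if u.Scheme != "https" || h == "" {
		return "", errors.New("GITHUB_SERVER_URL must be an https URL with a host")
	}
	if h == "github.com" || h == "www.github.com" {
		return "https://api.github.com", nil
	}
	// u.Host keeps an explicit port, if the server URL carried one.
	return "https://" + strings.ToLower(u.Host) + "/api/v3", nil
}

// IsDataResidencyTenant reports whether the server URL names a GitHub
// Enterprise Cloud data-residency tenant (*.ghe.com), the case in this issue.
func IsDataResidencyTenant(serverURL string) bool {
	u, err := url.Parse(strings.TrimSpace(serverURL))
	if err != nil {
		return false
	}
	return strings.HasSuffix(strings.ToLower(u.Hostname()), ".ghe.com")
}

func main() {
	// Constructed sample values, not taken from a real tenant.
	for _, s := range []string{"https://github.com", "https://octo.ghe.com", ""} {
		base, err := APIBaseFromServerURL(s)
		fmt.Printf("%-24q tenant=%-5v api=%s err=%v\n", s, IsDataResidencyTenant(s), base, err)
	}
}
```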
Acceptance
- On a *.ghe.com tenant, gh api rate_limit forwarded through the DIFC proxy returns 2xx.
- The AWF awf-cli-proxy liveness probe succeeds and the agent is invoked.
Companion issues
This is tracked across three repositories:
- awf-cli-proxy probe diagnostics: replace opaque diagnosis=unknown with the actual HTTP status/body
- Original report: github/gh-aw#41225
- Related: github/gh-aw#21407, github/gh-aw-firewall#1300