Skip to content

feat(vscode): forward Copilot/gh tokens to Remote-SSH and dev containers#546

Open
DevSecNinja wants to merge 2 commits into
mainfrom
feat/copilot-cli-vscode
Open

feat(vscode): forward Copilot/gh tokens to Remote-SSH and dev containers#546
DevSecNinja wants to merge 2 commits into
mainfrom
feat/copilot-cli-vscode

Conversation

@DevSecNinja

Copy link
Copy Markdown
Owner

Description

Follow-up to #540: make the 1Password → SSH token forwarding work in VS Code too, so copilot and gh are authenticated in the integrated terminal over Remote-SSH and inside dev containers — with no per-repo changes.

VS Code Remote-SSH connects with its own ssh invocation, so it never goes through the interactive copilot_ssh helper. Two centrally-managed pieces close that gap.

Changes

  • home/dot_local/bin/copilot-ssh-proxy.sh — an ssh drop-in for VS Code's remote.SSH.path. For hosts matching COPILOT_SSH_HOST_PATTERN (default svl) it reads the tokens from the 1Password Environment and adds -o SendEnv=…; every other host gets a plain ssh (no spurious 1Password unlock). This gets the tokens into the VS Code Server env → integrated terminals are authenticated.
  • .devcontainer/devcontainer-prebuild.json — bake remoteEnv for COPILOT_GITHUB_TOKEN / GH_TOKEN into the shared dotfiles-devcontainer image metadata, so every repo using the image inherits it (merged per the Dev Container spec) and the tokens reach inside containers with no per-repo devcontainer.json edits. Resolves to empty (harmless) where absent (local/Codespaces).
  • docs/copilot-cli.md — document the VS Code setup and the extension-vs-CLI distinction.
  • tests/bash/copilot-ssh-proxy.bats — matching/non-matching hosts, op-not-called scoping, optional GH_TOKEN, custom pattern, and op-absent fallback.

Manual step (per workstation, not managed here)

// VS Code user settings.json
"remote.SSH.path": "/Users/<you>/.local/bin/copilot-ssh-proxy.sh"

Checklist

  • Linting passes locally (mise exec -- lefthook run pre-commit)
  • Commit messages follow Conventional Commits
  • Documentation updated (docs/copilot-cli.md)

Not urgent — opening for review once you're happy with the stability of copilot_ssh (which you've been exercising day to day).

DevSecNinja and others added 2 commits July 2, 2026 15:26
Make the 1Password token forwarding work in VS Code without per-repo changes:

- copilot-ssh-proxy.sh: an `ssh` drop-in for VS Code's `remote.SSH.path`. For
  hosts matching COPILOT_SSH_HOST_PATTERN (default "svl") it reads the tokens
  from the 1Password Environment and adds `-o SendEnv=...`; all other hosts get
  a plain ssh (no 1Password unlock). This gets the tokens into the VS Code
  Server env so integrated terminals are authenticated.
- devcontainer-prebuild.json: bake `remoteEnv` for COPILOT_GITHUB_TOKEN and
  GH_TOKEN into the shared dotfiles-devcontainer image metadata, so every repo
  using the image inherits it (merged per Dev Container spec) and the tokens
  reach inside dev containers with no per-repo devcontainer.json edits.
- docs/copilot-cli.md: document the VS Code setup and the extension vs CLI
  distinction.
- tests: add tests/bash/copilot-ssh-proxy.bats (matching/non-matching hosts,
  op-not-called scoping, GH_TOKEN-optional, custom pattern, op-absent fallback).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant