Context: GitHub Enterprise Server instance with Copilot Business licensing. Our gh-aw workflows set --copilot-api-target api.business.githubcopilot.com (Business endpoint, not api.enterprise.githubcopilot.com).
History: The original report (#38575) was closed when #5415 merged (AWF v0.27.9), which added copilotTargetRequiresGitHubTokenPrefix() returning true for api.business.githubcopilot.com on *.ghe.com — supposedly our exact scenario. Two earlier partial fixes (#4755 in v0.27.2, #5076 in v0.27.4) only covered api.enterprise.githubcopilot.com and missed this.
Re-tested twice, both fail identically:
- 2026-06-29 → 2026-07-02, native AWF v0.27.13/v0.27.16, every sampled failure showing "400: Authorization header is badly formatted."
- 2026-07-14, fresh
workflow_dispatch test on AWF v0.27.31 (current latest): same signature. Copilot CLI harness exhausts all 4 retries, each returning 400 400 400 Bad Request. Firewall audit confirms the request reaches api.business.githubcopilot.com cleanly (11 allowed / 0 denied — not a domain-block, an application-layer rejection from the real endpoint).
Ask: Please confirm whether copilotTargetRequiresGitHubTokenPrefix()'s current logic actually matches our configuration (GHES + Business licensing + explicit --copilot-api-target), since the symptom is unchanged from before the fix through the current latest release. We currently work around this by pinning AWF to v0.25.55 indefinitely.
Evidence available on request: run IDs, timestamps, redacted logs.
Context: GitHub Enterprise Server instance with Copilot Business licensing. Our gh-aw workflows set
--copilot-api-target api.business.githubcopilot.com(Business endpoint, notapi.enterprise.githubcopilot.com).History: The original report (#38575) was closed when #5415 merged (AWF v0.27.9), which added
copilotTargetRequiresGitHubTokenPrefix()returningtrueforapi.business.githubcopilot.comon*.ghe.com— supposedly our exact scenario. Two earlier partial fixes (#4755 in v0.27.2, #5076 in v0.27.4) only coveredapi.enterprise.githubcopilot.comand missed this.Re-tested twice, both fail identically:
workflow_dispatchtest on AWF v0.27.31 (current latest): same signature. Copilot CLI harness exhausts all 4 retries, each returning400 400 400 Bad Request. Firewall audit confirms the request reachesapi.business.githubcopilot.comcleanly (11 allowed / 0 denied — not a domain-block, an application-layer rejection from the real endpoint).Ask: Please confirm whether
copilotTargetRequiresGitHubTokenPrefix()'s current logic actually matches our configuration (GHES + Business licensing + explicit--copilot-api-target), since the symptom is unchanged from before the fix through the current latest release. We currently work around this by pinning AWF to v0.25.55 indefinitely.Evidence available on request: run IDs, timestamps, redacted logs.