Refactor OIDC provider tests to share base mock server helper

[Copilot]

✨ Enhancement

The OIDC provider tests duplicated near-identical mock server setup across AWS, GCP, and Azure paths, including the same GitHub /token handler. This change consolidates that shared logic into one helper to reduce drift in a security-sensitive auth test path.

• What does this improve?

  • Removes repeated createMockServer/createMockOidcServer boilerplate across:
    • containers/api-proxy/aws-oidc-token-provider.test.js
    • containers/api-proxy/gcp-oidc-token-provider.test.js
    • containers/api-proxy/oidc-token-provider.test.js
  • Makes future updates to common GitHub OIDC mock behavior one-change, not three.

• Why is this valuable?

  • Lowers maintenance risk for OIDC auth tests by centralizing shared behavior.
  • Keeps provider-specific route behavior explicit and local to each test file.

• Implementation approach:

  • Added containers/api-proxy/test-helpers/mock-oidc-server.js with:
    • createBaseMockServer(handleProviderRoute, handlers)
  • Shared helper now owns:
    • request body collection
    • URL parsing
    • common GitHub /token GET mock response
    • default 404 handling
  • Each provider test now passes only provider-specific route handling callback logic.

// containers/api-proxy/test-helpers/mock-oidc-server.js
function createBaseMockServer(handleProviderRoute, handlers = {}) {
  return http.createServer((req, res) => {
    // shared /token OIDC mock...
    if (url.pathname === '/token' && req.method === 'GET') { /* ... */ return; }

    // provider-specific extension point
    if (handleProviderRoute(url, req, res, handlers, body)) return;

    res.writeHead(404);
    res.end('Not found');
  });
}

[Copilot]

Pull request overview

This PR refactors OIDC provider tests by centralizing shared mock OIDC server behavior into a helper, reducing duplicated GitHub /token mock setup across Azure, AWS, and GCP test paths.

Changes:

• Adds a shared createBaseMockServer helper for common request body collection, GitHub OIDC /token handling, and default 404 behavior.
• Updates AWS, GCP, and Azure OIDC provider tests to provide only provider-specific mock routes.

Show a summary per file

File	Description
containers/api-proxy/test-helpers/mock-oidc-server.js	Adds the shared mock OIDC server helper.
containers/api-proxy/oidc-token-provider.test.js	Uses the helper for Azure token exchange mock routing.
containers/api-proxy/gcp-oidc-token-provider.test.js	Uses the helper for GCP STS and impersonation mock routing.
containers/api-proxy/aws-oidc-token-provider.test.js	Uses the helper for AWS STS mock routing.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 0

[github-actions]

Gemini Engine Smoke Test: FAIL. PR retrieval: ❌. Connectivity: ❌. File/Bash: ✅.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	❌ 401 Bad credentials
GitHub.com HTTP	⚠️ Pre-step data unavailable (template vars not expanded)
File write/read	⚠️ Pre-step data unavailable (template vars not expanded)

Overall: FAIL — GitHub MCP returned 401 and pre-computed step outputs were not substituted into the prompt.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	❌ (401 — GitHub MCP not authenticated in this environment)
GitHub.com HTTP	⚠️ Template vars not expanded (${{ steps.smoke-data.outputs.* }})
File write/read	⚠️ Template vars not expanded
BYOK inference (api-proxy → api.githubcopilot.com)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: FAIL — pre-step template variables were not substituted; smoke-data outputs are literal strings. The BYOK inference path itself is ✅ working.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test Results

• ❌ GitHub API: gh CLI authentication failed (HTTP 401)
• ✅ Playwright: github.com loads successfully, title contains "GitHub"
• ✅ File verify: smoke-test-claude-25863032768.txt readable

Result: 2/3 PASSED (1 failed)

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test

✅ PRs reviewed: fix: skip node --version check under QEMU emulation in agent Dockerfile; fix: remove unused public exports and normalize test-only access
❌ Safe Inputs GH CLI
✅ Playwright title
❌ Tavily search
✅ File write/read
❌ Discussion interaction
✅ Build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3138 · ● 4.2M · ◷

[github-actions]

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.14.1	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Result: Not all tests passed. Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

Smoke Test Results

• Redis PING: ❌ (connection timeout)
• PostgreSQL pg_isready: ❌ (no response)
• PostgreSQL SELECT 1: ❌ (connection timeout)

host.docker.internal resolves to 172.17.0.1 but ports 6379 and 5432 are unreachable. Service containers may not be running or are blocked by the network firewall.

Overall: FAIL

🔌 Service connectivity validated by Smoke Services