Refactor Azure OIDC provider to inherit shared token lifecycle from BaseOidcTokenProvider #3243

Merged
lpcox merged 2 commits into main from copilot/fix-duplicate-code-oidc-token-provider on May 16, 2026

Copilot AI commented May 15, 2026

OidcTokenProvider (Azure) had drift-prone duplicated lifecycle logic (initialize, readiness checks, shutdown, refresh scheduling, retry/sleep/state) already centralized in BaseOidcTokenProvider. This change aligns Azure with AWS/GCP by moving Azure onto the same base lifecycle path and keeping only Azure-specific token exchange behavior.

  • Lifecycle consolidation

    • OidcTokenProvider now extends BaseOidcTokenProvider (super('oidc', config)).
    • Removed duplicated lifecycle methods/state from Azure provider:
      • initialize(), isReady(), shutdown(), _scheduleRefresh(), _sleep()
      • duplicate retry/init/timer fields now owned by base.
  • Azure-specific logic preserved via base hooks

    • Implemented base extension points in Azure provider:
      • _doRefresh() → delegates to existing _refreshToken()
      • _getCachedValue() → returns _cachedToken
      • _getInitSuccessLogContext() / _getInitFailureLogContext() for Azure log fields.
    • Existing GitHub OIDC mint + Azure token exchange flow remains unchanged.
  • Behavioral guard for shutdown semantics

    • Added a focused regression test to assert no emergency refresh is triggered after shutdown().

```js
class OidcTokenProvider extends BaseOidcTokenProvider {
  constructor(config) {
    super('oidc', config);
    this._cachedToken = null;
  }

  async _doRefresh() { await this._refreshToken(); }
  _getCachedValue() { return this._cachedToken; }
}
```

Copilot AI changed the title from "[WIP] Fix duplicate code in OidcTokenProvider lifecycle methods" to "Refactor Azure OIDC provider to inherit shared token lifecycle from BaseOidcTokenProvider" May 15, 2026
Copilot finished work on behalf of lpcox May 15, 2026 23:30
Copilot AI requested a review from lpcox May 15, 2026 23:30
@lpcox lpcox marked this pull request as ready for review May 15, 2026 23:43
@lpcox lpcox requested a review from Mossaka as a code owner May 15, 2026 23:43
Copilot AI review requested due to automatic review settings May 15, 2026 23:43

Copilot AI left a comment

Pull request overview

This PR refactors the Azure OIDC token provider to reuse the shared BaseOidcTokenProvider lifecycle used by other OIDC providers, reducing duplicated initialization, shutdown, readiness, retry, and refresh scheduling logic.

Changes:

  • Makes Azure OidcTokenProvider extend BaseOidcTokenProvider.
  • Keeps Azure-specific token exchange and cached-token behavior behind base lifecycle hooks.
  • Adds a regression test covering shutdown behavior before emergency refresh.

| File | Description |
| --- | --- |
| containers/api-proxy/oidc-token-provider.js | Refactors Azure OIDC provider to inherit shared lifecycle behavior and implement Azure-specific hooks. |
| containers/api-proxy/oidc-token-provider.test.js | Adds coverage ensuring getToken() after shutdown does not trigger a refresh. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0
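
The lifecycle-with-hooks shape and the shutdown guard described in the two comments above, as an added sketch that is not code from this PR or its repository. The class names, the `refreshMs` field, the empty-cache trigger for the emergency refresh and the constructed token strings are assumptions; only the hook and method names come from the PR text.

```javascript
// Added sketch. SketchLifecycleBase is a hypothetical stand-in for the shared
// base class; only the hook and method names are taken from the PR text.
class SketchLifecycleBase {
  constructor(name, config) {
    this.name = name;
    this._refreshMs = config.refreshMs; // hypothetical config field
    this._timer = null; this._stopped = false;
  }
  async initialize() { await this._doRefresh(); this._scheduleRefresh(); }
  isReady() { return !this._stopped && this._getCachedValue() !== null; }
  _scheduleRefresh() {
    if (this._stopped) return; // an in-flight refresh must not re-arm the timer
    this._timer = setTimeout(async () => {
      try { await this._doRefresh(); } catch (_) { /* keep the old token */ }
      this._scheduleRefresh();
    }, this._refreshMs);
    this._timer.unref(); // do not keep the process alive for a pending refresh
  }
  shutdown() { this._stopped = true; clearTimeout(this._timer); this._timer = null; }
  async getToken() {
    const cached = this._getCachedValue();
    if (cached !== null || this._stopped) return cached; // guard under test
    await this._doRefresh(); // emergency refresh (assumed trigger: empty cache)
    return this._getCachedValue();
  }
}
// Provider subclass: supplies only the hooks, as in the PR description.
class SketchAzureProvider extends SketchLifecycleBase {
  constructor(config) { super('oidc', config); this._cachedToken = null; this.refreshCalls = 0; }
  async _doRefresh() { await this._refreshToken(); }
  _getCachedValue() { return this._cachedToken; }
  async _refreshToken() { // stand-in for the OIDC mint + Azure token exchange
    this.refreshCalls += 1;
    this._cachedToken = `constructed-token-${this.refreshCalls}`;
  }
}
// Regression scenario: getToken() after shutdown() must not call _doRefresh().
async function runScenario() {
  const p = new SketchAzureProvider({ refreshMs: 60000 });
  await p.initialize();                     // refresh #1, timer armed
  p._cachedToken = null;                    // simulate an expired token
  const emergency = await p.getToken();     // refresh #2
  p.shutdown();
  p._cachedToken = null;
  const afterShutdown = await p.getToken(); // must not refresh
  return { emergency, afterShutdown, refreshCalls: p.refreshCalls, ready: p.isReady(), timer: p._timer };
}
runScenario().then((r) => console.log(r));
```

The counter staying at 2 after the final `getToken()` is the property the regression test asserts: a provider that has been shut down stops minting credentials even when its cache is empty.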

@github-actions github-actions Bot mentioned this pull request May 15, 2026
@github-actions

🔬 Smoke Test: Copilot BYOK (Offline) Mode

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ❌ GitHub MCP returned 401 (token scope issue in this run) |
| GitHub.com HTTP connectivity | ⚠️ Pre-step data not injected (template vars unexpanded) |
| File write/read | ⚠️ Pre-step data not injected (template vars unexpanded) |
| BYOK inference (this response) | ✅ Agent responded via api-proxy → api.githubcopilot.com |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: FAIL — workflow template variables (${{ steps.smoke-data.outputs.* }}) were not expanded before agent invocation; pre-computed test data was unavailable.

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions

🔬 Smoke Test Results

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ❌ 401 Bad credentials |
| GitHub.com HTTP connectivity | ❌ Template vars not expanded (${{ steps.smoke-data.outputs.SMOKE_HTTP_CODE }}) |
| File write/read | ❌ Template vars not expanded |

Overall: FAIL — Pre-step outputs were not substituted into the workflow prompt. The smoke-data step likely did not run or its outputs were not passed to this job.

📰 BREAKING: Report filed by Smoke Copilot

@github-actions

Smoke Test Results

Test 1 - GitHub API: FAIL (HTTP 401: authentication unavailable in sandbox)
Test 2 - Playwright: PASS (GitHub title confirmed)
Test 3 - File Verify: PASS (smoke-test file exists and valid)

Overall: PARTIAL (2/3 passed)

💥 [THE END] — Illustrated by Smoke Claude

@github-actions

Smoke Test

PRs: fix: use gh CLI for reliable API access in issue duplication detector; Codex: remove openai-proxy env_key requirement in postprocessed lock workflows
GitHub MCP: ❌
SafeInputs GH: ❌
Playwright: ✅
Tavily: ❌
File/Bash: ✅
Discussion: ❌
Build: ✅
Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
```

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions

Chroot Smoke Test Results

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | |
| Node.js | v24.15.0 | v20.20.2 | |
| Go | go1.22.12 | go1.22.12 | |

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

@github-actions

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3243

@github-actions

Smoke Test: Gemini Engine Validation

  • PR 1: ❌ (Tools for reading PRs not found)
  • PR 2: ❌ (Tools for reading PRs not found)
  • Connectivity (github.com): ❌ (SSL Error 35)
  • File Writing: ✅
  • Bash Tool: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "localhost"
```

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions

Smoke Test: GitHub Actions Services Connectivity

| Check | Result |
| --- | --- |
| Redis PING | ❌ Timeout/no response |
| PostgreSQL pg_isready | ❌ No response |
| PostgreSQL SELECT 1 | ❌ No response |

Overall: FAIL. host.docker.internal is not reachable from this environment. Service containers (Redis on 6379, PostgreSQL on 5432) are not accessible.

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit b0e16b4 into main May 16, 2026
67 of 75 checks passed
@lpcox lpcox deleted the copilot/fix-duplicate-code-oidc-token-provider branch May 16, 2026 00:07

Development

Successfully merging this pull request may close these issues.

[Duplicate Code] OidcTokenProvider (Azure) duplicates BaseOidcTokenProvider lifecycle methods
