CLI proxy: GH_HOST=localhost:18443 in $GITHUB_ENV breaks `gh --repo` in user-defined steps

[lpcox]

Summary

The DIFC proxy setup script (start_difc_proxy.sh in gh-aw) writes GH_HOST=localhost:18443 to $GITHUB_ENV. This persists to user-defined steps: blocks that run on the runner (outside AWF's container). Any gh command using an explicit --repo flag then treats the proxy as a GHES instance, attempts an enterprise version check, and fails with:

malformed version: 

Upstream issue: github/gh-aw#35264

Why AWF is involved

AWF already solves this problem inside the agent container — src/services/agent-environment/github-actions-environment.ts (lines 18-23) strips the proxy-rewritten GH_HOST or replaces it with the real hostname derived from GITHUB_SERVER_URL. But user-defined steps: run directly on the runner, outside the container, so they still see the poisoned GH_HOST from $GITHUB_ENV.

The CLI proxy service (src/services/cli-proxy-service.ts) currently requires GH_HOST=localhost:${difcProxyPort} for TLS certificate SAN matching — gh needs to connect to the proxy with a hostname that matches its self-signed cert.

Proposed solution

Stop relying on GH_HOST to route gh CLI traffic through the proxy. Instead:

1. Use gh's --hostname or GH_HOST only inside the cli-proxy container (where it's scoped), not at the runner job level via $GITHUB_ENV.

2. Route via GITHUB_API_URL / GITHUB_GRAPHQL_URL — start_difc_proxy.sh already sets these to point at the proxy. The gh CLI uses these for API calls. The version-check issue only triggers when GH_HOST is set to a non-github.com value AND --repo is used (because gh resolves the host for the repo and does a GHES version probe).

3. If GH_HOST must be written to $GITHUB_ENV (for non---repo cases on GHES), write the real hostname (e.g., github.com or the GHES FQDN), not localhost:18443. The proxy routing should be handled entirely via GITHUB_API_URL/GITHUB_GRAPHQL_URL environment variables.

4. Alternatively, implement a /api/v3/meta endpoint on the DIFC proxy that returns a valid version response, so gh's GHES version check doesn't fail. This is more of a workaround than a proper fix.

Affected files

• src/services/cli-proxy-service.ts — CLI proxy configuration (uses GH_HOST for cert SAN matching)
• src/services/agent-environment/github-actions-environment.ts — Already strips proxy GH_HOST inside container
• containers/cli-proxy/server.js — CLI proxy server implementation

Scope note

The primary fix for start_difc_proxy.sh writing to $GITHUB_ENV belongs in gh-aw (the setup action script). However, if the CLI proxy's TLS cert SAN strategy is changed (option 2/3 above), that change lives here in gh-aw-firewall.

[github-actions]

👋 Hello! I noticed this issue is related to some previously closed issues:

• GH_HOST passthrough from proxy environment breaks gh pr checkout inside container #1492 — GH_HOST passthrough from proxy environment breaks gh pr checkout inside container — Same root cause (proxy-rewritten GH_HOST poisoning gh CLI behavior), resolved by normalizing GH_HOST inside the agent container from GITHUB_SERVER_URL.
• [awf] cli/docker-manager: gh pr checkout fails when GH_HOST inherits proxy value in agent environment #1496 — [awf] cli/docker-manager: gh pr checkout fails when GH_HOST inherits proxy value in agent environment — Same root cause; proposed and implemented the GH_HOST override from GITHUB_SERVER_URL inside the container.

Your issue is distinct in scope — those issues addressed the problem inside the AWF agent container, while this one targets user-defined steps: on the runner that still see the poisoned GH_HOST written to $GITHUB_ENV by the DIFC proxy setup script. The fix noted in those issues doesn't help here since user steps run outside the container.

If the prior issues provide useful context for the proposed solution (routing via GITHUB_API_URL/GITHUB_GRAPHQL_URL instead of GH_HOST), they may be worth referencing.

This is an automated message from the issue duplication detector.

Generated by Issue Duplication Detector for issue #3937 · sonnet46 740.2K · ◷