Fix

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

Author: RomanNikitenko

code/extensions/che-api/src/api/github-service.ts

@@ -34,4 +34,7 @@ export interface GithubService {
 
     getUser(): Promise<GithubUser>;
     getTokenScopes(token: string): Promise<string[]>;
+
+    /** True when the active token comes from the device-authentication secret (OAuth), not a workspace PAT. */
+    isDeviceAuthToken(): Promise<boolean>;
 }

code/extensions/che-api/src/impl/github-service-impl.ts

@@ -67,6 +67,10 @@ export class GithubServiceImpl implements GithubService {
     return result.scopes;
   }
 
+  async isDeviceAuthToken(): Promise<boolean> {
+    return (await this.getDeviceAuthToken()) !== undefined;
+  }
+
   private async fetchGithubUser(token: string): Promise<{ user: GithubUser; scopes: string[] }> {
     try {
       this.logger.info('Github Service: fetching GitHub user using fetch...');

code/extensions/che-github-authentication/src/github.ts

@@ -17,7 +17,7 @@ import type { DeviceAuthentication } from './device-authentication';
 import { ErrorHandler } from './error-handler';
 import { ExtensionContext } from './extension-context';
 import { Logger } from './logger';
-import { arrayEquals, getMatchingHydrationScopeBundles, hasAllScopes, isUnauthorizedError } from './utils';
+import { getMatchingHydrationScopeBundles, hasAllScopes, isUnauthorizedError, isWorkspacePatSession, sessionMatchesRequestedScopes, WORKSPACE_PAT_SCOPE } from './utils';
 
 export interface GithubUser {
   login: string;
@@ -32,6 +32,7 @@ export interface GithubService {
   removeDeviceAuthToken(): Promise<void>;
   getUser(): Promise<GithubUser>;
   getTokenScopes(token: string): Promise<string[]>;
+  isDeviceAuthToken(): Promise<boolean>;
 }
 
 @injectable()
@@ -64,8 +65,15 @@ export class GitHubAuthProvider implements vscode.AuthenticationProvider {
     if (sessions.length > 0) {
       try {
         await this.githubService.getTokenScopes(sessions[0].accessToken);
-        this.logger.trace('GitHubAuthProvider: existing session token is valid');
-        return;
+        const isDeviceAuthToken = await this.githubService.isDeviceAuthToken();
+        const sessionsNeedRetag = isDeviceAuthToken
+          ? sessions.some(session => isWorkspacePatSession(session.scopes))
+          : sessions.some(session => !isWorkspacePatSession(session.scopes));
+        if (!sessionsNeedRetag) {
+          this.logger.trace('GitHubAuthProvider: existing session token is valid');
+          return;
+        }
+        this.logger.info('GitHubAuthProvider: re-hydrating sessions to match current token source');
       } catch (error) {
         if (isUnauthorizedError(error)) {
           this.logger.warn('GitHubAuthProvider: existing session token is not valid, clearing sessions');
@@ -95,17 +103,19 @@ export class GitHubAuthProvider implements vscode.AuthenticationProvider {
         return;
       }
 
+      const isDeviceAuthToken = await this.githubService.isDeviceAuthToken();
       const account = { label: githubUser.login, id: githubUser.id.toString() };
       const hydratedSessions = matchingBundles.map(scopes => ({
         id: v4(),
         accessToken: token,
         account,
-        scopes,
+        scopes: isDeviceAuthToken ? scopes : [...scopes, WORKSPACE_PAT_SCOPE],
       }));
 
       await this.storeSessions(hydratedSessions);
       this.sessionChangeEmitter.fire({ added: hydratedSessions, removed: [], changed: [] });
-      this.logger.info(`GitHubAuthProvider: hydrated ${hydratedSessions.length} session(s) from K8s token`);
+      const tokenSource = isDeviceAuthToken ? 'device authentication' : 'workspace PAT';
+      this.logger.info(`GitHubAuthProvider: hydrated ${hydratedSessions.length} session(s) from K8s ${tokenSource}`);
     } catch (error) {
       if (isUnauthorizedError(error)) {
         this.logger.warn('GitHubAuthProvider: hydrate failed, token is not valid');
@@ -121,7 +131,7 @@ export class GitHubAuthProvider implements vscode.AuthenticationProvider {
     const sessions = await this.sessionsPromise;
     const sortedScopes = sessionScopes ? [...sessionScopes].sort() : [];
     const filteredSessions = sortedScopes.length
-      ? sessions.filter(session => arrayEquals([...session.scopes].sort(), sortedScopes))
+      ? sessions.filter(session => sessionMatchesRequestedScopes(session.scopes, sortedScopes))
       : [...sessions];
 
     this.logger.trace(`GitHubAuthProvider: GET sessions - found ${filteredSessions.length} sessions for scopes: ${sessionScopes}`);
@@ -160,14 +170,15 @@ export class GitHubAuthProvider implements vscode.AuthenticationProvider {
     }
 
     const sessions = await this.sessionsPromise;
+    const isDeviceAuthToken = await this.githubService.isDeviceAuthToken();
     const session: vscode.AuthenticationSession = {
       id: v4(),
       accessToken: token,
       account: { label: githubUser.login, id: githubUser.id.toString() },
-      scopes,
+      scopes: isDeviceAuthToken ? scopes : [...scopes, WORKSPACE_PAT_SCOPE],
     };
 
-    const sessionIndex = sessions.findIndex(s => arrayEquals([...s.scopes].sort(), sortedScopes));
+    const sessionIndex = sessions.findIndex(s => sessionMatchesRequestedScopes(s.scopes, sortedScopes));
     const removed: vscode.AuthenticationSession[] = [];
     const updatedSessions = [...sessions];
     if (sessionIndex > -1) {

code/extensions/che-github-authentication/src/utils.ts

@@ -38,6 +38,24 @@ export function hasAllScopes(existingScopes: string[], requestedScopes: string[]
   return requestedScopes.every(scope => existingScopes.includes(scope));
 }
 
+/**
+ * Marker scope on sessions backed by a workspace PAT. Copilot requests exact scope lists and
+ * will not match these sessions; other extensions use superset matching in getSessions.
+ */
+export const WORKSPACE_PAT_SCOPE = 'che:workspace-pat';
+
+export function isWorkspacePatSession(scopes: readonly string[]): boolean {
+  return scopes.includes(WORKSPACE_PAT_SCOPE);
+}
+
+export function sessionMatchesRequestedScopes(sessionScopes: readonly string[], requestedScopes: readonly string[]): boolean {
+  if (isWorkspacePatSession(sessionScopes)) {
+    const tokenScopes = sessionScopes.filter(scope => scope !== WORKSPACE_PAT_SCOPE);
+    return hasAllScopes(tokenScopes, [...requestedScopes]);
+  }
+  return arrayEquals([...sessionScopes].sort(), [...requestedScopes].sort());
+}
+
 /** Scope bundles used by Copilot / github / GHPRI / Agent Host — session keys match vanilla createSession. */
 export const HYDRATION_SCOPE_BUNDLES: readonly string[][] = [
   ['read:user', 'user:email', 'repo', 'workflow', 'project', 'read:org'],

code/extensions/copilot/src/platform/authentication/vscode-node/copilotTokenManager.ts

@@ -21,6 +21,11 @@ import { getAnyAuthSession } from './session';
 //Flag if we've shown message about broken oauth token.
 let shown401Message = false;
 
+/** Workspace PATs cannot be exchanged for a Copilot token; device OAuth is required. */
+function isWorkspacePersonalAccessToken(token: string): boolean {
+	return token.startsWith('ghp_') || token.startsWith('github_pat_');
+}
+
 export class NotSignedUpError extends Error { }
 export class SubscriptionExpiredError extends Error { }
 export class ContactSupportError extends Error { }
@@ -78,12 +83,20 @@ export class VSCodeCopilotTokenManager extends BaseCopilotTokenManager {
 			return { kind: 'failure', reason: 'GitHubLoginFailed' };
 		}
 		if (session) {
+			if (isWorkspacePersonalAccessToken(session.accessToken)) {
+				this._logService.info('Copilot token exchange skipped (workspace PAT cannot be used for Copilot; device authentication is required)');
+				this._telemetryService.sendGHTelemetryErrorEvent('auth.github_login_failed');
+				return { kind: 'failure', reason: 'GitHubLoginFailed' };
+			}
 			// Log the steps by default, but only log actual token values when the log level is set to debug.
 			this._logService.info(`Logged in as ${session.account.label}`);
 			const tokenResult = await this.authFromGitHubToken(session.accessToken, session.account.label);
 			if (tokenResult.kind === 'success') {
 				this._logService.info(`Got Copilot token for ${session.account.label}`);
 				this._logService.info(`Copilot Chat: ${this._envService.getVersion()}, VS Code: ${this._envService.vscodeVersion}`);
+			} else if (tokenResult.kind === 'failure' && (tokenResult.reason === 'ParseFailed' || tokenResult.reason === 'RequestFailed')) {
+				this._logService.info('Copilot token exchange failed (workspace token cannot be exchanged for Copilot token), triggering sign-in flow');
+				return { kind: 'failure', reason: 'GitHubLoginFailed' };
 			}
 			return tokenResult;
 		} else {

code/src/vs/workbench/contrib/chat/browser/chatSetup/chatSetupContributions.ts

@@ -136,10 +136,29 @@ export class ChatSetupContribution extends Disposable implements IWorkbenchContr
 									panelAgentDisposables.dispose();
 								}
 							}));
+					}
+
+					// Proactively clear panel agents when Copilot reports GitHub login failure
+					// (e.g. workspace PAT cannot be exchanged for a Copilot token)
+					const gitHubLoginFailedKey = 'github.copilot.interactiveSession.gitHubLoginFailed';
+					const checkGitHubLoginFailed = () => {
+						if (this.contextKeyService.getContextKeyValue<boolean>(gitHubLoginFailedKey)) {
+							const panelAgentHasGuidance = chatViewsWelcomeRegistry.get().some(descriptor => this.contextKeyService.contextMatchesRules(descriptor.when));
+							if (panelAgentHasGuidance) {
+								this.logService.error('[chat setup] GitHub login failed detected, clearing panel agent registration to show welcome view.');
+								panelAgentDisposables.dispose();
+							}
 						}
+					};
+					panelAgentDisposables.add(this.contextKeyService.onDidChangeContext(e => {
+						if (e.affectsSome(new Set([gitHubLoginFailedKey]))) {
+							checkGitHubLoginFailed();
+						}
+					}));
+					checkGitHubLoginFailed();
 
-						// Inline Agents
-						disposables.add(SetupAgent.registerDefaultAgents(this.instantiationService, ChatAgentLocation.Terminal, ChatModeKind.Ask, context, controller).disposable);
+					// Inline Agents
+					disposables.add(SetupAgent.registerDefaultAgents(this.instantiationService, ChatAgentLocation.Terminal, ChatModeKind.Ask, context, controller).disposable);
 						disposables.add(SetupAgent.registerDefaultAgents(this.instantiationService, ChatAgentLocation.Notebook, ChatModeKind.Ask, context, controller).disposable);
 						disposables.add(SetupAgent.registerDefaultAgents(this.instantiationService, ChatAgentLocation.EditorInline, ChatModeKind.Ask, context, controller).disposable);
 					}

rebase.sh

@@ -440,6 +440,8 @@ resolve_conflicts() {
       apply_changes_multi_line "$conflictingFile"
     elif [[ "$conflictingFile" == "code/src/vs/workbench/browser/parts/titlebar/commandCenterControl.ts" ]]; then
       apply_changes_multi_line "$conflictingFile"
+    elif [[ "$conflictingFile" == "code/src/vs/workbench/contrib/chat/browser/chatSetup/chatSetupContributions.ts" ]]; then
+      apply_changes_multi_line "$conflictingFile"
     elif [[ "$conflictingFile" == "code/src/vs/workbench/contrib/chat/browser/agentSessions/experiments/agentTitleBarStatusWidget.ts" ]]; then
       apply_changes_multi_line "$conflictingFile"
     elif [[ "$conflictingFile" == "code/src/vs/workbench/contrib/chat/browser/agentSessions/experiments/media/agenttitlebarstatuswidget.css" ]]; then
@@ -486,6 +488,8 @@ resolve_conflicts() {
       apply_code_vs_base_browser_dompurify_d_changes
     elif [[ "$conflictingFile" == "code/src/vs/base/browser/dompurify/dompurify.js" ]]; then
       apply_code_vs_base_browser_dompurify_changes
+    elif [[ "$conflictingFile" == "code/extensions/copilot/src/platform/authentication/vscode-node/copilotTokenManager.ts" ]]; then
+      apply_changes_multi_line "$conflictingFile"
     elif [[ "$conflictingFile" == "code/extensions/markdown-language-features/package.json" ]]; then
       apply_package_changes_by_path "$conflictingFile"
     elif [[ "$conflictingFile" == "code/extensions/mermaid-chat-features/package.json" ]]; then