Fix

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

fix

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

fix

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

fix start

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

fix

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

fix

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

fix

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

fix

Signed-off-by: Roman Nikitenko <rnikiten@redhat.com>

Author: RomanNikitenko

.rebase/replace/code/extensions/copilot/src/platform/authentication/vscode-node/copilotTokenManager.ts.json

@@ -0,0 +1,6 @@
+[
+	{
+		"from": "\t\t\tif (tokenResult.kind === 'success') {\n\t\t\t\tthis._logService.info(`Got Copilot token for ${session.account.label}`);\n\t\t\t\tthis._logService.info(`Copilot Chat: ${this._envService.getVersion()}, VS Code: ${this._envService.vscodeVersion}`);\n\t\t\t}\n\t\t\treturn tokenResult;",
+		"by": "\t\t\tif (tokenResult.kind === 'success') {\n\t\t\t\tthis._logService.info(`Got Copilot token for ${session.account.label}`);\n\t\t\t\tthis._logService.info(`Copilot Chat: ${this._envService.getVersion()}, VS Code: ${this._envService.vscodeVersion}`);\n\t\t\t}\n\n\t\t\tif (tokenResult.kind === 'failure' && tokenResult.reason === 'NotAuthorized' && !tokenResult.notification_id) {\n\t\t\t\tthis._logService.info('Copilot token exchange failed (workspace token cannot be exchanged for Copilot token), triggering sign-in flow');\n\t\t\t\treturn { kind: 'failure', reason: 'GitHubLoginFailed' };\n\t\t\t}\n\n\t\t\treturn tokenResult;"
+	}
+]

.rebase/replace/code/src/vs/workbench/contrib/chat/browser/chatSetup/chatSetupContributions.ts.json

@@ -0,0 +1,6 @@
+[
+	{
+		"from": "\t\t\t\t\t\t}));\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// Inline Agents",
+		"by": "\t\t\t\t\t\t}));\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// Proactively clear panel agents when Copilot reports GitHub login failure\n\t\t\t\t\t\t// (e.g. workspace PAT cannot be exchanged for a Copilot token)\n\t\t\t\t\t\tconst gitHubLoginFailedKey = 'github.copilot.interactiveSession.gitHubLoginFailed';\n\t\t\t\t\t\tconst checkGitHubLoginFailed = () => {\n\t\t\t\t\t\t\tif (this.contextKeyService.getContextKeyValue<boolean>(gitHubLoginFailedKey)) {\n\t\t\t\t\t\t\t\tconst panelAgentHasGuidance = chatViewsWelcomeRegistry.get().some(descriptor => this.contextKeyService.contextMatchesRules(descriptor.when));\n\t\t\t\t\t\t\t\tif (panelAgentHasGuidance) {\n\t\t\t\t\t\t\t\t\tthis.logService.error('[chat setup] GitHub login failed detected, clearing panel agent registration to show welcome view.');\n\t\t\t\t\t\t\t\t\tpanelAgentDisposables.dispose();\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t};\n\t\t\t\t\t\tpanelAgentDisposables.add(this.contextKeyService.onDidChangeContext(e => {\n\t\t\t\t\t\t\tif (e.affectsSome(new Set([gitHubLoginFailedKey]))) {\n\t\t\t\t\t\t\t\tcheckGitHubLoginFailed();\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}));\n\t\t\t\t\t\tcheckGitHubLoginFailed();\n\n\t\t\t\t\t\t// Inline Agents"
+	}
+]

code/extensions/che-api/src/api/github-service.ts

@@ -34,4 +34,7 @@ export interface GithubService {
 
     getUser(): Promise<GithubUser>;
     getTokenScopes(token: string): Promise<string[]>;
+
+    /** True when the active token comes from the device-authentication secret (OAuth), not a workspace PAT. */
+    isDeviceAuthToken(): Promise<boolean>;
 }

code/extensions/che-api/src/impl/github-service-impl.ts

@@ -67,6 +67,10 @@ export class GithubServiceImpl implements GithubService {
     return result.scopes;
   }
 
+  async isDeviceAuthToken(): Promise<boolean> {
+    return (await this.getDeviceAuthToken()) !== undefined;
+  }
+
   private async fetchGithubUser(token: string): Promise<{ user: GithubUser; scopes: string[] }> {
     try {
       this.logger.info('Github Service: fetching GitHub user using fetch...');

code/extensions/che-github-authentication/src/device-authentication.ts

@@ -40,25 +40,23 @@ export class DeviceAuthentication {
     const scopeString = sortedScopes.join(' ');
     this.logger.info(`Device Authentication: running interactive flow for scopes: ${scopeString}`);
 
-    const existingSessions = await this.gitHubAuthProvider.getSessions();
-    this.logger.info(`Device Authentication: found ${existingSessions.length} existing sessions to clear`);
+    const token = await vscode.commands.executeCommand<string>('github-authentication.device-code-flow', scopeString);
+    if (!token) {
+      throw new Error('Device authentication was cancelled or failed');
+    }
+
+    this.logger.info(`Device Authentication: token for scopes: ${scopeString} has been generated successfully`);
 
+    const existingSessions = await this.gitHubAuthProvider.getSessions();
+    this.logger.info(`Device Authentication: clearing ${existingSessions.length} existing sessions`);
     for (const session of existingSessions) {
       try {
         await this.gitHubAuthProvider.removeSession(session.id);
-        this.logger.info(`Device Authentication: removed session with scopes: ${session.scopes}`);
       } catch (e) {
-        console.warn(e.message);
-        this.logger.warn(`Device Authentication: an error happened at removing a session with scopes: ${session.scopes}`);
+        this.logger.warn(`Device Authentication: failed to remove session: ${e.message}`);
       }
     }
 
-    const token = await vscode.commands.executeCommand<string>('github-authentication.device-code-flow', scopeString);
-    if (!token) {
-      throw new Error('Device authentication was cancelled or failed');
-    }
-
-    this.logger.info(`Device Authentication: token for scopes: ${scopeString} has been generated successfully`);
     await this.githubService.persistDeviceAuthToken(token);
     return token;
   }

code/extensions/che-github-authentication/src/extension.ts

@@ -47,9 +47,11 @@ export async function activate(context: vscode.ExtensionContext): Promise<void>
     const deviceAuthentication = container.get(DeviceAuthentication);
     authenticationProvider.setDeviceAuthentication(deviceAuthentication);
 
+    await authenticationProvider.hydrateFromK8sToken();
+
     vscode.authentication.registerAuthenticationProvider('github', 'GitHub', authenticationProvider);
 
-    await authenticationProvider.hydrateFromK8sToken();
+    await authenticationProvider.notifyExistingSessions();
 }
 
 export function deactivate(): void {

code/extensions/che-github-authentication/src/github.ts

@@ -17,7 +17,7 @@ import type { DeviceAuthentication } from './device-authentication';
 import { ErrorHandler } from './error-handler';
 import { ExtensionContext } from './extension-context';
 import { Logger } from './logger';
-import { arrayEquals, getMatchingHydrationScopeBundles, hasAllScopes, isUnauthorizedError } from './utils';
+import { getMatchingHydrationScopeBundles, hasAllScopes, isUnauthorizedError, isWorkspacePatSession, sessionMatchesRequestedScopes, WORKSPACE_PAT_SCOPE } from './utils';
 
 export interface GithubUser {
   login: string;
@@ -32,6 +32,7 @@ export interface GithubService {
   removeDeviceAuthToken(): Promise<void>;
   getUser(): Promise<GithubUser>;
   getTokenScopes(token: string): Promise<string[]>;
+  isDeviceAuthToken(): Promise<boolean>;
 }
 
 @injectable()
@@ -59,13 +60,28 @@ export class GitHubAuthProvider implements vscode.AuthenticationProvider {
     this.deviceAuthentication = deviceAuthentication;
   }
 
+  async notifyExistingSessions(): Promise<void> {
+    const sessions = await this.sessionsPromise;
+    if (sessions.length > 0) {
+      this.logger.info(`GitHubAuthProvider: notifying about ${sessions.length} existing session(s)`);
+      this.sessionChangeEmitter.fire({ added: sessions, removed: [], changed: [] });
+    }
+  }
+
   async hydrateFromK8sToken(): Promise<void> {
     let sessions = await this.sessionsPromise;
     if (sessions.length > 0) {
       try {
         await this.githubService.getTokenScopes(sessions[0].accessToken);
-        this.logger.trace('GitHubAuthProvider: existing session token is valid');
-        return;
+        const isDeviceAuthToken = await this.githubService.isDeviceAuthToken();
+        const sessionsNeedRetag = isDeviceAuthToken
+          ? sessions.some(session => isWorkspacePatSession(session.scopes))
+          : sessions.some(session => !isWorkspacePatSession(session.scopes));
+        if (!sessionsNeedRetag) {
+          this.logger.info('GitHubAuthProvider: existing session token is valid');
+          return;
+        }
+        this.logger.info('GitHubAuthProvider: re-hydrating sessions to match current token source');
       } catch (error) {
         if (isUnauthorizedError(error)) {
           this.logger.warn('GitHubAuthProvider: existing session token is not valid, clearing sessions');
@@ -74,57 +90,71 @@ export class GitHubAuthProvider implements vscode.AuthenticationProvider {
           this.sessionChangeEmitter.fire({ added: [], removed, changed: [] });
           sessions = [];
         } else {
-          this.logger.trace(`GitHubAuthProvider: session validation skipped: ${(error as Error).message}`);
+          this.logger.warn(`GitHubAuthProvider: session validation skipped: ${(error as Error).message}`);
           return;
         }
       }
     }
 
-    try {
-      const token = await this.githubService.getToken();
-      const tokenScopes = await this.githubService.getTokenScopes(token);
-      if (tokenScopes.length === 0) {
-        this.logger.trace('GitHubAuthProvider: hydrate skipped, token has no scopes');
-        return;
-      }
+    await this.tryHydrate(3, 500);
+  }
 
-      const githubUser = await this.githubService.getUser();
-      const matchingBundles = getMatchingHydrationScopeBundles(tokenScopes);
-      if (matchingBundles.length === 0) {
-        this.logger.trace('GitHubAuthProvider: hydrate skipped, token scopes match no known bundle');
-        return;
-      }
+  private async tryHydrate(maxAttempts: number, delayMs: number): Promise<void> {
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      try {
+        const token = await this.githubService.getToken();
+        const tokenScopes = await this.githubService.getTokenScopes(token);
+        if (tokenScopes.length === 0) {
+          this.logger.info('GitHubAuthProvider: hydrate skipped, token has no scopes');
+          return;
+        }
 
-      const account = { label: githubUser.login, id: githubUser.id.toString() };
-      const hydratedSessions = matchingBundles.map(scopes => ({
-        id: v4(),
-        accessToken: token,
-        account,
-        scopes,
-      }));
-
-      await this.storeSessions(hydratedSessions);
-      this.sessionChangeEmitter.fire({ added: hydratedSessions, removed: [], changed: [] });
-      this.logger.info(`GitHubAuthProvider: hydrated ${hydratedSessions.length} session(s) from K8s token`);
-    } catch (error) {
-      if (isUnauthorizedError(error)) {
-        this.logger.warn('GitHubAuthProvider: hydrate failed, token is not valid');
-      } else {
-        this.logger.trace(`GitHubAuthProvider: hydrate skipped: ${(error as Error).message}`);
+        const githubUser = await this.githubService.getUser();
+        const matchingBundles = getMatchingHydrationScopeBundles(tokenScopes);
+        if (matchingBundles.length === 0) {
+          this.logger.info('GitHubAuthProvider: hydrate skipped, token scopes match no known bundle');
+          return;
+        }
+
+        const isDeviceAuthToken = await this.githubService.isDeviceAuthToken();
+        const account = { label: githubUser.login, id: githubUser.id.toString() };
+        const hydratedSessions = matchingBundles.map(scopes => ({
+          id: v4(),
+          accessToken: token,
+          account,
+          scopes: isDeviceAuthToken ? scopes : [...scopes, WORKSPACE_PAT_SCOPE],
+        }));
+
+        await this.storeSessions(hydratedSessions);
+        this.sessionChangeEmitter.fire({ added: hydratedSessions, removed: [], changed: [] });
+        const tokenSource = isDeviceAuthToken ? 'device authentication' : 'workspace PAT';
+        this.logger.info(`GitHubAuthProvider: hydrated ${hydratedSessions.length} session(s) from K8s ${tokenSource}`);
+        return;
+      } catch (error) {
+        if (isUnauthorizedError(error)) {
+          this.logger.warn('GitHubAuthProvider: hydrate failed, token is not valid');
+          return;
+        }
+        if (attempt < maxAttempts) {
+          this.logger.info(`GitHubAuthProvider: hydrate attempt ${attempt}/${maxAttempts} failed: ${(error as Error).message}, retrying in ${delayMs}ms`);
+          await new Promise(resolve => setTimeout(resolve, delayMs));
+        } else {
+          this.logger.warn(`GitHubAuthProvider: hydrate failed after ${maxAttempts} attempts: ${(error as Error).message}`);
+        }
       }
     }
   }
 
   async getSessions(sessionScopes?: string[]): Promise<vscode.AuthenticationSession[]> {
-    this.logger.trace(`GitHubAuthProvider: GET SESSIONS for scopes: ${sessionScopes}`);
+    this.logger.info(`GitHubAuthProvider: GET SESSIONS for scopes: ${sessionScopes}`);
 
     const sessions = await this.sessionsPromise;
     const sortedScopes = sessionScopes ? [...sessionScopes].sort() : [];
     const filteredSessions = sortedScopes.length
-      ? sessions.filter(session => arrayEquals([...session.scopes].sort(), sortedScopes))
+      ? sessions.filter(session => sessionMatchesRequestedScopes(session.scopes, sortedScopes))
       : [...sessions];
 
-    this.logger.trace(`GitHubAuthProvider: GET sessions - found ${filteredSessions.length} sessions for scopes: ${sessionScopes}`);
+    this.logger.info(`GitHubAuthProvider: GET sessions - found ${filteredSessions.length} sessions for scopes: ${sessionScopes}`);
     return filteredSessions;
   }
 
@@ -160,14 +190,15 @@ export class GitHubAuthProvider implements vscode.AuthenticationProvider {
     }
 
     const sessions = await this.sessionsPromise;
+    const isDeviceAuthToken = await this.githubService.isDeviceAuthToken();
     const session: vscode.AuthenticationSession = {
       id: v4(),
       accessToken: token,
       account: { label: githubUser.login, id: githubUser.id.toString() },
-      scopes,
+      scopes: isDeviceAuthToken ? scopes : [...scopes, WORKSPACE_PAT_SCOPE],
     };
 
-    const sessionIndex = sessions.findIndex(s => arrayEquals([...s.scopes].sort(), sortedScopes));
+    const sessionIndex = sessions.findIndex(s => sessionMatchesRequestedScopes(s.scopes, sortedScopes));
     const removed: vscode.AuthenticationSession[] = [];
     const updatedSessions = [...sessions];
     if (sessionIndex > -1) {
@@ -188,15 +219,28 @@ export class GitHubAuthProvider implements vscode.AuthenticationProvider {
       const token = await this.githubService.getToken();
       const existingScopes = await this.githubService.getTokenScopes(token);
       if (!hasAllScopes(existingScopes, sortedScopes)) {
-        this.logger.info(`GitHubAuthProvider: token lacks required scopes, starting device flow`);
+        this.logger.info('GitHubAuthProvider: token lacks required scopes, starting device flow');
         return await this.getDeviceAuthentication().runInteractiveFlow(sortedScopes);
       }
+
+      const isDeviceAuth = await this.githubService.isDeviceAuthToken();
+      if (!isDeviceAuth) {
+        const sessions = await this.sessionsPromise;
+        const hasExistingSession = sessions.some(s =>
+          sessionMatchesRequestedScopes(s.scopes, sortedScopes)
+        );
+        if (hasExistingSession) {
+          this.logger.info('GitHubAuthProvider: PAT session already exists for requested scopes, starting device auth flow');
+          return await this.getDeviceAuthentication().runInteractiveFlow(sortedScopes);
+        }
+      }
+
       return token;
     } catch (error) {
       if (isUnauthorizedError(error)) {
-        this.logger.info(`GitHubAuthProvider: token is not valid, starting device flow`);
+        this.logger.info('GitHubAuthProvider: token is not valid, starting device flow');
       } else {
-        this.logger.info(`GitHubAuthProvider: no token available, starting device flow`);
+        this.logger.info('GitHubAuthProvider: no token available, starting device flow');
       }
       return await this.getDeviceAuthentication().runInteractiveFlow(sortedScopes);
     }

code/extensions/che-github-authentication/src/utils.ts

@@ -38,6 +38,24 @@ export function hasAllScopes(existingScopes: string[], requestedScopes: string[]
   return requestedScopes.every(scope => existingScopes.includes(scope));
 }
 
+/**
+ * Marker scope on sessions backed by a workspace PAT. Copilot requests exact scope lists and
+ * will not match these sessions; other extensions use superset matching in getSessions.
+ */
+export const WORKSPACE_PAT_SCOPE = 'che:workspace-pat';
+
+export function isWorkspacePatSession(scopes: readonly string[]): boolean {
+  return scopes.includes(WORKSPACE_PAT_SCOPE);
+}
+
+export function sessionMatchesRequestedScopes(sessionScopes: readonly string[], requestedScopes: readonly string[]): boolean {
+  if (isWorkspacePatSession(sessionScopes)) {
+    const tokenScopes = sessionScopes.filter(scope => scope !== WORKSPACE_PAT_SCOPE);
+    return hasAllScopes(tokenScopes, [...requestedScopes]);
+  }
+  return arrayEquals([...sessionScopes].sort(), [...requestedScopes].sort());
+}
+
 /** Scope bundles used by Copilot / github / GHPRI / Agent Host — session keys match vanilla createSession. */
 export const HYDRATION_SCOPE_BUNDLES: readonly string[][] = [
   ['read:user', 'user:email', 'repo', 'workflow', 'project', 'read:org'],

code/extensions/copilot/src/platform/authentication/vscode-node/copilotTokenManager.ts

@@ -85,6 +85,12 @@ export class VSCodeCopilotTokenManager extends BaseCopilotTokenManager {
 				this._logService.info(`Got Copilot token for ${session.account.label}`);
 				this._logService.info(`Copilot Chat: ${this._envService.getVersion()}, VS Code: ${this._envService.vscodeVersion}`);
 			}
+
+			if (tokenResult.kind === 'failure' && tokenResult.reason === 'NotAuthorized' && !tokenResult.notification_id) {
+				this._logService.info('Copilot token exchange failed (workspace token cannot be exchanged for Copilot token), triggering sign-in flow');
+				return { kind: 'failure', reason: 'GitHubLoginFailed' };
+			}
+
 			return tokenResult;
 		} else {
 			this._logService.info(`Allowing anonymous access with devDeviceId`);

code/src/vs/workbench/contrib/chat/browser/chatSetup/chatSetupContributions.ts

@@ -138,6 +138,25 @@ export class ChatSetupContribution extends Disposable implements IWorkbenchContr
 							}));
 						}
 
+						// Proactively clear panel agents when Copilot reports GitHub login failure
+						// (e.g. workspace PAT cannot be exchanged for a Copilot token)
+						const gitHubLoginFailedKey = 'github.copilot.interactiveSession.gitHubLoginFailed';
+						const checkGitHubLoginFailed = () => {
+							if (this.contextKeyService.getContextKeyValue<boolean>(gitHubLoginFailedKey)) {
+								const panelAgentHasGuidance = chatViewsWelcomeRegistry.get().some(descriptor => this.contextKeyService.contextMatchesRules(descriptor.when));
+								if (panelAgentHasGuidance) {
+									this.logService.error('[chat setup] GitHub login failed detected, clearing panel agent registration to show welcome view.');
+									panelAgentDisposables.dispose();
+								}
+							}
+						};
+						panelAgentDisposables.add(this.contextKeyService.onDidChangeContext(e => {
+							if (e.affectsSome(new Set([gitHubLoginFailedKey]))) {
+								checkGitHubLoginFailed();
+							}
+						}));
+						checkGitHubLoginFailed();
+
 						// Inline Agents
 						disposables.add(SetupAgent.registerDefaultAgents(this.instantiationService, ChatAgentLocation.Terminal, ChatModeKind.Ask, context, controller).disposable);
 						disposables.add(SetupAgent.registerDefaultAgents(this.instantiationService, ChatAgentLocation.Notebook, ChatModeKind.Ask, context, controller).disposable);