Enable BYOK in air-gapped scenarios/without GitHub auth#317428
Merged
Conversation
Co-authored-by: Copilot <copilot@github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates VS Code’s Copilot Chat integration to better support BYOK (bring-your-own-key) usage in air‑gapped / signed-out scenarios by avoiding hard dependencies on GitHub authentication for parts of the extension that don’t strictly require it.
Changes:
- Adjusts sign-in UI surfacing and welcome messaging so BYOK availability suppresses GitHub-auth-specific warnings.
- Adds “no GitHub auth” guards/fallbacks in Copilot extension components (model metadata fetch, embeddings, prompt JSON rendering).
- Changes conversation feature activation logic to allow activation when non-Copilot (BYOK) chat models are present.
Show a summary per file
| File | Description |
|---|---|
| src/vs/workbench/contrib/chat/browser/chatSetup/chatSetupContributions.ts | Tweaks Accounts menu sign-in action label/visibility logic. |
| extensions/copilot/src/platform/endpoint/node/modelMetadataFetcher.ts | Stops model metadata fetch when Copilot token acquisition fails (BYOK-only). |
| extensions/copilot/src/platform/embeddings/common/remoteEmbeddingsComputer.ts | Adds early auth guard for remote embeddings requests. |
| extensions/copilot/src/extension/prompts/node/base/promptRenderer.ts | Falls back to a stub endpoint when utility model resolution fails during JSON rendering. |
| extensions/copilot/src/extension/prompt/node/chatMLFetcher.ts | Loosens Copilot token dependency for BYOK endpoints (but see comments). |
| extensions/copilot/src/extension/conversation/vscode-node/languageModelAccess.ts | Prevents registering LM/embeddings features without a GitHub session. |
| extensions/copilot/src/extension/conversation/vscode-node/conversationFeature.ts | Activates conversation features based on BYOK model presence; adds auth gating for search providers (but contains issues). |
| extensions/copilot/src/extension/conversation/vscode-node/chatParticipants.ts | Avoids resolving the utility endpoint unless a quota fallback is needed. |
| extensions/copilot/src/extension/chatSessions/copilotcli/node/copilotCli.ts | Skips CLI model fetch without a GitHub session. |
| extensions/copilot/src/extension/authentication/vscode-node/authentication.contribution.ts | Alters permissive-auth upgrade flow behavior when signed out. |
| extensions/copilot/package.json | Hides Copilot auth-related welcome messages when BYOK models are present. |
Copilot's findings
Comments suppressed due to low confidence (1)
extensions/copilot/src/extension/conversation/vscode-node/conversationFeature.ts:222
- Same typo here:
anyGithubSessionshould beanyGitHubSessionto match the authentication service API and avoid a compile error.
// Don't register for no auth user or or BYOK-only users
if (!this.authenticationService.anyGithubSession || this.authenticationService.copilotToken?.isNoAuthUser) {
this.logService.debug('ConversationFeature: Skipping settings search provider registration - no GitHub session available');
return;
- Files reviewed: 11/11 changed files
- Comments generated: 6
dmitrivMS
changed the title
This was referenced May 20, 2026
Closed
Co-authored-by: Copilot <copilot@github.com>
dmitrivMS
changed the title
vritant24
reviewed
May 20, 2026
vritant24
reviewed
May 20, 2026
Contributor
|
Base:
|
Co-authored-by: Copilot <copilot@github.com>
vritant24
previously approved these changes
May 20, 2026
…ithout GitHub sign-in.
Co-authored-by: Copilot <copilot@github.com>
vritant24
approved these changes
May 20, 2026
|
how to use this feature |
|
Contributor
|
Cross-posting from #246551 (comment)
|
dmitrivMS
added a commit
that referenced
this pull request
May 23, 2026
…#318092) * Fix BYOK regression for non-OAuth Copilot token pathways Introduce hasCopilotTokenSource on IAuthenticationService, defaulted to !!anyGitHubSession in BaseAuthenticationService and overridden to true in StaticGitHubAuthenticationService (proxy/HMAC, eval harness). Replace PR-introduced anyGitHubSession guards added in #317428 at sites that gate on 'can we mint a Copilot token?' so the eval proxy pathway is no longer short-circuited: - languageModelAccess._getToken - authentication.contribution.waitForChatEnabled - copilotCli (3 sites) - remoteEmbeddingsComputer Group-B sites that intentionally gate on a real signed-in GitHub user (conversationFeature search/intent provider registration, byokUtilityModel notification) keep using anyGitHubSession. * PR feedback: clarify log message; fall back to empty embeddings in proxy scenarios - Update languageModelAccess log to say 'Copilot token source' (matches the new gate). - In remoteEmbeddingsComputer, return empty embeddings instead of throwing when the Dotcom path lacks a GitHub access token (proxy/HMAC eval harness), matching the rest of the function's empty-fallback behavior.
This was referenced May 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Air-gapped BYOK: enable chat and some other AI functionality when user is not authenticated (with or without utility models enabled).
Fixes #246551
Fixes #275591
Fixes #313461
Fixes #272843
Related #294708
Fixes https://github.com/microsoft/vscode-internalbacklog/issues/7044
Related https://github.com/microsoft/vscode-internalbacklog/issues/5892