feat: enhance GitHub authentication with direct token support and improved fallback methods

Author: DevelopmentCats

registry/coder-labs/modules/copilot-cli/README.md

@@ -27,9 +27,9 @@ module "copilot_cli" {
 - **Node.js v22+** and **npm v10+**
 - **Active Copilot subscription** (GitHub Copilot Pro, Pro+, Business, or Enterprise)
 - **GitHub authentication** via one of:
+  - Direct token via `github_token` variable (highest priority)
   - Coder external authentication (recommended)
   - GitHub CLI (`gh auth login`)
-  - Environment token (`GITHUB_TOKEN`)
   - Or use interactive login in Copilot CLI
 
 ## Examples
@@ -80,6 +80,20 @@ module "copilot_cli" {
 }
 ```
 
+### Direct Token Authentication
+
+Use a GitHub token directly (OAuth token or Personal Access Token):
+
+```tf
+module "copilot_cli" {
+  source       = "registry.coder.com/coder-labs/copilot-cli/coder"
+  version      = "1.0.0"
+  agent_id     = coder_agent.example.id
+  workdir      = "/home/coder/project"
+  github_token = "your_github_token_here" # Or use data.coder_external_auth.github.access_token
+}
+```
+
 ### Standalone Mode
 
 Run and configure Copilot CLI as a standalone tool in your workspace.
@@ -144,17 +158,24 @@ module "copilot_cli" {
 
 ## Authentication
 
-This module works with multiple GitHub authentication methods:
+This module works with multiple GitHub authentication methods in priority order:
+
+**1. Direct Token (highest priority):**
+
+- **`github_token` variable**: Provide a GitHub OAuth token or Personal Access Token directly to the module
 
-**Recommended (automatic):**
-- **Coder External Auth**: Configure GitHub external authentication in Coder for seamless OAuth token integration
-- **GitHub CLI**: Users can run `gh auth login` in their workspace
+**2. Automatic detection:**
+
+- **Coder External Auth**: OAuth tokens from GitHub external authentication configured in Coder
+- **GitHub CLI**: OAuth tokens from `gh auth login` in the workspace
+
+**3. Interactive fallback:**
 
-**Automatic fallback:**
-- **Environment tokens**: Uses existing `GITHUB_TOKEN` if available (note: Personal Access Tokens may not work with all Copilot CLI features)
 - **Interactive login**: If no authentication is found, Copilot CLI will prompt users to login via the `/login` slash command
 
-**No setup required** - the module automatically detects and uses whatever authentication is available.
+**No setup required** for automatic methods - the module detects and uses whatever authentication is available.
+
+> **Note**: OAuth tokens work best with Copilot CLI. Personal Access Tokens may have limited functionality.
 
 ## Troubleshooting
 

registry/coder-labs/modules/copilot-cli/main.tf

@@ -24,6 +24,13 @@ variable "external_auth_id" {
   default     = "github"
 }
 
+variable "github_token" {
+  type        = string
+  description = "GitHub OAuth token or Personal Access Token. If provided, this will be used instead of auto-detecting authentication."
+  default     = ""
+  sensitive   = true
+}
+
 variable "copilot_model" {
   type        = string
   description = "Model to use. Supported values: claude-sonnet-4 (default), claude-sonnet-4.5, gpt-5."
@@ -188,6 +195,13 @@ resource "coder_env" "copilot_model" {
   value    = var.copilot_model
 }
 
+resource "coder_env" "github_token" {
+  count    = var.github_token != "" ? 1 : 0
+  agent_id = var.agent_id
+  name     = "GITHUB_TOKEN"
+  value    = var.github_token
+}
+
 
 
 module "agentapi" {

registry/coder-labs/modules/copilot-cli/scripts/install.sh

@@ -51,6 +51,11 @@ install_copilot_cli() {
 check_github_authentication() {
   echo "Checking GitHub authentication..."
 
+  if [ -n "$GITHUB_TOKEN" ]; then
+    echo "✓ GitHub token provided via module configuration"
+    return 0
+  fi
+
   if command_exists coder; then
     if coder external-auth access-token "${ARG_EXTERNAL_AUTH_ID:-github}" > /dev/null 2>&1; then
       echo "✓ GitHub OAuth authentication via Coder external auth"
@@ -63,12 +68,6 @@ check_github_authentication() {
     return 0
   fi
 
-  if [ -n "$GITHUB_TOKEN" ]; then
-    echo "✓ GitHub token found in environment"
-    echo "  Note: Copilot CLI works best with OAuth tokens from Coder external auth or 'gh auth login'"
-    return 0
-  fi
-
   echo "⚠ No GitHub authentication detected"
   echo "  Copilot CLI will prompt for authentication when started"
   echo "  For seamless experience, configure GitHub external auth in Coder or run 'gh auth login'"

registry/coder-labs/modules/copilot-cli/scripts/start.sh

@@ -84,10 +84,18 @@ configure_copilot_model() {
 
 setup_github_authentication() {
   echo "Setting up GitHub authentication..."
-  
+
+  # Check for provided token first (highest priority)
+  if [ -n "$GITHUB_TOKEN" ]; then
+    export GH_TOKEN="$GITHUB_TOKEN"
+    echo "✓ Using GitHub token from module configuration"
+    return 0
+  fi
+
+  # Try external auth
   if command_exists coder; then
     local github_token
-    if github_token=$(coder external-auth access-token "${ARG_EXTERNAL_AUTH_ID:-github}" 2>/dev/null); then
+    if github_token=$(coder external-auth access-token "${ARG_EXTERNAL_AUTH_ID:-github}" 2> /dev/null); then
       if [ -n "$github_token" ] && [ "$github_token" != "null" ]; then
         export GITHUB_TOKEN="$github_token"
         export GH_TOKEN="$github_token"
@@ -96,25 +104,17 @@ setup_github_authentication() {
       fi
     fi
   fi
-  
+
   # Try GitHub CLI as fallback
   if command_exists gh && gh auth status > /dev/null 2>&1; then
     echo "✓ Using GitHub CLI OAuth authentication"
     return 0
   fi
-  
-  # Use existing environment variable if present
-  if [ -n "$GITHUB_TOKEN" ]; then
-    export GH_TOKEN="$GITHUB_TOKEN"
-    echo "✓ Using GitHub token from environment"
-    echo "  Note: If this is a Personal Access Token, Copilot CLI may not work properly"
-    return 0
-  fi
-  
+
   echo "⚠ No GitHub authentication available"
   echo "  Copilot CLI will prompt for login during first use"
   echo "  Use the '/login' command in Copilot CLI to authenticate"
-  return 0  # Don't fail - let Copilot CLI handle authentication
+  return 0 # Don't fail - let Copilot CLI handle authentication
 }
 
 start_agentapi() {