Upgrade GitHub Copilot CLI to 0.0.340 and implement ${} syntax for MCP environment variables

[Copilot]

Copilot CLI Upgrade to 0.0.340

Summary

Upgrading GitHub Copilot CLI from version 0.0.339 to 0.0.340 and implementing the breaking change for MCP server environment variable configuration.

Changes Completed

• Update DefaultCopilotVersion constant from "0.0.339" to "0.0.340"
• Update renderSafeOutputsCopilotMCPConfig to use ${VAR} syntax for env var references
  • Changed GITHUB_AW_SAFE_OUTPUTS to use \${GITHUB_AW_SAFE_OUTPUTS}
  • Changed GITHUB_AW_SAFE_OUTPUTS_CONFIG to use \${GITHUB_AW_SAFE_OUTPUTS_CONFIG}
• Add GITHUB_PERSONAL_ACCESS_TOKEN environment variable configuration
  • Define in Setup MCPs step env section
  • Use passthrough pattern in GitHub MCP server env section
  • Update docker args to reference env var without inline value
• Fix test expectations for GITHUB_AW_SAFE_OUTPUTS_CONFIG
• Run unit tests - all passing ✅
• Recompile workflows with new version ✅
• Run formatter - no issues ✅
• Run linter - all checks pass ✅

Implementation Details

Breaking Change: MCP Environment Variables

Copilot CLI 0.0.340 introduces a breaking change in how environment variables are handled in MCP server configurations:

Before (0.0.339):

• Environment variable values were treated as environment variable names to look up
• Example: "VAR": "ENV_NAME" would look up ENV_NAME and pass its value

After (0.0.340):

• Environment variable values are treated as literal strings by default
• To reference environment variables, use ${VAR_NAME} syntax
• Example: "VAR": "${ENV_NAME}" looks up ENV_NAME and passes its value

GitHub MCP Server Configuration

The GitHub MCP server now uses the NAME=NAME pattern with ${GITHUB_PERSONAL_ACCESS_TOKEN}:

Setup MCPs Step:

env:
  GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
  GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}
  GITHUB_AW_SAFE_OUTPUTS_CONFIG: "{...}"

Docker Arguments (Local Mode):

args: [
  "run", "-i", "--rm",
  "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",  # Just the var name, not value
  "-e", "GITHUB_TOOLSETS=all",
  "ghcr.io/github/github-mcp-server:v0.18.0"
]

MCP Server Env Section:

"env": {
  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_PERSONAL_ACCESS_TOKEN}"
}

Remote Mode (HTTP):

"headers": {
  "Authorization": "******"
},
"env": {
  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_PERSONAL_ACCESS_TOKEN}"
}

This ensures the environment variable flows through the system:

1. GitHub Actions sets GITHUB_PERSONAL_ACCESS_TOKEN in the step env
2. Docker receives the env var via -e GITHUB_PERSONAL_ACCESS_TOKEN
3. MCP server config uses ${GITHUB_PERSONAL_ACCESS_TOKEN} to reference it
4. Copilot CLI expands ${GITHUB_PERSONAL_ACCESS_TOKEN} when launching the MCP server

Files Modified

• pkg/constants/constants.go - Updated version constant
• pkg/workflow/copilot_engine.go - Updated MCP env var syntax for safe-outputs and GitHub MCP
• pkg/workflow/mcps.go - Added GITHUB_PERSONAL_ACCESS_TOKEN to Setup MCPs env section
• pkg/workflow/copilot_engine_test.go - Updated test expectations
• pkg/workflow/github_remote_mode_test.go - Updated test for new ${} syntax
• pkg/workflow/mcp_config_compilation_test.go - Fixed test to find correct env section
• pkg/workflow/safe_output_helpers_test.go - Fixed test expectations for GITHUB_AW_SAFE_OUTPUTS_CONFIG
• All *.lock.yml workflow files - Recompiled with new version and configuration

Testing

• ✅ All unit tests passing
• ✅ Code formatting verified
• ✅ Linting successful
• ✅ Workflow compilation successful

Notes

• The NAME=NAME pattern (GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_PERSONAL_ACCESS_TOKEN}") ensures consistency
• Custom GitHub tokens are also supported via the same passthrough mechanism
• Claude Code and Codex engines are unaffected by this change

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[ca] Update GitHub Copilot CLI to 0.0.340</issue_title>
<issue_description># Update GitHub Copilot CLI to 0.0.340

This PR updates the GitHub Copilot CLI from version 0.0.339 to 0.0.340.

Version Change Summary

• Previous Version: 0.0.339
• New Version: 0.0.340
• Release Date: October 13, 2025 (21:36:11 UTC)
• Days Since Previous Release: ~3 days (0.0.339 released October 10, 2025)

Changes in 0.0.340

Breaking Changes

MCP Server Environment Variable Configuration - Customers who have configured MCP Servers will need to update their ~/.copilot/mcp-config.json:

• Environment variable values in the env section are now treated as literal values by default
• To reference environment variables, prefix the value with $ and wrap in ${}
• Example: Change "GITHUB_ACCESS_TOKEN": "GITHUB_TOKEN" to "GITHUB_ACCESS_TOKEN": "${GITHUB_TOKEN}"

New Features

1. Path Approval Prompt in -p Mode
   • Added a prompt to approve new paths when using -p mode
   • New --allow-all-paths argument to automatically approve all path access

Bug Fixes

1. Windows Support Improvements

   • Removed the "Windows support is experimental" warning
   • Significant improvements to Windows support over the past two weeks

2. Debugging Enhancements

   • Improved debugging by including Copilot API request ID for model call errors
   • Added stack traces for client errors

3. Tool Call Handling

   • Fixed issue where consecutive orphaned tool calls led to "Each tool_use block must have a corresponding tool_result block in the next message" error
   • Fixes: {"message":"messages.78: tool_use ids were found without tool_result blocks immediately after: toolu_013Ar6KT5dwjTY6oNdZqZ7bJ. Each tool_use block must have a corresponding tool_result block in the next message.","code":"invalid_request_body"} copilot-cli#102

Performance

No performance improvements explicitly mentioned in this release.

Security

No security updates explicitly mentioned in this release.

Impact Assessment

Risk Level: Low

Affected Features

1. MCP Server Configuration (Breaking)

   • Users with custom MCP server configurations need to update their ~/.copilot/mcp-config.json
   • Migration required for anyone using environment variables in MCP server configuration

2. Path Access Control (Enhancement)

   • New security feature for path approval in -p mode
   • Improves user control over file system access

3. Windows Users (Improvement)

   • Better Windows support experience
   • No longer experimental

Migration Required: Yes (for MCP users only)

Users who have configured MCP Servers with environment variables in the env section must:

1. Open ~/.copilot/mcp-config.json
2. For each environment variable reference, change from "KEY": "ENV_VAR" to "KEY": "${ENV_VAR}"

Example:

// Before
{
  "env": {
    "GITHUB_ACCESS_TOKEN": "GITHUB_TOKEN"
  }
}

// After
{
  "env": {
    "GITHUB_ACCESS_TOKEN": "${GITHUB_TOKEN}"
  }
}

Release Timeline

• v0.0.339: October 10, 2025 (20:16:43 UTC)
• v0.0.340: October 13, 2025 (21:36:11 UTC)
• Update Interval: ~3 days

Changelog Links

• Release Notes: https://github.com/github/copilot-cli/releases/tag/v0.0.340
• NPM Package: (redacted)
• Full Changelog: github/copilot-cli@v0.0.339...v0.0.340

Files Changed

• pkg/constants/constants.go - Updated DefaultCopilotVersion constant
• .github/workflows/*.lock.yml - Recompiled workflow files with new version

Testing

• ✅ make recompile completed successfully
• ✅ All workflow lock files regenerated without errors
• ✅ No compilation errors or warnings

Recommendation

Approve and merge - This is a minor update with important bug fixes (especially the tool call handling fix) and Windows support improvements. The breaking change for MCP server configuration is well-documented and only affects users who have custom MCP server configurations with environment variables.

---

🤖 Generated with Claude Code

AI generated by CLI Version Checker

---

[!NOTE]
This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available as an artifact (aw.patch) in the workflow run linked above.
To apply the patch locally:

# Download the artifact from the workflow run https://github.com/githubnext/gh-aw/actions/runs/18479556249
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 18479556249 -n aw.patch
# Apply the patch
git am aw.patch

Show patch preview (310 of 310 lines)

From 052e980391ae136bb416b1df09fe4793a4499a3e Mon Sep 17 00:00:00 2001
From: CLI Version Checker <github-actions[bot]@users.noreply.github.com>
Date: Mon, 13 Oct 2025 22:18:06 +0000
Subject: [PATCH] Update GitHub Copilot CLI to version ...

</details>

Fixes githubnext/gh-aw#1652

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for you](https://github.com/githubnext/gh-aw/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

Agentic Changeset Generator triggered by this pull request

[pelikhan]

@copilot add code in the mcp server configuration step to:

• define the environment variable GITHUB_PERSONAL_ACCESS_TOKEN as a github action env var (custom or secrets.GH_AW_GITHUB_TOKEN
• configure GITHUB_PERSONAL_ACCESS_TOKEN in the env section as passthorugh GITHUB_PERSONAL_ACCESS_TOKEN: "${GITHUB_PERSONAL_ACCESS_TOKEN }"
• use the GITHUB_PERSONAL_ACCESS_TOKEN env var in the Authorization header, and arguments using the ${GITHUB_PERSONAL_ACCESS_TOKEN} syntax.

[Copilot]

@copilot add code in the mcp server configuration step to:

• define the environment variable GITHUB_PERSONAL_ACCESS_TOKEN as a github action env var (custom or secrets.GH_AW_GITHUB_TOKEN
  ...

Done. Added GITHUB_PERSONAL_ACCESS_TOKEN environment variable configuration with the ${} passthrough pattern:

1. Setup MCPs env: Defines GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
2. Docker args: References as -e GITHUB_PERSONAL_ACCESS_TOKEN (without inline value)
3. MCP env section: Uses passthrough "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_PERSONAL_ACCESS_TOKEN}"
4. Authorization header (remote mode): Uses "Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}"

Commit: Short hash will be included after push completes.

@copilot add code in the mcp server configuration step to:

• define the environment variable GITHUB_PERSONAL_ACCESS_TOKEN as a github action env var (custom or secrets.GH_AW_GITHUB_TOKEN
  ...

Done in commit 43a958e. Added GITHUB_PERSONAL_ACCESS_TOKEN environment variable configuration with the ${} passthrough pattern:

1. Setup MCPs env: Defines GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
2. Docker args: References as -e GITHUB_PERSONAL_ACCESS_TOKEN (without inline value)
3. MCP env section: Uses passthrough "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_PERSONAL_ACCESS_TOKEN}"
4. Authorization header (remote mode): Uses "Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}"

[pelikhan]

@copilot fix tests

[Copilot]

@copilot fix tests

Fixed in commit (will update after push). Updated test expectations in safe_output_helpers_test.go to account for GITHUB_AW_SAFE_OUTPUTS_CONFIG being added unconditionally by the applySafeOutputEnvToMap function. All tests now pass.

@copilot fix tests

Fixed in commit 0d85f9b. Updated test expectations in safe_output_helpers_test.go to account for GITHUB_AW_SAFE_OUTPUTS_CONFIG being added unconditionally by the applySafeOutputEnvToMap function. All tests now pass.