Issue Station
Sign In
Tools hereToolbox

hermes - 💡(How to fix) Fix Spurious Copilot token validation WARNING when GITHUB_TOKEN=ghp_* is set but copilot is not configured [2 pull requests]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…

When GITHUB_TOKEN (or GH_TOKEN) is set to a Classic PAT (ghp_*) in the environment, Hermes logs a WARNING on every auxiliary task resolution (vision, approval, title generation, etc.):

WARNING hermes_cli.auth: Copilot token validation failed: Token from `gh auth token` is a classic PAT (ghp_*). Classic Personal Access Tokens (ghp_*) are not supported by the Copilot API.

This happens even when the user has never configured copilot as a provider and is using a custom endpoint (e.g. custom:openclaw-router). The warning can appear 20+ times per session, polluting errors.log.

Error Message

if provider_id == "copilot": try: from hermes_cli.auth import is_provider_explicitly_configured if not is_provider_explicitly_configured("copilot"): continue except ImportError: pass

Root Cause

In agent/auxiliary_client.py, _resolve_api_key_provider() iterates all providers in PROVIDER_REGISTRY unconditionally. When it reaches copilot, it calls resolve_copilot_token() which discovers the GITHUB_TOKEN env var, finds it's a Classic PAT, and raises ValueError — logged as WARNING.

The anthropic provider already has a gate for this exact pattern:

if provider_id == "anthropic":
    if not is_provider_explicitly_configured("anthropic"):
        continue

But copilot does not, so any user with GITHUB_TOKEN=ghp_* in their environment (common in CI/CD, dev servers, or GitHub Actions runners) gets spammed.

Fix Action

Fixed

Code Example

WARNING hermes_cli.auth: Copilot token validation failed: Token from `gh auth token` is a classic PAT (ghp_*). Classic Personal Access Tokens (ghp_*) are not supported by the Copilot API.

---

if provider_id == "anthropic":
    if not is_provider_explicitly_configured("anthropic"):
        continue

---

if provider_id == "copilot":
    try:
        from hermes_cli.auth import is_provider_explicitly_configured
        if not is_provider_explicitly_configured("copilot"):
            continue
    except ImportError:
        pass
RAW_BUFFERClick to expand / collapse

Summary

When GITHUB_TOKEN (or GH_TOKEN) is set to a Classic PAT (ghp_*) in the environment, Hermes logs a WARNING on every auxiliary task resolution (vision, approval, title generation, etc.):

WARNING hermes_cli.auth: Copilot token validation failed: Token from `gh auth token` is a classic PAT (ghp_*). Classic Personal Access Tokens (ghp_*) are not supported by the Copilot API.

This happens even when the user has never configured copilot as a provider and is using a custom endpoint (e.g. custom:openclaw-router). The warning can appear 20+ times per session, polluting errors.log.

Root Cause

In agent/auxiliary_client.py, _resolve_api_key_provider() iterates all providers in PROVIDER_REGISTRY unconditionally. When it reaches copilot, it calls resolve_copilot_token() which discovers the GITHUB_TOKEN env var, finds it's a Classic PAT, and raises ValueError — logged as WARNING.

The anthropic provider already has a gate for this exact pattern:

if provider_id == "anthropic":
    if not is_provider_explicitly_configured("anthropic"):
        continue

But copilot does not, so any user with GITHUB_TOKEN=ghp_* in their environment (common in CI/CD, dev servers, or GitHub Actions runners) gets spammed.

Reproduction

  1. Set GITHUB_TOKEN=ghp_xxxxx in the environment (or have gh auth token return a classic PAT)
  2. Configure a non-copilot provider (e.g. custom:my-endpoint)
  3. Start Hermes, trigger any auxiliary task (vision analysis, approval, etc.)
  4. Check errors.log — WARNING appears on every resolution cycle

Expected Behavior

Don't probe copilot credentials (and don't warn) when copilot is not explicitly configured by the user. Match the anthropic gate pattern.

Suggested Fix

Add a gate in _resolve_api_key_provider() (agent/auxiliary_client.py, around line 1412):

if provider_id == "copilot":
    try:
        from hermes_cli.auth import is_provider_explicitly_configured
        if not is_provider_explicitly_configured("copilot"):
            continue
    except ImportError:
        pass

Environment

  • Hermes agent: latest main
  • Config: provider: custom, no copilot-related config
  • Env: GITHUB_TOKEN=ghp_* (classic PAT from gh auth token)

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

hermes - 💡(How to fix) Fix Spurious Copilot token validation WARNING when GITHUB_TOKEN=ghp_* is set but copilot is not configured [2 pull requests]