Support engine.auth for Azure OpenAI GitHub OIDC workflows

[Copilot]

Bug Fix

What was the bug?

Workflows using Azure OpenAI OIDC under engine.auth failed schema validation because engine.auth was not recognized.
As a result, users had to manually inject AWF_AUTH_* vars via engine.env instead of using structured auth config.

How did you fix it?

• Schema support (engine.auth)

  • Added engine.auth to the object-with-id engine schema in main_workflow_schema.json.
  • Supported fields:
    • type (github-oidc)
    • audience
    • azure-tenant-id
    • azure-client-id
    • azure-scope
    • azure-cloud

• Engine auth parsing + env mapping

  • Extended engine config parsing to read engine.auth.
  • Mapped parsed auth fields into AWF sidecar env vars via existing engine env propagation:
    • AWF_AUTH_TYPE
    • AWF_AUTH_OIDC_AUDIENCE
    • AWF_AUTH_AZURE_TENANT_ID
    • AWF_AUTH_AZURE_CLIENT_ID
    • AWF_AUTH_AZURE_SCOPE
    • AWF_AUTH_AZURE_CLOUD
  • Defined precedence so user-provided engine.env values win when the same AWF_AUTH_* keys are set explicitly.

• Permission guard for OIDC

  • Added compiler validation: when engine.auth.type: github-oidc is set, permissions.id-token: write is required.
  • Emits a compile error if missing.

• Targeted coverage updates

  • Added/updated tests for:
    • schema structure expectations (engine.auth present on engine object variant),
    • engine auth extraction + AWF_AUTH_* mapping,
    • precedence behavior (engine.env overrides engine.auth-derived AWF_AUTH_* values),
    • permission validation for github-oidc requiring id-token: write.

Testing

Behavior now supports the intended frontmatter directly (without manual AWF_AUTH_* wiring in engine.env):

permissions:
  id-token: write

engine:
  id: copilot
  env:
    COPILOT_PROVIDER_BASE_URL: https://my-resource.openai.azure.com
    COPILOT_PROVIDER_TYPE: azure
    COPILOT_MODEL: gpt-4.1
  auth:
    type: github-oidc
    audience: https://cognitiveservices.azure.com

[Copilot]

Pull request overview

Adds first-class support for engine.auth in workflows to enable Azure OpenAI GitHub OIDC setups without manual AWF_AUTH_* wiring, including schema updates, engine config parsing/env mapping, and a compiler permission guard requiring permissions.id-token: write when engine.auth.type: github-oidc is used.

Changes:

• Extended the workflow JSON schema to allow engine.auth on the engine: { id: ... } variant.
• Added engine parsing for engine.auth and mapped fields to AWF_AUTH_* env vars.
• Added compiler validation enforcing permissions.id-token: write when engine.auth.type is github-oidc, with accompanying tests.

Show a summary per file

File	Description
pkg/workflow/permissions_compiler_validator.go	Adds validation to require permissions.id-token: write when engine auth uses GitHub OIDC.
pkg/workflow/engine.go	Introduces EngineAuthConfig, parses engine.auth, and maps it into AWF_AUTH_* env vars.
pkg/workflow/engine_config_test.go	Adds test coverage for engine.auth parsing and env var mapping.
pkg/workflow/engine_catalog_test.go	Updates schema/catalog expectation tests to ensure engine.auth is present.
pkg/workflow/compiler_validators_test.go	Adds tests for the new permission requirement behavior.
pkg/parser/schemas/main_workflow_schema.json	Adds engine.auth object schema (type/audience/Azure fields) to the engine object-with-id variant.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 6/6 changed files
• Comments generated: 2

[pelikhan]

@copilot merge main, review all comments recompile

[Copilot]

@copilot merge main, review all comments recompile

Done. Merged main in 8a6341e88d, addressed the review follow-ups in f43b15a15b and 6ac9611a89, and recompiled (make recompile) with targeted tests passing.