
Fix permissions syntax in workflow YAML#2582

Open
Seli-Kasela wants to merge 311 commits into github:compare-scopes from Seli-Kasela:SeliKasela

Conversation

@Seli-Kasela

Summary

Why

Fixes #

What changed

MCP impact

  • No tool or API changes
  • Tool schema or behavior changed
  • New tool added

Prompts tested (tool changes only)

Security / limits

  • No security or limits impact
  • Auth / permissions considered
  • Data exposure, filtering, or token/size limits considered

Tool renaming

  • I am renaming tools as part of this PR (e.g. a part of a consolidation effort)
    • I have added the new tool aliases in deprecated_tool_aliases.go
  • I am not renaming tools as part of this PR

Note: if you're renaming tools, you must add the tool aliases. For more information on how to do so, please refer to the official docs.

Lint & tests

  • Linted locally with ./script/lint
  • Tested locally with ./script/test

Docs

  • Not needed
  • Updated (README / docs / examples)

leereilly and others added 30 commits January 26, 2026 15:26
Add a Windows/CLI note that `claude mcp add-json` may return "Invalid input"
when adding an HTTP server, and point users to the legacy `claude mcp add
--transport http ...` format.

Also add a Windows (PowerShell) example for the legacy command when the CLI
expects the MCP server name immediately after `claude mcp add`.
Previously, generateInstructions() iterated over AvailableToolsets() which
returns all toolsets that have tools defined, rather than only the enabled
toolsets based on WithToolsets() configuration.

This caused instructions for all toolsets to be included regardless of which
toolsets were actually enabled, leading to bloated instructions (e.g., 5886
chars vs 1226 chars when only 'repos' toolset is enabled).

Changes:
- Add EnabledToolsets() method to return only enabled toolset metadata
- Update generateInstructions() to use EnabledToolsets()
- Add regression test for the fix

Fixes github#1897
Updates to v2.2.0 which includes server instructions diff support for
detecting issues like github#1897.
Add toolsets-context and toolsets-issues,context configurations to
improve test coverage for instruction generation with different
toolset combinations.
Bumps [SamMorrowDrums/mcp-server-diff](https://github.com/sammorrowdrums/mcp-server-diff) from 2.2.0 to 2.3.5.
- [Release notes](https://github.com/sammorrowdrums/mcp-server-diff/releases)
- [Commits](SamMorrowDrums/mcp-server-diff@v2.2.0...v2.3.5)

---
updated-dependencies:
- dependency-name: SamMorrowDrums/mcp-server-diff
  dependency-version: 2.3.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps golang from 1.25.4-alpine to 1.25.6-alpine.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.25.6-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
- Extract storeLine() and accumulate() helper closures to eliminate
  duplicated line processing and truncation logic
- Simplify main loop by using early return pattern (newlineIdx < 0 -> break)
- Add test for empty response body edge case
- Add test for exact maxLineSize boundary condition (10MB)

The refactored code reduces nesting and makes the flow clearer:
accumulate handles byte collection with truncation detection,
storeLine handles ring buffer storage with truncation markers.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@5e57cd1...c94ce9f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
* Update snapshots

There was a change on `main` before I changed anything

* feat: add add_reply_to_pull_request_comment tool

Add a new tool that allows AI agents to reply to existing pull request comments. This tool uses GitHub's CreateCommentInReplyTo REST API to create threaded conversations on pull requests.

Features:

- Reply to any existing PR comment using its ID
- Proper error handling for missing parameters and API failures
- Comprehensive test coverage (8 test cases)
- Follows project patterns and conventions
- Registered in pull_requests toolset as a write operation

Parameters:

- owner: Repository owner (required)
- repo: Repository name (required)
- pullNumber: Pull request number (required)
- commentId: ID of comment to reply to (required)
- body: Reply text content (required)

This tool complements the existing add_comment_to_pending_review tool by enabling responses to already-posted comments, enhancing AI-powered code review workflows.

Closes: github#635

* Update README

* fix types

---------

Co-authored-by: tommaso-moro <tommaso-moro@github.com>
Co-authored-by: Tommaso Moro <37270480+tommaso-moro@users.noreply.github.com>
Co-authored-by: plaskowski <1999603+plaskowski@users.noreply.github.com>
Co-authored-by: Rob Emanuele <2320142+lossyrob@users.noreply.github.com>
Adds new `http` command supporting Streamable HTTP support, OAuth Metadata handler and Scope filtering.

Co-authored-by: kerobbi <kerobbi@github.com>
Co-authored-by: Matt Holloway <mattdholloway@github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* improve copilot cli installation doc

* revert custom config intro

* apply copilot suggestion
Bumps [github.com/modelcontextprotocol/go-sdk](https://github.com/modelcontextprotocol/go-sdk) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/modelcontextprotocol/go-sdk/releases)
- [Commits](modelcontextprotocol/go-sdk@v1.2.0...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/modelcontextprotocol/go-sdk
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Auto-generated by license-check workflow
Bumps golang from 1.25.6-alpine to 1.25.7-alpine.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.25.7-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot and others added 24 commits May 28, 2026 13:25
Bumps [docker/login-action](https://github.com/docker/login-action) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@4907a6d...650006c)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@4d04d5d...d7f5e7f)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 7.1.0 to 7.2.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@bcafcac...f9f3042)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 7.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.5 to 5.3.0.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.2.5...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Auto-generated by license-check workflow
Bumps github.com/modelcontextprotocol/go-sdk from v1.6.0 to v1.6.1 and
removes the CrossOriginProtection bypass we previously installed on the
StreamableHTTP handler.

As of go-sdk v1.6.0 the cross-origin check is opt-in: a nil
CrossOriginProtection on StreamableHTTPOptions means no check is run.
v1.6.1 also marks the field itself as deprecated (the SDK recommends
wrapping the handler with middleware instead, and the field will be
removed in v1.8.0).

This server authenticates via bearer tokens, not cookies, so the
Sec-Fetch-Site CSRF check is unnecessary and would block browser-based
MCP clients. Leaving CrossOriginProtection unset preserves that
behavior without depending on a deprecated API.

Supersedes github#2541.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* I want to enable only ifc

* Fix tests
Adds a source-level (AST) validation test that walks every non-test Go file in pkg/github and fails if any mcp.Tool composite literal omits Annotations.ReadOnlyHint.

The existing TestAllToolsHaveRequiredMetadata can only assert that Annotations is non-nil at runtime: Go cannot distinguish an unset bool field from one explicitly set to false. The new test closes that gap so future read-intent tools cannot silently default to ReadOnlyHint=false, which has caused downstream agents to prompt for human approval on safe read operations.

All 97 current mcp.Tool registrations pass. Fault-injected by removing ReadOnlyHint from issue_read and confirmed the test reports the exact file, line, tool name, and reason.

Refs github#2483
- Resolve each file's local alias for github.com/modelcontextprotocol/go-sdk/mcp
  via file.Imports rather than hard-coding the "mcp" qualifier, so the check
  also covers files that import the SDK under a non-default alias.
- Detect positional (unkeyed) composite literals and report a dedicated
  diagnostic instead of producing misleading "missing field" violations.
- Drop the brittle 'expected to discover at least one mcp.Tool literal'
  assertion: if registrations move behind constructors/factories the AST
  walker legitimately finds nothing.
- Use strconv.Unquote to decode tool-name string literals (handles escapes
  in interpreted strings); fall back to the raw lexeme on parse error.
…package

Move the AST-based ReadOnlyHint scan introduced in github#2486 out of
pkg/github's test file and into a new exported package, pkg/toolvalidation,
so downstream consumers (notably github/github-mcp-server-remote, which
uses this repo as a library) can apply the same guardrail to their own
tool registrations with a one-line test:

    violations, err := toolvalidation.ScanReadOnlyHint(pkgDir)

Changes:
- New pkg/toolvalidation/readonlyhint.go with ScanReadOnlyHint,
  FormatReadOnlyHintViolations, and the ReadOnlyHintViolation type.
- Dedicated unit tests for the scanner using in-memory fixtures
  (compliant, missing-hint, missing-annotations, non-literal,
  aliased import, positional fields, file without mcp import).
- pkg/github/tools_static_validation_test.go shrunk to a thin wrapper
  that calls ScanReadOnlyHint against its own package directory; the
  existing behavior for pkg/github is preserved.

No production-code, schema, or toolsnap changes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
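The source-level ReadOnlyHint scan described in the two commit messages above, as an added illustration in Go; it is not the project's pkg/toolvalidation code, and the names `MissingReadOnlyHint`, `keyed` and `Fixture` are mine. It assumes the SDK's `Tool.Annotations` is a pointer written as `&mcp.ToolAnnotations{...}`, hard-codes the `mcp` qualifier as the first version did, and leaves out the alias-resolution and positional-literal refinements from the follow-up commit.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Fixture is a constructed sample file (not project code): one compliant tool and two violations.
const Fixture = `package x
import "github.com/modelcontextprotocol/go-sdk/mcp"
var ok = mcp.Tool{Name: "issue_read", Annotations: &mcp.ToolAnnotations{ReadOnlyHint: true}}
var bad1 = mcp.Tool{Name: "issue_write", Annotations: &mcp.ToolAnnotations{}}
var bad2 = mcp.Tool{Name: "get_me"}
`

// keyed returns the value stored under name in a keyed composite literal (nil if absent or positional).
func keyed(lit *ast.CompositeLit, name string) ast.Expr {
	for _, e := range lit.Elts {
		if kv, ok := e.(*ast.KeyValueExpr); ok {
			if id, ok := kv.Key.(*ast.Ident); ok && id.Name == name {
				return kv.Value
			}
		}
	}
	return nil
}

// MissingReadOnlyHint parses src and returns the line of every mcp.Tool literal lacking an explicit Annotations.ReadOnlyHint.
func MissingReadOnlyHint(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "tools.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		lit, ok := n.(*ast.CompositeLit)
		// The "mcp" qualifier is hard-coded here, as in the first version of the check.
		if !ok || lit.Type == nil || types.ExprString(lit.Type) != "mcp.Tool" {
			return true
		}
		ann := keyed(lit, "Annotations")
		if u, ok := ann.(*ast.UnaryExpr); ok && u.Op == token.AND {
			ann = u.X // Annotations is a pointer field, so it is written &mcp.ToolAnnotations{...}
		}
		// Source-level check: an absent key means the bool silently defaults to false.
		if inner, ok := ann.(*ast.CompositeLit); !ok || keyed(inner, "ReadOnlyHint") == nil {
			lines = append(lines, fset.Position(lit.Pos()).Line)
		}
		return true
	})
	return lines, nil
}
```

Run against `Fixture` it reports lines 4 and 5 (the empty `ToolAnnotations{}` and the tool with no `Annotations` at all), while an explicit `ReadOnlyHint: false` is accepted as a deliberate choice.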
The remote/HTTP server never called RegisterUIResources, so when the
remote_mcp_ui_apps feature flag was enabled per-request, tools like
issue_write and create_pull_request would advertise a ui:// resource URI
in their _meta.ui block but the resource itself was not registered. The
client's follow-up resources/read call then failed with -32002 'Resource
not found' (the error surfaced as 'Error loading MCP App: MPC -32002:
Resource not found' in VS Code).

The stdio bootstrap also gated registration on featureChecker called
with context.Background(), which can't see per-request flag overrides.

Move RegisterUIResources into pkg/github.NewMCPServer (the shared
constructor used by both stdio and HTTP), gated only on
UIAssetsAvailable(). The resources are inert static HTML; the inventory
still strips _meta.ui from tools per-request via stripMCPAppsMetadata,
so the URI is only advertised to clients when the flag is on for that
request.

Fixes github#2467

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Per the MCP Apps 2026-01-26 spec, servers SHOULD check client capabilities
before advertising UI-enabled tools. Extend the inventory strip gate to
remove _meta.ui not only when the feature flag is off, but also when the
request context explicitly reports the client lacks UI support
(HasUISupport returns supported=false, ok=true).

When the capability is unknown (ok=false, e.g. stdio paths), fall through
to the existing feature-flag gate so existing behaviour is preserved.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Explicitly set prefersBorder on every UI resource — false for the
  get_me profile card, true for the issue/PR write forms — since
  hosts' defaults vary.
* Declare an empty csp on issue_write_ui and pr_write_ui to document
  that they need no external origins.
* Point spec link comment at the stable 2026-01-26 location.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Declare appCapabilities.availableDisplayModes (defaults to ["inline"])
  during initialization, as required by the new spec.
* Track McpUiHostContext (and its updates via onhostcontextchanged) and
  thread it into AppProvider, which now picks up host-supplied
  theme + CSS style variables and projects them onto the root element so
  Primer components inherit host theming.
* Add setModelContext and openLink helpers to useMcpApp. issue-write and
  pr-write call setModelContext on a successful submission so the agent
  has the new entity in its next-turn context; get-me uses openLink for
  the profile's external blog link.

The pinned @modelcontextprotocol/ext-apps ^1.7.2 was already resolved to
1.7.2 in the lockfile, so no dependency bump is required for the new
HostContext / openLink / updateModelContext APIs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ts_write

Adds two new methods to the consolidated projects_write tool:
- create_project: creates a new GitHub ProjectsV2 for a user or org
- create_iteration_field: adds an iteration field to an existing project

Changes addressing review feedback:
- Validate owner_type is exactly 'user' or 'org' in create_project
- Use resolveProjectNodeID (GraphQL) instead of getProjectNodeID (REST)
  to avoid HTTP response body leaks
- Add omitempty to Iterations JSON tag
- Rename iterations item field startDate to start_date for consistency
- Validate iteration elements instead of silently skipping invalid ones
- Use explicit response structs with snake_case JSON tags
- Add test for auto-detected owner_type in create_iteration_field
- Use stubExporters() in test deps for nil-safety

Co-authored-by: João Doria de Souza <jdoria@github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adds two new installation guides under docs/installation-guides/ covering MCP host applications that are not yet documented:

- install-zed.md: covers Zed's 'context_servers' settings key (command + args shape), the official GitHub MCP extension as an easier alternative, remote/local setup, the 'mcp:<server>:<tool>' permission key format introduced in Zed v0.224.0, and OAuth-vs-PAT trade-offs.

- install-opencode.md: covers OpenCode's 'mcp' config block (type-discriminated local/remote, command-as-array, 'environment' instead of 'env'), the 'oauth: false' opt-out needed when using a PAT, the '{env:VAR}' interpolation pattern, and the per-agent tool-gating pattern recommended for token-heavy servers like GitHub.

Also adds both hosts to:

- docs/installation-guides/README.md installation-guides index and the support-by-host-application table.

- README.md 'Install in other MCP hosts' and 'Install in Other MCP Hosts' lists.

Closes github#2531.
- Fix README.md: Remove non-existent 'Claude Web' from description
- Add Windows PowerShell environment variable example for loading PAT from .env file

The previous documentation only showed bash syntax for loading environment
variables from .env files, which doesn't work on Windows PowerShell. This
adds a PowerShell equivalent to help Windows users set up the GitHub MCP
Server correctly.
- Linux/macOS: actually set GITHUB_PAT instead of inlining via subshell, matching the heading.
- PowerShell: use Select-Object -First 1, split with max 2 parts, and trim quotes/whitespace so common .env formats work.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The default toolset row covers /mcp/ but /x/all is still a real, useful
meta toolset that enables every toolset at once. Render both as special
rows above the per-toolset list.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Seli-Kasela Seli-Kasela requested a review from a team as a code owner May 30, 2026 19:51

@Seli-Kasela Seli-Kasela left a comment


B5690EEEBB952194

@Seli-Kasela Seli-Kasela changed the base branch from main to compare-scopes May 30, 2026 22:41
Removed unnecessary export statements for environment variables in README.
Expanded the README to include detailed descriptions of the GitHub MCP Server, its use cases, core technology, main components, key capabilities, code quality standards, and critical workflow.