Bump dependencies and enhance GitHub Actions toolset functionality #1
Open
WyattCrypto88 wants to merge 601 commits into
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Fallback to default branch in get_file_contents when main doesn't exist
* Addressing review comments
* Improvements to push_files tool
* Fixed copilot comments
* Addressing review comments
* Remove debug statement
- Created pkg/scopes package with OAuth scope constants
- Added RequiredScopes and AcceptedScopes fields to ServerTool
- Added NewToolWithScopes helpers in dependencies.go
- Updated context tools (get_me, get_teams, get_team_members) with scopes
Co-authored-by: SamMorrowDrums <4811358+SamMorrowDrums@users.noreply.github.com>
- Updated 60+ tools with required and accepted OAuth scopes
- Added scopes to: gists, git, notifications, projects, code scanning, dependabot, secret scanning, security advisories, actions, discussions, issues (partial), labels, pull requests (partial), repositories (partial), search (partial)
- Remaining: ~20 tools in issues, pullrequests, repositories, and search files
Co-authored-by: SamMorrowDrums <4811358+SamMorrowDrums@users.noreply.github.com>
- Updated all remaining tools with OAuth scope information
- Added scope documentation generation to generate-docs command
- Documentation now shows Required and Accepted OAuth scopes for each tool
- All 100+ tools now have scope information defined
- Tests pass, linter passes, documentation generated successfully
Co-authored-by: SamMorrowDrums <4811358+SamMorrowDrums@users.noreply.github.com>
- Replace NewToolWithScopes with updated NewTool that includes scope parameters
- All tools now use the same constructor with explicit scope requirements
- Documentation only shows accepted scopes when they differ from required
- Removed NewToolWithScopes and NewToolFromHandlerWithScopes helper functions
Co-authored-by: SamMorrowDrums <4811358+SamMorrowDrums@users.noreply.github.com>
- Add ScopeHierarchy map defining parent-child scope relationships
- Add ExpandScopes() function to derive accepted scopes from required scopes
- Update NewTool/NewToolFromHandler to take []scopes.Scope and auto-derive AcceptedScopes
- Add new scope constants: NoScope, User, ReadUser, UserEmail, ReadPackages, WritePackages
- Update all tool files to use new signature with typed scopes
- Add comprehensive tests for ExpandScopes
The scope hierarchy allows automatic derivation of accepted scopes:
- repo → public_repo, security_events
- admin:org → write:org → read:org
- project → read:project
- write:packages → read:packages
- user → read:user, user:email
This enables the remote server to consume scope info directly from OSS tools.
public_repo is implicit - the GitHub API handles the distinction between public and private repos. Using repo as the required scope is more consistent with our enforcement model:
- PATs: tools visible if token has repo scope
- OAuth: scope challenge requests repo scope
Map iteration in Go is non-deterministic, which causes doc generation to produce different output on each run. Sort the scope slices in:
- ScopeSet.ToSlice()
- ScopeSet.ToStringSlice()
- ExpandScopes()
Add the ability to filter tools based on token scopes for PAT users. This uses an HTTP HEAD request to GitHub's API to discover token scopes.
New components:
- pkg/scopes/filter.go: HasRequiredScopes checks if scopes satisfy tool requirements
- pkg/scopes/fetcher.go: FetchTokenScopes gets scopes via HTTP HEAD to GitHub API
- pkg/github/scope_filter.go: CreateScopeFilter creates inventory.ToolFilter
Integration:
- Add --filter-by-scope flag to stdio command (disabled by default)
- When enabled, fetches token scopes on startup
- Tools requiring unavailable scopes are hidden from tool list
- Gracefully continues without filtering if scope fetch fails (logs warning)
This allows the OSS server to have similar scope-based tool visibility as the remote server, and the filter logic can be reused by remote server.
Scope filtering is now a built-in feature rather than a configurable option. The server automatically fetches token scopes at startup and filters tools accordingly. If scope detection fails, it logs a warning and continues with all tools available.
- Scope filtering only applies to classic PATs which return X-OAuth-Scopes
- Fine-grained PATs and other token types skip filtering (all tools shown)
- Updated docs to clarify PAT filtering vs OAuth scope challenges
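The scope hierarchy and the classic-PAT tool filtering described in the commit messages above, as an added Go sketch that is not the project's code. The names `parentOf` and `visibleTools`, the signature given to `hasRequiredScopes`, and the rule that every required scope must be satisfied are assumptions of this example, and the sample tool requirements are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Child scope -> parent scope that implies it, per the hierarchy in the commit message.
var parentOf = map[string]string{
	"public_repo": "repo", "security_events": "repo", "write:org": "admin:org",
	"read:org": "write:org", "read:project": "project", "read:packages": "write:packages",
	"read:user": "user", "user:email": "user",
}

// hasRequiredScopes: every required scope must be held itself or via an ancestor scope.
func hasRequiredScopes(held map[string]bool, required []string) bool {
	for _, scope := range required {
		found := false
		for ok := true; ok && !found; scope, ok = parentOf[scope] {
			found = held[scope]
		}
		if !found {
			return false
		}
	}
	return true
}

// visibleTools filters by an X-OAuth-Scopes value; hasHeader=false (no such header) skips filtering.
func visibleTools(hasHeader bool, header string, tools map[string][]string) []string {
	held := map[string]bool{}
	for _, s := range strings.Split(header, ",") {
		held[strings.TrimSpace(s)] = true
	}
	out := []string{}
	for name, required := range tools {
		if !hasHeader || hasRequiredScopes(held, required) {
			out = append(out, name)
		}
	}
	sort.Strings(out) // Go map iteration order is random; sort for stable output
	return out
}

func main() {
	tools := map[string][]string{"get_me": nil, "get_teams": {"read:org"}, "push_files": {"repo"}}
	fmt.Println(visibleTools(true, "admin:org, gist", tools)) // constructed sample input
}
```

A parent scope satisfies a child requirement, never the reverse, so a token holding only read:org does not unlock a tool that requires write:org.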
The README already has auto-generated tool documentation with scopes. Keep only the scope hierarchy explanation which is structural.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…cts tests (github#1737)
* Initial plan
* migrate tests from go-github-mock to internal testify-based mock
Co-authored-by: JoannaaKL <67866556+JoannaaKL@users.noreply.github.com>
* address feedback in testmock helper
Co-authored-by: JoannaaKL <67866556+JoannaaKL@users.noreply.github.com>
* tweak testmock path matching edge case
Co-authored-by: JoannaaKL <67866556+JoannaaKL@users.noreply.github.com>
* refine testmock options and path matching
Co-authored-by: JoannaaKL <67866556+JoannaaKL@users.noreply.github.com>
* simplify matchPath and document delete endpoint
Co-authored-by: JoannaaKL <67866556+JoannaaKL@users.noreply.github.com>
* Replace go-github-mock usage in tests with shared HTTP mock helper
Co-authored-by: JoannaaKL <67866556+JoannaaKL@users.noreply.github.com>
* Replace go-github-mock usage in tests with shared HTTP mock helper
Co-authored-by: JoannaaKL <67866556+JoannaaKL@users.noreply.github.com>
* fix tests and lint after mock cleanup
Co-authored-by: JoannaaKL <67866556+JoannaaKL@users.noreply.github.com>
* Remove import completely
* Partial removal in repositories_test.go
* Final removal
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: JoannaaKL <67866556+JoannaaKL@users.noreply.github.com>
Co-authored-by: JoannaaKL <joannaakl@github.com>
…() and add tests for feature flag validation
Upgrade the MCP Go SDK from v1.3.1-0.20260220105450-b17143f71798 (pseudo-version) to v1.5.0 (latest stable). This also resolves github#2333, as the SDK now correctly handles Content-Type headers with MIME parameters (e.g. charset=utf-8) via mime.ParseMediaType in StreamableHTTPHandler (added in v1.4.1).
Transitive dependency updates:
- go directive: 1.24.0 → 1.25.0 (required by SDK)
- golang.org/x/oauth2: v0.34.0 → v0.35.0
- golang.org/x/sys: v0.40.0 → v0.41.0
- segmentio/encoding: v0.5.3 → v0.5.4
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Auto-generated by license-check workflow
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@c94ce9f...b45d80f)
---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
The README references docs/deprecated-tool-aliases.md which does not exist. The correct file is docs/tool-renaming.md. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.0.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@8d2750c...4d04d5d)
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/josephburnett/jd/v2](https://github.com/josephburnett/jd) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/josephburnett/jd/releases)
- [Changelog](https://github.com/josephburnett/jd/blob/master/RELEASE_NOTES.md)
- [Commits](josephburnett/jd@v2.4.0...v2.5.0)
---
updated-dependencies:
- dependency-name: github.com/josephburnett/jd/v2
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Auto-generated by license-check workflow
Bumps golang from 1.25.8-alpine to 1.25.9-alpine.
---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.25.9-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Rebase PR github#2282 onto main (post-github#2332) and unify feature flag allowlists into a single source of truth.
- Add MCPAppsFeatureFlag, AllowedFeatureFlags, InsidersFeatureFlags, and ResolveFeatureFlags in feature_flags.go
- AllowedFeatureFlags includes all user-controllable flags (MCP Apps + granular), InsidersFeatureFlags only includes MCPAppsFeatureFlag
- HeaderAllowedFeatureFlags() now delegates to AllowedFeatureFlags
- Builder uses feature checker instead of insidersMode bool
- Remove InsidersOnly field from ServerTool and WithInsidersMode from Builder
- HTTP feature checker uses ResolveFeatureFlags for per-request resolution with insiders expansion
- Tool handlers check MCPAppsFeatureFlag via IsFeatureEnabled instead of InsidersMode
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
)
* Initial plan
* Enforce exactly one value key per field in set_issue_fields and add tests
Address review feedback:
- Change validation to count value keys and reject when multiple are provided (e.g., text_value + number_value, or text_value + delete).
- Add unit tests for multiple value keys and value + delete scenarios.
- Run generate-docs (no doc changes needed; README was already current).
Agent-Logs-Url: https://github.com/github/github-mcp-server/sessions/7e89edb3-5315-42dd-bfa1-6c962f1ba137
Co-authored-by: mattdholloway <918573+mattdholloway@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mattdholloway <918573+mattdholloway@users.noreply.github.com>
Add NormalizeContentType middleware that strips optional parameters (e.g. charset=utf-8) from application/json Content-Type headers before the request reaches the Go SDK's StreamableHTTP handler, which performs strict string matching. Per RFC 8259, the charset parameter is redundant for JSON but must be accepted per HTTP semantics.
Fixes github#2333
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Upgrades github.com/modelcontextprotocol/go-sdk from v1.5.0 to v1.5.1-0.20260403154220-27f29c1cef3b which includes proper media type parsing for Content-Type headers, fixing the strict string matching that rejected application/json; charset=utf-8.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The go-sdk bump (27f29c1) includes the proper fix upstream, making the middleware unnecessary.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
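The strict-match rejection and the normalization approach from the commit messages above, as an added Go sketch rather than the project's or the SDK's code. `strictJSON` stands in for a handler that compares the header as an exact string (an assumed form), and `normalizeContentType` and `statusFor` are hypothetical names.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// strictJSON models an exact string comparison on the Content-Type header.
func strictJSON(r *http.Request) bool {
	return r.Header.Get("Content-Type") == "application/json"
}

// normalizeContentType parses the media type and, for application/json only,
// rewrites the header without its parameters before the next handler runs.
// Unparseable or non-JSON values pass through untouched and are still rejected.
func normalizeContentType(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err == nil && mt == "application/json" {
			r.Header.Set("Content-Type", "application/json")
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one POST with the given Content-Type through the chain
// and returns the status code the strict handler produced.
func statusFor(contentType string, normalize bool) int {
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strictJSON(r) {
			w.WriteHeader(http.StatusUnsupportedMediaType)
		}
	})
	if normalize {
		h = normalizeContentType(h)
	}
	req := httptest.NewRequest(http.MethodPost, "/", nil)
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample header values.
	for _, ct := range []string{"application/json", "application/json; charset=utf-8", "text/plain"} {
		fmt.Printf("%-34s strict=%d normalized=%d\n", ct, statusFor(ct, false), statusFor(ct, true))
	}
}
```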
Auto-generated by license-check workflow
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/github-mcp-server/sessions/49811f97-33b0-476c-8811-419dee2a5318
Co-authored-by: omgitsads <4619+omgitsads@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/github-mcp-server/sessions/49811f97-33b0-476c-8811-419dee2a5318
Co-authored-by: omgitsads <4619+omgitsads@users.noreply.github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 7.0.0 to 7.1.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@d08e5c3...bcafcac)
---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 8 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v8...v9)
---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps golang from `04d017a` to `5caaf1c`.
---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.25.9-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
…FieldValue union (github#2366)
* Fix set_issue_fields mutation: use correct inline fragments for IssueFieldValue union
The mutation response struct used a single inline fragment '... on IssueFieldDateValue' with a 'Name' field that doesn't exist on that type (only IssueFieldSingleSelectValue has 'name'). This caused GraphQL validation to fail with:
Field 'name' doesn't exist on type 'IssueFieldDateValue'
Since GraphQL validates the entire document (including response selection sets) before executing any operation, the mutation never fired at all — no fields were ever set regardless of input.
Fix by adding correct inline fragments for all four union types:
- IssueFieldTextValue (value)
- IssueFieldSingleSelectValue (name)
- IssueFieldDateValue (value)
- IssueFieldNumberValue (value)
* Update test mock to match corrected inline fragments
* Update handler_test.go formatting
* use REST API for permission checks
* update tests
* skip API call for bots and add github-action[bot] to trusted logins
* improve tests
* add nil guard to IsSafeContent
* add comment clarifying maintain mapping
---------
Co-authored-by: Sam Morrow <info@sam-morrow.com>
Summary
Why
Fixes #
What changed
MCP impact
Prompts tested (tool changes only)
Security / limits
Tool renaming
deprecated_tool_aliases.go
Note: if you're renaming tools, you must add the tool aliases. For more information on how to do so, please refer to the official docs.
Lint & tests
./script/lint
./script/test
Docs