Merge branch 'main' into token-scopes-context

Author: omgitsads

.github/workflows/docker-publish.yml

@@ -93,9 +93,14 @@ jobs:
           key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
 
       - name: Inject go-build-cache
-        uses: reproducible-containers/buildkit-cache-dance@4b2444fec0c0fb9dbf175a96c094720a692ef810 # v2.1.4
+        uses: reproducible-containers/buildkit-cache-dance@6f699a72a59e4252f05a7435430009b77e25fe06 # v3.3.1
         with:
-          cache-source: go-build-cache
+          cache-map: |
+            {
+              "go-build-cache/apk": "/var/cache/apk",
+              "go-build-cache/pkg": "/go/pkg/mod",
+              "go-build-cache/build": "/root/.cache/go-build"
+            }
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action

.github/workflows/lint.yml

@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
-          go-version: stable
+          go-version: '1.25'
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.25.6-alpine AS build
+FROM golang:1.25.7-alpine AS build
 ARG VERSION="dev"
 
 # Set the working directory
@@ -26,6 +26,8 @@ LABEL io.modelcontextprotocol.server.name="io.github.github/github-mcp-server"
 WORKDIR /server
 # Copy the binary from the build stage
 COPY --from=build /bin/github-mcp-server .
+# Expose the default port
+EXPOSE 8082
 # Set the entrypoint to the server binary
 ENTRYPOINT ["/server/github-mcp-server"]
 # Default arguments for ENTRYPOINT

docs/installation-guides/install-copilot-cli.md

@@ -1,10 +1,48 @@
 # Install GitHub MCP Server in Copilot CLI
 
-## Prerequisites
+The GitHub MCP server comes pre-installed in Copilot CLI, with read-only tools enabled by default.
 
-1. Copilot CLI installed (see [official Copilot CLI documentation](https://docs.github.com/en/copilot/concepts/agents/about-copilot-cli))
-2. [GitHub Personal Access Token](https://github.com/settings/personal-access-tokens/new) with appropriate scopes
-3. For local installation: [Docker](https://www.docker.com/) installed and running
+## Built-in Server
+
+To verify the server is available, from an active Copilot CLI session:
+
+```bash
+/mcp show github-mcp-server
+```
+
+### Per-Session Customization
+
+Use CLI flags to customize the server for a session:
+
+```bash
+# Enable an additional toolset
+copilot --add-github-mcp-toolset discussions
+
+# Enable multiple additional toolsets
+copilot --add-github-mcp-toolset discussions --add-github-mcp-toolset stargazers
+
+# Enable all toolsets
+copilot --enable-all-github-mcp-tools
+
+# Enable a specific tool
+copilot --add-github-mcp-tool list_discussions
+
+# Disable the built-in server entirely
+copilot --disable-builtin-mcps
+```
+
+Run `copilot --help` for all available flags. For the list of toolsets, see [Available toolsets](../../README.md#available-toolsets); for the list of tools, see [Tools](../../README.md#tools).
+
+## Custom Configuration
+
+You can configure the GitHub MCP server in Copilot CLI using either the interactive command or by manually editing the configuration file.
+
+> **Server naming:** Name your server `github-mcp-server` to replace the built-in server, or use a different name (e.g., `github`) to run alongside it.
+
+### Prerequisites
+
+1. [GitHub Personal Access Token](https://github.com/settings/personal-access-tokens/new) with appropriate scopes
+2. For local server: [Docker](https://www.docker.com/) installed and running
 
 <details>
 <summary><b>Storing Your PAT Securely</b></summary>
@@ -19,21 +57,17 @@ export GITHUB_PERSONAL_ACCESS_TOKEN=your_token_here
 
 </details>
 
-## GitHub MCP Server Configuration
-
-You can configure the GitHub MCP server in Copilot CLI using either the interactive command or by manually editing the configuration file.
-
 ### Method 1: Interactive Setup (Recommended)
 
-Use the Copilot CLI to interactively add the MCP server:
+From an active Copilot CLI session, run the interactive command:
 
 ```bash
 /mcp add
 ```
 
-Follow the prompts to configure the GitHub MCP server.
+Follow the prompts to configure the server.
 
-### Method 2: Manual Configuration
+### Method 2: Manual Setup
 
 Create or edit the configuration file `~/.copilot/mcp-config.json` and add one of the following configurations:
 
@@ -45,6 +79,7 @@ Connect to the hosted MCP server:
 {
   "mcpServers": {
     "github": {
+      "type": "http",
       "url": "https://api.githubcopilot.com/mcp/",
       "headers": {
         "Authorization": "Bearer ${GITHUB_PERSONAL_ACCESS_TOKEN}"
@@ -54,6 +89,8 @@ Connect to the hosted MCP server:
 }
 ```
 
+For additional options like toolsets and read-only mode, see the [remote server documentation](../remote-server.md#optional-headers).
+
 #### Local Docker
 
 With Docker running, you can run the GitHub MCP server in a container:
@@ -81,9 +118,13 @@ With Docker running, you can run the GitHub MCP server in a container:
 
 #### Binary
 
-You can download the latest binary release from the [GitHub releases page](https://github.com/github/github-mcp-server/releases) or build it from source by running `go build -o github-mcp-server ./cmd/github-mcp-server`.
+You can download the latest binary release from the [GitHub releases page](https://github.com/github/github-mcp-server/releases) or build it from source by running:
 
-Then, replacing `/path/to/binary` with the actual path to your binary, configure Copilot CLI with:
+```bash
+go build -o github-mcp-server ./cmd/github-mcp-server
+```
+
+Then configure (replace `/path/to/binary` with the actual path):
 
 ```json
 {
@@ -101,35 +142,30 @@ Then, replacing `/path/to/binary` with the actual path to your binary, configure
 
 ## Verification
 
-To verify that the GitHub MCP server has been configured:
-
-1. Start or restart Copilot CLI
-2. The GitHub tools should be available for use in your conversations
+1. Restart Copilot CLI
+2. Run `/mcp show` to list configured servers
+3. Try: "List my GitHub repositories"
 
 ## Troubleshooting
 
 ### Local Server Issues
 
 - **Docker errors**: Ensure Docker Desktop is running
-    ```bash
-    docker --version
-    ```
 - **Image pull failures**: Try `docker logout ghcr.io` then retry
-- **Docker not found**: Install Docker Desktop and ensure it's running
 
 ### Authentication Issues
 
 - **Invalid PAT**: Verify your GitHub PAT has correct scopes:
-    - `repo` - Repository operations
-    - `read:packages` - Docker image access (if using Docker)
+  - `repo` - Repository operations
+  - `read:packages` - Docker image access (if using Docker)
 - **Token expired**: Generate a new GitHub PAT
 
 ### Configuration Issues
 
 - **Invalid JSON**: Validate your configuration:
-    ```bash
-    cat ~/.copilot/mcp-config.json | jq .
-    ```
+  ```bash
+  cat ~/.copilot/mcp-config.json | jq .
+  ```
 
 ## References
 

docs/streamable-http.md

@@ -0,0 +1,93 @@
+# Streamable HTTP Server
+
+The Streamable HTTP mode enables the GitHub MCP Server to run as an HTTP service, allowing clients to connect via standard HTTP protocols. This mode is ideal for deployment scenarios where stdio transport isn't suitable, such as reverse proxy setups, containerized environments, or distributed architectures.
+
+## Features
+
+- **Streamable HTTP Transport** — Full HTTP server with streaming support for real-time tool responses
+- **OAuth Metadata Endpoints** — Standard `.well-known/oauth-protected-resource` discovery for OAuth clients
+- **Scope Challenge Support** — Automatic scope validation with proper HTTP 403 responses and `WWW-Authenticate` headers
+- **Scope Filtering** — Restrict available tools based on authenticated credentials and permissions
+- **Custom Base Paths** — Support for reverse proxy deployments with customizable base URLs
+
+## Running the Server
+
+### Basic HTTP Server
+
+Start the server on the default port (8082):
+
+```bash
+github-mcp-server http
+```
+
+The server will be available at `http://localhost:8082`.
+
+### With Scope Challenge
+
+Enable scope validation to enforce GitHub permission checks:
+
+```bash
+github-mcp-server http --scope-challenge
+```
+
+When `--scope-challenge` is enabled, requests with insufficient scopes receive a `403 Forbidden` response with a `WWW-Authenticate` header indicating the required scopes.
+
+### With OAuth Metadata Discovery
+
+For use behind reverse proxies or with custom domains, expose OAuth metadata endpoints:
+
+```bash
+github-mcp-server http --scope-challenge --base-url https://myserver.com --base-path /mcp
+```
+
+The OAuth protected resource metadata's `resource` attribute will be populated with the full URL to the server's protected resource endpoint:
+
+```json
+{
+  "resource_name": "GitHub MCP Server",
+  "resource": "https://myserver.com/mcp",
+  "authorization_servers": [
+    "https://github.com/login/oauth"
+  ],
+  "scopes_supported": [
+    "repo",
+    ...
+  ],
+  ...
+}
+```
+
+This allows OAuth clients to discover authentication requirements and endpoint information automatically.
+
+## Client Configuration
+
+### Using OAuth Authentication
+
+If your IDE or client has GitHub credentials configured (i.e. VS Code), simply reference the HTTP server:
+
+```json
+{
+  "type": "http",
+  "url": "http://localhost:8082"
+}
+```
+
+The server will use the client's existing GitHub authentication.
+
+### Using Bearer Tokens or Custom Headers
+
+To provide PAT credentials, or to customize server behavior preferences, you can include additional headers in the client configuration:
+
+```json
+{
+  "type": "http",
+  "url": "http://localhost:8082",
+  "headers": {
+    "Authorization": "Bearer ghp_yourtokenhere",
+    "X-MCP-Toolsets": "default",
+    "X-MCP-Readonly": "true"
+  }
+}
+```
+
+See [Remote Server](./remote-server.md) documentation for more details on client configuration options.

go.mod

@@ -5,7 +5,7 @@ go 1.24.0
 require (
 	github.com/google/go-github/v79 v79.0.0
 	github.com/google/jsonschema-go v0.4.2
-	github.com/josephburnett/jd v1.9.2
+	github.com/josephburnett/jd/v2 v2.4.0
 	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/muesli/cache2go v0.0.0-20221011235721-518229cd8021
 	github.com/spf13/cobra v1.10.2
@@ -17,20 +17,19 @@ require (
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/go-chi/chi/v5 v5.2.3
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/swag v0.21.1 // indirect
+	github.com/go-chi/chi/v5 v5.2.5
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/modelcontextprotocol/go-sdk v1.2.0
+	github.com/modelcontextprotocol/go-sdk v1.3.0
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/sagikazarmark/locafero v0.11.0 // indirect
 	github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7
 	github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466
@@ -41,14 +40,11 @@ require (
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2
-	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
 	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )