Add support for read-only flag on GitHub tool configuration #1135

Merged
pelikhan merged 4 commits into main from copilot/fix-2517d524-784f-46ae-89fe-383e405c754a
Oct 1, 2025

Contributor

Copilot AI commented Oct 1, 2025

Summary

Successfully implemented support for a read-only flag on the GitHub tool configuration in agentic workflows front matter.

Implementation Checklist

  • Understand the current implementation of GitHub tool configuration in pkg/parser/mcp.go
  • Add support for read-only field in GitHub tool configuration
  • Pass GITHUB_READ_ONLY environment variable to Docker command when read-only is true
  • Update all engines (Claude, Codex, Copilot, Custom) to support read-only mode
  • Update documentation to describe the new read-only flag
  • Add tests for the read-only configuration
  • Update JSON schema to allow read-only field
  • Ensure default behavior (no config) allows read-only with all tools
  • Test compilation and validation across all engines
  • Format code and run linters
  • Run comprehensive test suite
  • Create manual test scenarios
  • Verify generated YAML output
  • Inline env variable value in Docker args (per code review feedback)

Changes Made

Code Changes

  1. pkg/parser/mcp.go - Inline GITHUB_READ_ONLY=1 in docker args instead of separate env
  2. pkg/workflow/mcps.go - Added getGitHubReadOnly() helper function
  3. pkg/workflow/claude_engine.go - Inline env value in args
  4. pkg/workflow/codex_engine.go - Inline env value in args
  5. pkg/workflow/copilot_engine.go - Already inlined (no change needed)
  6. pkg/workflow/custom_engine.go - Inline env value in args

Schema Changes

  • pkg/parser/schemas/main_workflow_schema.json - Added read-only field and null type support

Documentation

  • docs/src/content/docs/reference/tools.md - Added GitHub Read-Only Mode section

Tests

  • pkg/parser/mcp_test.go - Updated tests for inlined env value
  • pkg/workflow/github_readonly_test.go - Added helper function tests

Usage

tools:
  github:
    read-only: true

Generated Output

When read-only: true is set:

  • Docker args include: -e GITHUB_READ_ONLY=1 (inlined value)
  • Environment section does NOT include GITHUB_READ_ONLY

Example:

args: [
  "run", "-i", "--rm",
  "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
  "-e", "GITHUB_READ_ONLY=1",
  "ghcr.io/github/github-mcp-server:sha-09deac4"
]
env:
  GITHUB_PERSONAL_ACCESS_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

Test Results

✅ All unit tests passing
✅ All integration tests passing
✅ Verified inlined env variable across all engines (Claude, Codex, Copilot, Custom)

Original prompt

Add support for a "read-only" flag on the github tool configuration in the front matter.

tools:
  github:
    read-only: true

Also when nothing is specified, it is equivalent to read-only, allow all tools.

tools:
  github:


Readonly docs:

Read-Only Mode

To run the server in read-only mode, you can use the --read-only flag. This will only offer read-only tools, preventing any modifications to repositories, issues, pull requests, etc.

./github-mcp-server --read-only

When using Docker, you can pass the read-only mode as an environment variable:

docker run -i --rm \
  -e GITHUB_PERSONAL_ACCESS_TOKEN= \
  -e GITHUB_READ_ONLY=1 \
  ghcr.io/github/github-mcp-server



Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from [Add support for a "read-only" flag on the github tool configuration in the front matter. tools: github: read-only: true Also when nothing is specified, it is equivalent to read-only, allow all tools. tools: github: --- Readonly docs...] to [Add support for read-only flag on GitHub tool configuration] on Oct 1, 2025
Copilot AI requested a review from pelikhan October 1, 2025 19:10
Collaborator

pelikhan commented Oct 1, 2025

@copilot inline the env variable value in the args

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Oct 1, 2025

> @copilot inline the env variable value in the args

Done in 6723b4b. The GITHUB_READ_ONLY environment variable value is now inlined in the Docker args as -e GITHUB_READ_ONLY=1 instead of being set separately in the env section.

Generated Docker command:

args: [
  "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
  "-e", "GITHUB_READ_ONLY=1",
  "ghcr.io/github/github-mcp-server:sha-09deac4"
]
env:
  GITHUB_PERSONAL_ACCESS_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

All engines (Claude, Codex, Copilot, Custom) now use this inlined format.

pelikhan marked this pull request as ready for review October 1, 2025 19:21
pelikhan merged commit c1002c8 into main Oct 1, 2025
12 checks passed
pelikhan deleted the copilot/fix-2517d524-784f-46ae-89fe-383e405c754a branch October 1, 2025 19:57
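
A check a reviewer could run over a generated MCP server entry to confirm that read-only mode actually reaches the container. This is an added example, not code from this pull request or the project: the function names and sample inputs are hypothetical. It assumes the env section becomes the environment of the docker CLI process, that every -e option precedes the image as in the generated args above, and that only the documented value 1 counts as read-only.

```go
package main

import (
	"fmt"
	"strings"
)

// effectiveEnv resolves the variables the container will actually see from a
// "docker run" argument list plus the docker CLI's own environment (assumed to
// be the MCP entry's env section). Only names given via -e/--env are forwarded.
func effectiveEnv(args []string, procEnv map[string]string) map[string]string {
	out := map[string]string{}
	for i := 0; i < len(args); i++ {
		var spec string
		switch {
		case (args[i] == "-e" || args[i] == "--env") && i+1 < len(args):
			i++
			spec = args[i]
		case strings.HasPrefix(args[i], "--env="):
			spec = strings.TrimPrefix(args[i], "--env=")
		default:
			continue
		}
		if name, val, ok := strings.Cut(spec, "="); ok {
			out[name] = val // inlined value, as in -e GITHUB_READ_ONLY=1
		} else if v, set := procEnv[spec]; set {
			out[spec] = v // bare name: copied from the env section
		}
	}
	return out
}

// readOnlyEnforced reports whether the container starts with GITHUB_READ_ONLY=1.
func readOnlyEnforced(args []string, procEnv map[string]string) bool {
	return effectiveEnv(args, procEnv)["GITHUB_READ_ONLY"] == "1"
}

func main() {
	// Constructed inputs modelled on the generated output shown in this PR.
	image := "ghcr.io/github/github-mcp-server:sha-09deac4"
	env := map[string]string{"GITHUB_PERSONAL_ACCESS_TOKEN": "constructed-token"}
	inlined := []string{"run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", "-e", "GITHUB_READ_ONLY=1", image}
	// Failure mode: the flag sits only in the env section and is never forwarded.
	envOnlyArgs := []string{"run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", image}
	envOnly := map[string]string{"GITHUB_PERSONAL_ACCESS_TOKEN": "constructed-token", "GITHUB_READ_ONLY": "1"}
	fmt.Println(readOnlyEnforced(inlined, env), readOnlyEnforced(envOnlyArgs, envOnly))
}
```

The second case is the one worth alerting on: a GITHUB_READ_ONLY entry in the env section with no matching -e argument leaves the server with its write tools enabled.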