Skip to content

Add GH_AW_GITHUB_TOKEN secret check for GitHub remote mode in mcp inspect#1807

Merged
pelikhan merged 5 commits intomainfrom
copilot/check-github-token-secret
Oct 16, 2025
Merged

Add GH_AW_GITHUB_TOKEN secret check for GitHub remote mode in mcp inspect#1807
pelikhan merged 5 commits intomainfrom
copilot/check-github-token-secret

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Oct 16, 2025
edited
Loading

Problem

When using gh aw mcp inspect to inspect workflows that configure the GitHub MCP server in remote mode, the command did not check for the required GH_AW_GITHUB_TOKEN secret. This meant users would only discover the missing secret when attempting to connect to the remote GitHub MCP server, resulting in a generic 401 Unauthorized error without clear guidance.

Solution

Modified the validateServerSecrets function in pkg/cli/mcp_inspect_mcp.go to automatically detect when the GitHub tool is configured in remote mode and add GH_AW_GITHUB_TOKEN to the list of required secrets to check.

The implementation:

  • Detects GitHub remote mode by checking if config.Name == "github" and config.Type == "http"
  • Automatically adds GH_AW_GITHUB_TOKEN to required secrets when GitHub is in remote mode
  • Respects custom tokens - if a custom token is specified via github-token, it checks for that token instead
  • Does not affect GitHub local mode (Docker-based) which uses GITHUB_PERSONAL_ACCESS_TOKEN

Example Usage

# Without the secret, users now see a clear warning
$ gh aw mcp inspect my-workflow.md --check-secrets
⚠️  1 required secret(s) not found:
  ✗ GH_AW_GITHUB_TOKEN

# With the secret set, verbose mode confirms it's found
$ export GH_AW_GITHUB_TOKEN="ghp_..."
$ gh aw mcp inspect my-workflow.md --check-secrets -v
✓ GH_AW_GITHUB_TOKEN (from environment)

Testing

Added comprehensive test cases covering:

  • GitHub remote mode requiring GH_AW_GITHUB_TOKEN
  • GitHub remote mode with custom token
  • GitHub local mode (should not require GH_AW_GITHUB_TOKEN)

All existing tests pass, and the implementation follows existing patterns in the codebase.

Original prompt

Make sure "mcp inspect" checks for the GH_AW_GITHUB_TOKEN secret if tool github is in remote mode.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 3 commits October 16, 2025 15:07
@pelikhan
Add GH_AW_GITHUB_TOKEN secret check for GitHub remote mode in mcp ins…
41dbbb5 
…pect

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Run go fmt
2690009
@pelikhan
Add test case for GitHub local mode to verify no GH_AW_GITHUB_TOKEN r…
6be7086 
…equirement

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add check for GH_AW_GITHUB_TOKEN secret in remote mode Add GH_AW_GITHUB_TOKEN secret check for GitHub remote mode in mcp inspect Oct 16, 2025
Copilot AI requested a review from pelikhan October 16, 2025 15:14
@pelikhan pelikhan marked this pull request as ready for review October 16, 2025 17:20
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Oct 16, 2025

Agentic Changeset Generator triggered by this pull request

@pelikhan pelikhan merged commit 383cfe8 into main Oct 16, 2025
3 checks passed
@pelikhan pelikhan deleted the copilot/check-github-token-secret branch October 16, 2025 17:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pelikhan