Skip to content

Fix Docker registry access blocking in mcp-inspector workflow #3640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 11, 2025
Merged

Fix Docker registry access blocking in mcp-inspector workflow #3640

merged 2 commits into from
Nov 11, 2025

Conversation

Copy link
Contributor

Copilot AI commented Nov 11, 2025
edited
Loading

Task: Audit Workflows Blocking Docker Registry Access

This PR identifies and fixes workflows with firewall enabled that block docker.io and need container registry access.

Completed Checklist

  • Explore repository structure and understand the firewall system
  • Identify ecosystem identifier system and containers ecosystem
  • Find workflows with firewall enabled (13 total)
  • Identify container-based MCP servers (7 servers)
  • Analyze which workflows import container-based MCP servers
  • Document findings in a structured report
  • Prepare detailed comment for issue
  • Fix mcp-inspector.md workflow by adding containers ecosystem
  • Compile and validate the workflow

Changes Made

Updated .github/workflows/mcp-inspector.md to add the containers ecosystem identifier:

network:
  firewall: true
  allowed:
    - defaults
    - containers

This enables the workflow to access:

  • Docker Hub (docker.io, registry.hub.docker.com)
  • GitHub Container Registry (ghcr.io)
  • Microsoft Container Registry (mcr.microsoft.com)
  • Quay (quay.io)

Executive Summary

Fixed 1 workflow that was blocking docker.io:

  • mcp-inspector.md - Imports 6 container-based MCP servers but was missing containers in network config

12 workflows correctly configured - Have firewall enabled but don't use containers

Key Findings

Container-based MCP servers (7):

  • arxiv.md → mcp/arxiv-mcp-server
  • ast-grep.md → mcp/ast-grep
  • azure.md → mcr.microsoft.com/azure-sdk/azure-mcp (commented out)
  • brave.md → docker.io/mcp/brave-search
  • context7.md → mcp/context7
  • notion.md → mcp/notion
  • server-memory.md → mcp/memory

The mcp-inspector.md workflow:

Impact

This fix resolves the 7 docker.io blocking events reported in Discussion #3607. The mcp-inspector workflow will now successfully pull Docker images and initialize all its container-based MCP servers.

Resolves #3609
Related to #3607

Original prompt

This section details on the original issue you should resolve

<issue_title>[task] Audit workflows blocking Docker registry access</issue_title>
<issue_description>## Objective
Identify all workflows with firewall enabled that are blocking docker.io and need container registry access.

Context

The Daily Firewall Report (Discussion #3607) shows that docker.io is being blocked 7 times across firewall-enabled workflows. This domain is essential for pulling Docker images and should be allowlisted for workflows that need container operations.

Related to #3607

Approach

  1. Review all workflows with network.firewall: true in their frontmatter
  2. Check firewall logs to identify which workflows are blocking docker.io
  3. Determine which workflows legitimately need Docker registry access (e.g., workflows that use containerized tools, MCP servers running in Docker, or reference container operations)
  4. Create a list of workflow files that need the containers ecosystem identifier added

Files to Review

  • .github/workflows/mcp-inspector.md (identified in report as blocking docker.io)
  • .github/workflows/firewall.md
  • .github/workflows/dev.firewall.md
  • All other workflows with firewall: true

Acceptance Criteria

  • List of workflows that block docker.io identified
  • Each workflow assessed for legitimate Docker registry needs
  • Documentation of which workflows need containers ecosystem identifier
  • Results documented (comment on this issue or create a discussion)

Expected Output

A comment or discussion with:

## Workflows Needing Container Registry Access

1. `workflow-name.md` - Reason: [uses Docker/containerized MCP servers]
2. `another-workflow.md` - Reason: [description]

## Workflows That Don't Need Docker Access

1. `workflow-name.md` - Reason: [no container usage]

Related to #3607

AI generated by Plan Command for discussion #3607</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI requested a review from pelikhan November 11, 2025 17:36
@pelikhan
Copy link
Contributor

pelikhan commented Nov 11, 2025

@copilot continue

@pelikhan
Add containers ecosystem to mcp-inspector workflow
7a16080 
Fixes docker.io blocking by adding the containers ecosystem identifier
to the network configuration. This allows the workflow to pull Docker
images for its 6 container-based MCP servers (arxiv, ast-grep, brave,
context7, notion, server-memory).

Resolves #3609
Related to #3607

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Nov 11, 2025

@copilot continue

Fixed in commit 7a16080. Updated mcp-inspector.md to add the containers ecosystem identifier, which resolves the docker.io blocking issue.

The workflow now allows access to Docker Hub, GitHub Container Registry, Microsoft Container Registry, and Quay, enabling all 6 container-based MCP servers (arxiv, ast-grep, brave, context7, notion, server-memory) to function properly.

Copilot AI changed the title [WIP] Identify workflows blocking Docker registry access Fix Docker registry access blocking in mcp-inspector workflow Nov 11, 2025
Copilot finished work on behalf of pelikhan November 11, 2025 18:12
@pelikhan pelikhan marked this pull request as ready for review November 11, 2025 18:28
Copilot AI review requested due to automatic review settings November 11, 2025 18:28
@pelikhan pelikhan merged commit 4595e47 into main Nov 11, 2025
74 checks passed
@pelikhan pelikhan deleted the copilot/audit-workflows-docker-access branch November 11, 2025 18:29
Copilot finished reviewing on behalf of pelikhan November 11, 2025 18:30
Copilot AI reviewed Nov 11, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes Docker registry access blocking in the mcp-inspector.md workflow by adding the containers ecosystem identifier to the network configuration. The workflow uses firewall protection and imports 6 container-based MCP servers (arxiv, ast-grep, brave, context7, notion, server-memory) that require pulling Docker images, but was missing the network permission to access Docker registries.

Key changes:

  • Added allowed: [defaults, containers] to the network configuration in mcp-inspector.md
  • The compiled lock.yml correctly expands the containers ecosystem to all necessary Docker registry domains

Impact:
Resolves the 7 docker.io blocking events reported in Discussion #3607 by allowing the workflow to pull Docker images from container registries including Docker Hub, GitHub Container Registry, Quay, and Microsoft Container Registry.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/mcp-inspector.md Added network.allowed configuration with defaults and containers ecosystems to enable Docker registry access
.github/workflows/mcp-inspector.lock.yml Compiled workflow with expanded domain list including all container registry domains (*.docker.io, registry.hub.docker.com, ghcr.io, quay.io, gcr.io, mcr.microsoft.com, etc.)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[task] Audit workflows blocking Docker registry access

2 participants

@pelikhan