build(oauth): bake in default OAuth credentials for official releases (3/4) #2711
Draft
SamMorrowDrums wants to merge 2 commits into
Conversation
Contributor
Pull request overview
This PR (part 3/4 of the OAuth-over-stdio stack) wires build/release plumbing to allow official GitHub MCP Server binaries and container images to ship with a default OAuth client (injected at build time), while keeping local/dev builds credential-free.
Changes:
- Add `internal/buildinfo` ldflags-injected variables (`OAuthClientID`/`OAuthClientSecret`) to support baked-in OAuth credentials for official builds.
- Update `cmd/github-mcp-server` stdio startup to fall back to baked-in OAuth credentials only for the default host (github.com) when not configured explicitly.
- Update Docker + GoReleaser + GitHub Actions release workflows to inject OAuth credentials at build time (including BuildKit secrets for Docker).
| File | Description |
|---|---|
| `internal/buildinfo/buildinfo.go` | Introduces build-time variables for default OAuth credentials. |
| `cmd/github-mcp-server/main.go` | Applies baked-in OAuth credentials as a fallback for github.com when not explicitly configured. |
| `Dockerfile` | Injects OAuth credentials during Docker builds via BuildKit secrets and ldflags. |
| `.goreleaser.yaml` | Adds ldflags to embed OAuth credentials into official release binaries via env-provided values. |
| `.github/workflows/goreleaser.yml` | Exposes OAuth secrets to GoReleaser release jobs. |
| `.github/workflows/docker-publish.yml` | Passes OAuth secrets into Docker builds via build-push-action secrets. |
Copilot's findings
- Files reviewed: 6/6 changed files
- Comments generated: 2
Comment on lines +30 to +34 (Dockerfile)
| --mount=type=secret,id=oauth_client_id \ | ||
| --mount=type=secret,id=oauth_client_secret \ | ||
| export OAUTH_CLIENT_ID="$(cat /run/secrets/oauth_client_id 2>/dev/null || echo '')" && \ | ||
| export OAUTH_CLIENT_SECRET="$(cat /run/secrets/oauth_client_secret 2>/dev/null || echo '')" && \ | ||
| CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=${VERSION} -X main.commit=$(git rev-parse HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID=${OAUTH_CLIENT_ID} -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientSecret=${OAUTH_CLIENT_SECRET}" \ |
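Review bot: the `|| echo ''` fallbacks on the two `cat /run/secrets/...` lines mean a build that was meant to be official but was run without the secret mounts silently produces an image with no default client and no failure signal; since the same Dockerfile also serves local builds that legitimately have no secrets, consider a build arg that marks an official build and fails this step when it is set and either value is empty. Two smaller points on the `go build` line: the `-X ...OAuthClientID=${OAUTH_CLIENT_ID}` expansions are unquoted inside the `-ldflags` string, so a value containing whitespace would split the flag list; and anything embedded via `-X` is a plain string in the binary, which is fine given the PR's stated model (public client, PKCE-based security) but is the reason nothing beyond these two values should ever be routed through this path.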
Comment on lines +47 to +50 (cmd/github-mcp-server/main.go)
| if oauthClientID == "" && viper.GetString("host") == "" { | ||
| oauthClientID = buildinfo.OAuthClientID | ||
| oauthClientSecret = buildinfo.OAuthClientSecret | ||
| } |
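Review bot: the guard `viper.GetString("host") == ""` treats only an unset host as github.com, so a user who sets `GITHUB_HOST=github.com` or `api.github.com` explicitly loses the baked-in fallback and is asked for `--oauth-client-id` even though the baked-in app would be correct for them; normalize the host first and compare against the canonical github.com value (the PR body's later update does this via `oauth.NormalizeHost`). Also, once `oauthClientID` is empty the block overwrites `oauthClientSecret` unconditionally, so an explicitly configured secret without an ID is silently replaced by the baked-in one; either require both to be empty or log which source was chosen so the substitution is visible at startup.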
Inject the public OAuth client credentials (stored as the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET repo secrets) at build time via -ldflags so official binaries and images ship a working default app for zero-config login. Security relies on PKCE, not on the secret. Local/dev builds leave the values empty and continue to require an explicit token or --oauth-client-id. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Match the default host via oauth.NormalizeHost instead of only an empty host string, so an explicit GITHUB_HOST=github.com (or api.github.com) still counts as the default and keeps zero-config baked-in login working. GHES and ghe.com users continue to bring their own --oauth-client-id. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Part 3 of 4 of the OAuth-over-stdio stack. Stacked on #2710 (PR 2/4). Replaces the build/release portion of #1836.
What this does
Lets official binaries and container images ship a working default OAuth app so users can log in via OAuth with zero config, while local/dev builds stay credential-free.
- `internal/buildinfo`: two ldflags-set vars, `OAuthClientID`/`OAuthClientSecret`. Empty in local/dev builds.
- `cmd/github-mcp-server/main.go`: when no `--oauth-client-id` is configured and no custom `--gh-host` is set, fall back to the baked-in client. Inline (no helper), and guarded to github.com only — GHES/ghe.com (Proxima) users must bring their own app, since the baked-in app is registered on github.com and would otherwise point at the wrong auth server.
- `Dockerfile`: credentials injected via `--mount=type=secret` (kept out of image layers) and applied through the same ldflags.
- `.goreleaser.yaml` + `goreleaser.yml` + `docker-publish.yml`: pass the existing `OAUTH_CLIENT_ID`/`OAUTH_CLIENT_SECRET` repo secrets into the release/build jobs.
Security
These are public credentials in the OAuth 2.1 sense — security comes from PKCE, not from the client secret (same model as the GitHub CLI). They are still injected at build time rather than committed, and kept out of Docker layer history via build secrets. The ephemeral user token remains in-memory only (PR 1/2).
Validation
`go build ./...` · `script/lint` (0 issues) · `script/test` (race, full suite) all green. No new dependencies.
Update — pre-merge review fix (commit 7157db4)
The github.com-only guard now matches the host via `oauth.NormalizeHost(...) == "https://github.com"` instead of only an empty host string, so an explicit `GITHUB_HOST=github.com` (or `api.github.com`) still counts as the default and keeps zero-config baked-in login working. GHES/ghe.com users still must bring their own `--oauth-client-id`.