Problem
When a workflow uses an HTTP MCP server with auth: { type: github-oidc }, the MCP gateway (running inside the AWF agent container) needs ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN to be present in its environment to mint GitHub OIDC tokens. Because AWF's Docker environment injection in src/docker-manager.ts does not explicitly forward these two GitHub Actions OIDC variables, they are absent inside the container even though they are set on the Actions runner host.
The gateway then fails at startup with:
[ERROR] Server "my-server" requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set.
OIDC auth is only available when running in GitHub Actions with `permissions: { id-token: write }`
Context
Upstream issue: github/gh-aw#25224
The gh-aw compiler (mcp_setup_generator.go) is being fixed to include these vars in the docker run command it generates for the MCP gateway. However, the AWF firewall also controls which host environment variables reach the agent container, so both layers must be addressed.
Root Cause
In src/docker-manager.ts, the generateDockerCompose() function builds the explicit environment map for the agent container. The GitHub Actions OIDC variables (ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN) are not included in the base/framework env vars, nor are they picked up by --env-all unless that flag is explicitly passed.
Relevant code paths:
src/docker-manager.ts — generateDockerCompose() / buildAgentEnv(): controls which host env vars are injectedsrc/types.ts — WrapperConfig interface: defines known env var keyssrc/cli.ts — argument parsing: --env-all flag allows all host vars through, but that's opt-in and broad
When --env-all is not used, only an explicit allowlist of env vars is forwarded. Since ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are not on that list, OIDC-based MCP authentication fails silently.
Proposed Solution
Add ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN to the set of GitHub Actions environment variables that AWF automatically forwards into the agent container when they are present on the host.
Concretely, in src/docker-manager.ts within the section that builds the agent's env map (alongside other GITHUB_* vars that are already forwarded), add:
// GitHub Actions OIDC — required for MCP servers with auth.type: 'github-oidc'
if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
env['ACTIONS_ID_TOKEN_REQUEST_URL'] = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
}
if (process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
}This is safe: the vars are only forwarded when present (i.e., when running inside GitHub Actions), and they are scoped to the current job's OIDC context. No changes to the domain allowlist or iptables rules are required — OIDC token requests go to token.actions.githubusercontent.com which should already be in the domain allowlist for workflows that use OIDC.
If domain-allowlist enforcement is also needed, document that callers must include token.actions.githubusercontent.com in --allow-domains when using OIDC-authenticated MCP servers.
Generated by Firewall Issue Dispatcher · ● 705.4K · ◷
Problem
When a workflow uses an HTTP MCP server with
auth: { type: github-oidc }, the MCP gateway (running inside the AWF agent container) needsACTIONS_ID_TOKEN_REQUEST_URLandACTIONS_ID_TOKEN_REQUEST_TOKENto be present in its environment to mint GitHub OIDC tokens. Because AWF's Docker environment injection insrc/docker-manager.tsdoes not explicitly forward these two GitHub Actions OIDC variables, they are absent inside the container even though they are set on the Actions runner host.The gateway then fails at startup with:
Context
Upstream issue: github/gh-aw#25224
The gh-aw compiler (
mcp_setup_generator.go) is being fixed to include these vars in thedocker runcommand it generates for the MCP gateway. However, the AWF firewall also controls which host environment variables reach the agent container, so both layers must be addressed.Root Cause
In
src/docker-manager.ts, thegenerateDockerCompose()function builds the explicit environment map for the agent container. The GitHub Actions OIDC variables (ACTIONS_ID_TOKEN_REQUEST_URL,ACTIONS_ID_TOKEN_REQUEST_TOKEN) are not included in the base/framework env vars, nor are they picked up by--env-allunless that flag is explicitly passed.Relevant code paths:
src/docker-manager.ts—generateDockerCompose()/buildAgentEnv(): controls which host env vars are injectedsrc/types.ts—WrapperConfiginterface: defines known env var keyssrc/cli.ts— argument parsing:--env-allflag allows all host vars through, but that's opt-in and broadWhen
--env-allis not used, only an explicit allowlist of env vars is forwarded. SinceACTIONS_ID_TOKEN_REQUEST_URLandACTIONS_ID_TOKEN_REQUEST_TOKENare not on that list, OIDC-based MCP authentication fails silently.Proposed Solution
Add
ACTIONS_ID_TOKEN_REQUEST_URLandACTIONS_ID_TOKEN_REQUEST_TOKENto the set of GitHub Actions environment variables that AWF automatically forwards into the agent container when they are present on the host.Concretely, in
src/docker-manager.tswithin the section that builds the agent's env map (alongside otherGITHUB_*vars that are already forwarded), add:This is safe: the vars are only forwarded when present (i.e., when running inside GitHub Actions), and they are scoped to the current job's OIDC context. No changes to the domain allowlist or iptables rules are required — OIDC token requests go to
token.actions.githubusercontent.comwhich should already be in the domain allowlist for workflows that use OIDC.If domain-allowlist enforcement is also needed, document that callers must include
token.actions.githubusercontent.comin--allow-domainswhen using OIDC-authenticated MCP servers.