Skip to content

Add MCP-focused integration coverage and CI example for GitHub MCP server#192

Closed
Copilot wants to merge 5 commits intomainfrom
copilot/add-integration-tests-awf
Closed

Add MCP-focused integration coverage and CI example for GitHub MCP server#192
Copilot wants to merge 5 commits intomainfrom
copilot/add-integration-tests-awf

Conversation

Copy link
Contributor

Copilot AI commented Jan 8, 2026
edited
Loading

The firewall needed integration proof that MCP-style workloads (e.g., GitHub MCP server) keep GitHub traffic allowed while blocking other egress, using the GitHub Actions token for auth.

  • Integration tests
    • Added tests/integration/mcp-github.test.ts to verify allowed GitHub API access with token and blocked non-GitHub domains, including Squid log assertions.
    • Added a check that the actual ghcr.io/github/github-mcp-server:v0.19.0 container can start inside AWF under the allowlist.
  • Examples
    • Added examples/github-mcp-smoke.sh to run a Dockerized GitHub API call through AWF, start the real GitHub MCP server container, and demonstrate blocking of unrelated domains; documented in examples/README.md.
  • CI
    • Extended test-examples workflow to pre-pull the MCP server image and execute the new smoke example with ${{ github.token }}.
    • Added test-mcp-github job to test-integration workflow running the new suite with the Actions token and shared test filename variable, pre-pulling both curl and MCP images.

Example (from new test):

const result = await runner.runWithSudo(
  'docker run --rm -e GITHUB_TOKEN curlimages/curl:latest sh -c \'curl -fsS -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/rate_limit\'',
  { allowDomains: ['api.github.com','github.com','objects.githubusercontent.com','ghcr.io'] }
);
expect(result).toSucceed();
Original prompt

Add a few integration tests, examples, and CIs to test using AWF to restrict outbound network for MCP servers like the GitHub MCP server. The GitHub MCP server could be tested using GitHub Action generated token.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 3 commits January 8, 2026 21:21
@Mossaka
chore: add mcp egress coverage
72ba0d3 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@Mossaka
chore: refine mcp test env handling
b1ee58d 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@Mossaka
chore: reuse test file variable
0ffdf20 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Add integration tests and CI for AWF on MCP servers Add MCP-focused integration coverage and CI example for GitHub MCP server Jan 8, 2026
Copilot AI requested a review from Mossaka January 8, 2026 21:27
Mossaka
Mossaka reviewed Jan 8, 2026
View reviewed changes
Copy link
Collaborator

@Mossaka Mossaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot address the comment

examples/github-mcp-smoke.sh
Comment on lines 23 to 36
echo "=== Calling GitHub API through AWF (allowed) ==="
sudo -E awf \
--allow-domains "${ALLOW_DOMAINS}" \
--log-level warn \
-- 'docker run --rm -e GITHUB_TOKEN curlimages/curl:latest sh -c '"'"'curl -fsS -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/rate_limit'"'"''

echo "=== Attempting blocked domain through AWF (should fail) ==="
if sudo -E awf \
--allow-domains "${ALLOW_DOMAINS}" \
--log-level warn \
-- 'docker run --rm curlimages/curl:latest -fsS https://example.com --max-time 8'; then
echo "Unexpected success: example.com should be blocked" >&2
exit 1
fi
Copy link
Collaborator

@Mossaka Mossaka Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wait you are not actually running the GitHub MCP Server. Please run the server inside the firewall and test it: https://github.com/github/github-mcp-server

Copy link
Contributor Author

Copilot AI Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implemented a new AWF-covered path that actually starts the GitHub MCP server container (ghcr.io/github/github-mcp-server:v0.19.0) in both the integration test and the example smoke script; CI now pre-pulls the image and runs this server-start check. Commit: a475580

@Mossaka
feat: run github mcp server in tests
a475580 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI requested a review from Mossaka January 8, 2026 22:32
@Mossaka Mossaka marked this pull request as ready for review January 9, 2026 19:24
@github-actions
Copy link

github-actions bot commented Jan 9, 2026

Test Coverage Report

Metric Coverage Covered/Total
Lines 77.12% 1281/1661
Statements 77.17% 1312/1700
Functions 77.04% 141/183
Branches 69.29% 431/622
Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

@Mossaka Mossaka closed this Jan 14, 2026
@github-actions github-actions bot mentioned this pull request Jan 15, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mossaka Mossaka Awaiting requested review from Mossaka

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Mossaka