diff --git a/.github/aw/create-agentic-workflow.md b/.github/aw/create-agentic-workflow.md index 0b5e09fd9af..a2144cbebcc 100644 --- a/.github/aw/create-agentic-workflow.md +++ b/.github/aw/create-agentic-workflow.md @@ -267,7 +267,6 @@ These resources contain workflow patterns, best practices, safe outputs, and per ```yaml tools: github: - mode: remote toolsets: [default] ``` - ❌ **WRONG** — Direct API access (will silently fail): @@ -482,7 +481,7 @@ These resources contain workflow patterns, best practices, safe outputs, and per - **Always use `toolsets:` for GitHub tools** - Use `toolsets: [default]` instead of manually listing individual tools. - **Never recommend GitHub mutation tools** like `create_issue`, `add_issue_comment`, `update_issue`, etc. - **Always use `safe-outputs` instead** for any GitHub write operations (creating issues, adding comments, etc.) - - **Mode configuration** - Both `mode: local` (Docker-based, default) and `mode: remote` (hosted) are supported. Remote mode offers faster startup and no Docker requirement. + - **Mode configuration** - Only `mode: local` (Docker-based, default) is supported when running in GitHub Actions. **Do NOT use `mode: remote`** — it does not work with the GitHub Actions token (`GITHUB_TOKEN`) and requires a special PAT or GitHub App token with MCP access. **Guard Policies (`repos` and `min-integrity`)**: diff --git a/.github/aw/github-agentic-workflows.md b/.github/aw/github-agentic-workflows.md index f833cef11ff..820ae378394 100644 --- a/.github/aw/github-agentic-workflows.md +++ b/.github/aw/github-agentic-workflows.md @@ -383,7 +383,7 @@ The YAML frontmatter supports these fields: - **`tools:`** - Tool configuration for coding agent - `github:` - GitHub API tools - `allowed:` - Array of allowed GitHub API functions - - `mode:` - "local" (Docker, default) or "remote" (hosted) + - `mode:` - "local" (Docker, default) — **do NOT use "remote"** as it does not work with the GitHub Actions token - `version:` - MCP server version (local mode only) - `args:` - Additional command-line arguments (local mode only) - `read-only:` - The GitHub MCP server always operates in read-only mode; this field is accepted but has no effect diff --git a/.github/aw/github-mcp-server.md b/.github/aw/github-mcp-server.md index 8bef2c837f0..f488ace59d1 100644 --- a/.github/aw/github-mcp-server.md +++ b/.github/aw/github-mcp-server.md @@ -32,13 +32,14 @@ X-MCP-Readonly: true ```yaml tools: github: - mode: "remote" # or "local" toolsets: [default] # or specific toolsets # Optional: GitHub App authentication app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} ``` +> ⚠️ **Do NOT use `mode: remote`** in GitHub Actions workflows. Remote mode does not work with the GitHub Actions token (`GITHUB_TOKEN`) — it requires a special PAT or GitHub App token with MCP access. The default `mode: local` (Docker-based) works with `GITHUB_TOKEN` and should always be used. + ### Toolset Options - `[default]` — Recommended defaults: `context`, `repos`, `issues`, `pull_requests` diff --git a/.github/aw/runbooks/workflow-health.md b/.github/aw/runbooks/workflow-health.md index 3ebe72915dd..269b1781149 100644 --- a/.github/aw/runbooks/workflow-health.md +++ b/.github/aw/runbooks/workflow-health.md @@ -94,7 +94,6 @@ Check if the workflow has proper MCP server configuration: --- tools: github: - mode: remote # or "local" for Docker-based toolsets: [default] # Enables repos, issues, pull_requests --- ``` @@ -145,7 +144,6 @@ Common permission requirements: --- tools: github: - mode: remote toolsets: [default] --- ``` @@ -183,7 +181,6 @@ permissions: engine: copilot tools: github: - mode: remote toolsets: [default] --- @@ -244,7 +241,6 @@ permissions: engine: copilot tools: github: - mode: remote toolsets: [default] mcp-scripts: issue: @@ -335,7 +331,6 @@ Added GitHub MCP server configuration: ```aw tools: github: - mode: remote toolsets: [default] ``` @@ -391,7 +386,6 @@ permissions: issues: read tools: github: - mode: remote toolsets: [default] --- ``` @@ -411,7 +405,6 @@ mcp-scripts: body: ${{ github.event.issue.body }} tools: github: - mode: remote toolsets: [default] --- ``` @@ -430,7 +423,6 @@ safe-outputs: category: "general" tools: github: - mode: remote toolsets: [default] --- ``` diff --git a/.github/aw/upgrade-agentic-workflows.md b/.github/aw/upgrade-agentic-workflows.md index f10e14cb185..d13dcc18a6d 100644 --- a/.github/aw/upgrade-agentic-workflows.md +++ b/.github/aw/upgrade-agentic-workflows.md @@ -150,10 +150,9 @@ If compilation fails, work through errors systematically: github: mode: remote - # New format + # New format (do NOT include mode: remote - it does not work with GitHub Actions token) tools: github: - mode: remote toolsets: [default] ``` diff --git a/AGENTS.md b/AGENTS.md index 709a87a3109..edfc2d42f4f 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -149,7 +149,6 @@ The Copilot coding agent **cannot directly access api.github.com**. When using t engine: copilot tools: github: - mode: remote # or "local" for Docker-based toolsets: [default] # Enables repos, issues, pull_requests, etc. ``` @@ -164,7 +163,7 @@ network: **Key points:** - The GitHub MCP server provides all necessary GitHub API functionality - Use `toolsets: [default]` for common operations, or specify toolsets like `[repos, issues, pull_requests]` -- Both `mode: remote` (hosted) and `mode: local` (Docker) work with Copilot +- **Never use `mode: remote`** — it does not work with the GitHub Actions token (`GITHUB_TOKEN`) and requires a special PAT or GitHub App token - Never rely on direct `api.github.com` access in Copilot workflows See [GitHub MCP Server Documentation](skills/github-mcp-server/SKILL.md) for complete configuration details.