From f4325eaf56cb03737c96a1754ded4d6bd16acb12 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 11 Apr 2026 11:02:01 +0000
Subject: [PATCH 1/2] Initial plan

From 3cb453ed8a43b08ca4be66929ecd3327740903dc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 11 Apr 2026 11:35:29 +0000
Subject: [PATCH 2/2] Add unit tests for OIDC env var forwarding in MCP gateway docker command

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b9ff9365-3646-42ef-883c-68d22f96c546
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/mcp_environment_test.go | 68 ++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/pkg/workflow/mcp_environment_test.go b/pkg/workflow/mcp_environment_test.go
index 73d4c92ed4b..51755ed096a 100644
--- a/pkg/workflow/mcp_environment_test.go
+++ b/pkg/workflow/mcp_environment_test.go
@@ -3,9 +3,11 @@
 package workflow
 import (
+ "strings"
 "testing"
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 )
 func TestHasGitHubOIDCAuthInTools(t *testing.T) {
@@ -107,3 +109,69 @@ func TestHasGitHubOIDCAuthInTools(t *testing.T) {
 })
 }
 }
+
+// TestOIDCEnvVarsInDockerCommand verifies that ACTIONS_ID_TOKEN_REQUEST_URL and
+// ACTIONS_ID_TOKEN_REQUEST_TOKEN are included as -e flags in the MCP Gateway docker
+// command when an HTTP MCP server uses auth.type: "github-oidc".
+func TestOIDCEnvVarsInDockerCommand(t *testing.T) {
+ workflowData := &WorkflowData{
+ Tools: map[string]any{
+ "github": map[string]any{
+ "mode": "local",
+ },
+ "oidc-server": map[string]any{
+ "type": "http",
+ "url": "https://my-server.example.com/mcp",
+ "auth": map[string]any{
+ "type": "github-oidc",
+ "audience": "https://my-server.example.com",
+ },
+ },
+ },
+ }
+
+ compiler := &Compiler{}
+ mockEngine := NewClaudeEngine()
+
+ var yaml strings.Builder
+ require.NoError(t, compiler.generateMCPSetup(&yaml, workflowData.Tools, mockEngine, workflowData),
+ "generateMCPSetup should succeed")
+ output := yaml.String()
+
+ assert.Contains(t, output, "-e ACTIONS_ID_TOKEN_REQUEST_URL",
+ "Docker command should include -e ACTIONS_ID_TOKEN_REQUEST_URL when github-oidc auth is configured")
+ assert.Contains(t, output, "-e ACTIONS_ID_TOKEN_REQUEST_TOKEN",
+ "Docker command should include -e ACTIONS_ID_TOKEN_REQUEST_TOKEN when github-oidc auth is configured")
+}
+
+// TestOIDCEnvVarsNotInDockerCommandWithoutOIDCAuth verifies that OIDC env vars are
+// NOT included in the docker command when no server uses auth.type: "github-oidc".
+func TestOIDCEnvVarsNotInDockerCommandWithoutOIDCAuth(t *testing.T) {
+ workflowData := &WorkflowData{
+ Tools: map[string]any{
+ "github": map[string]any{
+ "mode": "local",
+ },
+ "tavily": map[string]any{
+ "type": "http",
+ "url": "https://mcp.tavily.com/mcp/",
+ "headers": map[string]any{
+ "Authorization": "Bearer ${{ secrets.TAVILY_API_KEY }}",
+ },
+ },
+ },
+ }
+
+ compiler := &Compiler{}
+ mockEngine := NewClaudeEngine()
+
+ var yaml strings.Builder
+ require.NoError(t, compiler.generateMCPSetup(&yaml, workflowData.Tools, mockEngine, workflowData),
+ "generateMCPSetup should succeed")
+ output := yaml.String()
+
+ assert.NotContains(t, output, "-e ACTIONS_ID_TOKEN_REQUEST_URL",
+ "Docker command should NOT include OIDC env vars without github-oidc auth")
+ assert.NotContains(t, output, "-e ACTIONS_ID_TOKEN_REQUEST_TOKEN",
+ "Docker command should NOT include OIDC env vars without github-oidc auth")
+}
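Review bot: The positive assertions in TestOIDCEnvVarsInDockerCommand check only the substring `-e ACTIONS_ID_TOKEN_REQUEST_TOKEN`, which would also match an inlined form such as `-e ACTIONS_ID_TOKEN_REQUEST_TOKEN=...`, so the test does not pin that the request token is passed through from the step environment by name rather than expanded into the rendered command, where it could end up in the job log. If forwarding by name is the intended contract, add `assert.NotContains(t, output, "ACTIONS_ID_TOKEN_REQUEST_TOKEN=", "OIDC request token must be forwarded by name, not inlined in the docker command")` after the two Contains checks. Both tests also repeat the same Compiler/NewClaudeEngine/generateMCPSetup setup and output capture; a small helper that returns the rendered output for a given Tools map, or a table-driven test over the two tool configurations with a wantOIDC flag, would keep the positive and negative cases in one place. Both test functions begin and end inside the hunk.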