github · lpcox · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026
diff --git a/actions/setup/js/mount_mcp_as_cli.cjs b/actions/setup/js/mount_mcp_as_cli.cjs
@@ -66,9 +66,9 @@ function shellEscapeDoubleQuoted(str) {
 /**
  * Rewrite a raw gateway manifest URL to use the container-accessible domain.
  *
- * The manifest stores raw gateway-output URLs (e.g., http://0.0.0.0:80/mcp/server)
+ * The manifest stores raw gateway-output URLs (e.g., http://0.0.0.0:8080/mcp/server)
  * that work from the host. Inside the AWF sandbox the gateway is reachable via
- * MCP_GATEWAY_DOMAIN:MCP_GATEWAY_PORT (typically host.docker.internal:80).
+ * MCP_GATEWAY_DOMAIN:MCP_GATEWAY_PORT (typically host.docker.internal:8080).
  *
  * @param {string} rawUrl - URL from the manifest (host-accessible)
  * @returns {string} URL suitable for use inside AWF containers
@@ -338,7 +338,7 @@ async function main() {
       skippedServers.push(name);
       continue;
     }
-    // The manifest URL is the host-accessible raw gateway address (e.g., http://0.0.0.0:80/mcp/server).
+    // The manifest URL is the host-accessible raw gateway address (e.g., http://0.0.0.0:8080/mcp/server).
     // Rewrite it to the container-accessible URL for the generated CLI wrapper scripts,
     // which run inside the AWF sandbox where the gateway is reached via MCP_GATEWAY_DOMAIN.
     const containerUrl = toContainerUrl(url);

diff --git a/pkg/constants/README.md b/pkg/constants/README.md
@@ -395,7 +395,7 @@ constants.DefaultAllowedDomains   // []string{"localhost","localhost:*","127.0.0
 ## Network Port Constants
 
 ```go
-constants.DefaultMCPGatewayPort     // 80    — MCP gateway HTTP service
+constants.DefaultMCPGatewayPort     // 8080  — MCP gateway HTTP service
 constants.DefaultMCPServerPort      // 3000  — mcp-scripts MCP server
 constants.DefaultMCPInspectorPort   // 3001  — safe-outputs MCP inspector
 constants.MinNetworkPort            // 1

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
@@ -75,7 +75,7 @@ const ExpressionBreakThreshold LineLength = 100
 
 const (
 	// DefaultMCPGatewayPort is the default port for the MCP gateway HTTP service
-	DefaultMCPGatewayPort = 80
+	DefaultMCPGatewayPort = 8080
 
 	// DefaultMCPServerPort is the default port for MCP servers (mcp-scripts server)
 	DefaultMCPServerPort = 3000

diff --git a/pkg/constants/spec_test.go b/pkg/constants/spec_test.go
@@ -210,8 +210,8 @@ func TestSpec_NetworkPorts_Values(t *testing.T) {
 		actual   int
 		expected int
 	}{
-		// From spec: DefaultMCPGatewayPort // 80
-		{name: "DefaultMCPGatewayPort", actual: constants.DefaultMCPGatewayPort, expected: 80},
+		// From spec: DefaultMCPGatewayPort // 8080
+		{name: "DefaultMCPGatewayPort", actual: constants.DefaultMCPGatewayPort, expected: 8080},
 		// From spec: DefaultMCPServerPort // 3000
 		{name: "DefaultMCPServerPort", actual: constants.DefaultMCPServerPort, expected: 3000},
 		// From spec: DefaultMCPInspectorPort // 3001

diff --git a/pkg/workflow/mcp_gateway_config.go b/pkg/workflow/mcp_gateway_config.go
@@ -14,7 +14,7 @@
 //
 // The gateway configuration includes:
 //   - Container image and version (defaults to github/gh-aw-mcpg)
-//   - Network port (default: 80)
+//   - Network port (default: 8080)
 //   - Domain for gateway access (localhost or host.docker.internal)
 //   - API key for authentication
 //   - Volume mounts for workspace and temporary directories
@@ -38,7 +38,7 @@
 //	  mcp:
 //	    container: github/gh-aw-mcpg
 //	    version: v0.0.12
-//	    port: 80
+//	    port: 8080
 //	    domain: host.docker.internal
 //	    mounts:
 //	      - /opt:/opt:ro

diff --git a/pkg/workflow/mcp_gateway_constants.go b/pkg/workflow/mcp_gateway_constants.go
@@ -5,7 +5,7 @@
 // This file provides access to MCP gateway configuration constants.
 //
 // Gateway default values:
-//   - Port: 80 (HTTP standard port) - defined in pkg/constants
+//   - Port: 8080 (non-privileged HTTP port) - defined in pkg/constants
 //
 // The MCP gateway port is used when:
 //   - No custom port is specified in sandbox.mcp.port
@@ -22,7 +22,7 @@
 //   - constants/constants.go: Defines all MCP-related constants (versions, containers, ports)
 //
 // Related constants in pkg/constants:
-//   - DefaultMCPGatewayPort: Gateway port (80)
+//   - DefaultMCPGatewayPort: Gateway port (8080)
 //   - DefaultMCPGatewayVersion: Gateway container version
 //   - DefaultMCPGatewayContainer: Gateway container image
 //   - DefaultGitHubMCPServerVersion: GitHub MCP server version

diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go
@@ -54,7 +54,7 @@
 //   - Start safe-outputs HTTP server on port 3001
 //   - Write mcp-scripts config to ${RUNNER_TEMP}/gh-aw/mcp-scripts/
 //   - Start mcp-scripts HTTP server on port 3000
-//   - Start MCP Gateway on port 80
+//   - Start MCP Gateway (default port 8080)
 //   - Render MCP config based on engine (copilot/claude/codex/custom)
 package workflow
 
@@ -696,6 +696,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
 
 	var containerCmd strings.Builder
 	containerCmd.WriteString("docker run -i --rm --network host")
+	containerCmd.WriteString(" --add-host host.docker.internal:127.0.0.1")
 	// Use runner UID/GID so gateway-created /tmp logs remain readable by downstream
 	// redaction/upload steps; keep a supplementary docker.sock group for daemon access.
 	containerCmd.WriteString(" --user ${MCP_GATEWAY_UID}:${MCP_GATEWAY_GID}")

diff --git a/pkg/workflow/mcp_setup_generator_test.go b/pkg/workflow/mcp_setup_generator_test.go
@@ -510,14 +510,20 @@ tools:
 
 	userSnippet := `--user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"'`
 	groupAddSnippet := `--group-add '"${DOCKER_SOCK_GID}"'`
+	addHostSnippet := `--add-host host.docker.internal:127.0.0.1`
 	mountSnippet := `-v /var/run/docker.sock:/var/run/docker.sock`
+	defaultGatewayPortSnippet := `export MCP_GATEWAY_PORT="8080"`
 	uidComputeSnippet := `MCP_GATEWAY_UID=$(id -u 2>/dev/null || echo '0')`
 	runnerGIDComputeSnippet := `MCP_GATEWAY_GID=$(id -g 2>/dev/null || echo '0')`
 	socketGIDComputeSnippet := `DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo '0')`
+	require.Contains(t, yamlStr, defaultGatewayPortSnippet,
+		"Default MCP gateway port should be exported as 8080")
 	require.Contains(t, yamlStr, uidComputeSnippet,
 		"Shell should compute MCP_GATEWAY_UID before docker command")
 	require.Contains(t, yamlStr, runnerGIDComputeSnippet,
 		"Shell should compute MCP_GATEWAY_GID before docker command")
+	require.Contains(t, yamlStr, addHostSnippet,
+		"Docker command should map host.docker.internal to host-gateway")
 	require.Contains(t, yamlStr, userSnippet,
 		"Docker command should include runner UID/GID user mapping")
 	require.Contains(t, yamlStr, socketGIDComputeSnippet,

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
@@ -333,7 +333,7 @@ jobs:
           mkdir -p "${RUNNER_TEMP}/gh-aw/mcp-config"
 
           # Export gateway environment variables for MCP config and gateway script
-          export MCP_GATEWAY_PORT="80"
+          export MCP_GATEWAY_PORT="8080"
           export MCP_GATEWAY_DOMAIN="host.docker.internal"
           MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
           echo "::add-mask::${MCP_GATEWAY_API_KEY}"
@@ -347,7 +347,7 @@ jobs:
           MCP_GATEWAY_UID=$(id -u 2>/dev/null || echo '0')
           MCP_GATEWAY_GID=$(id -g 2>/dev/null || echo '0')
           DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo '0')
-          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.24'
+          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.24'
 
           mkdir -p /home/runner/.copilot
           GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
@@ -334,7 +334,7 @@ jobs:
           mkdir -p "${RUNNER_TEMP}/gh-aw/mcp-config"
 
           # Export gateway environment variables for MCP config and gateway script
-          export MCP_GATEWAY_PORT="80"
+          export MCP_GATEWAY_PORT="8080"
           export MCP_GATEWAY_DOMAIN="host.docker.internal"
           MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
           echo "::add-mask::${MCP_GATEWAY_API_KEY}"
@@ -348,7 +348,7 @@ jobs:
           MCP_GATEWAY_UID=$(id -u 2>/dev/null || echo '0')
           MCP_GATEWAY_GID=$(id -g 2>/dev/null || echo '0')
           DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo '0')
-          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.24'
+          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.2.24'
 
           mkdir -p /home/runner/.copilot
           GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)