Merge branch 'main' into chore/improve-mcp-server-json

Author: JoannaaKL

.github/workflows/code-scanning.yml

@@ -38,7 +38,7 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -52,13 +52,13 @@ jobs:
             threat-models: [  ]
       - name: Setup proxy for registries
         id: proxy
-        uses: github/codeql-action/start-proxy@v3
+        uses: github/codeql-action/start-proxy@v4
         with:
           registries_credentials: ${{ secrets.GITHUB_REGISTRIES_PROXY }}
           language: ${{ matrix.language }}
 
       - name: Configure
-        uses: github/codeql-action/resolve-environment@v3
+        uses: github/codeql-action/resolve-environment@v4
         id: resolve-environment
         with:
           language: ${{ matrix.language }}
@@ -70,10 +70,10 @@ jobs:
           cache: false
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         env:
           CODEQL_PROXY_HOST: ${{ steps.proxy.outputs.proxy_host }}
           CODEQL_PROXY_PORT: ${{ steps.proxy.outputs.proxy_port }}

.github/workflows/docker-publish.yml

@@ -46,7 +46,7 @@ jobs:
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 #v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad #v4.0.0
         with:
           cosign-release: "v2.2.4"
 

.github/workflows/moderator.yml

@@ -0,0 +1,28 @@
+name: AI Moderator
+on:
+  issues:
+    types: [opened]
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+
+jobs:
+  spam-detection:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      models: read
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/ai-moderator@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          spam-label: 'spam'
+          ai-label: 'ai-generated'
+          minimize-detected-comments: true
+          enable-spam-detection: true
+          enable-link-spam-detection: true
+          enable-ai-detection: true

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.25.1-alpine AS build
+FROM golang:1.25.3-alpine AS build
 ARG VERSION="dev"
 
 # Set the working directory

README.md

@@ -45,8 +45,9 @@ var (
 				return fmt.Errorf("failed to unmarshal toolsets: %w", err)
 			}
 
+			// No passed toolsets configuration means we enable the default toolset
 			if len(enabledToolsets) == 0 {
-				enabledToolsets = github.GetDefaultToolsetIDs()
+				enabledToolsets = []string{github.ToolsetMetadataDefault.ID}
 			}
 
 			stdioServerConfig := ghmcp.StdioServerConfig{
@@ -99,6 +100,7 @@ func init() {
 func initConfig() {
 	// Initialize Viper configuration
 	viper.SetEnvPrefix("github")
+	viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))
 	viper.AutomaticEnv()
 
 }

cmd/github-mcp-server/main.go

@@ -14,7 +14,7 @@ For security, avoid hardcoding your token. Create or update `~/.gemini/.env` (wh
 
 ```bash
 # ~/.gemini/.env
-GITHUB_PAT=your_token_here
+GITHUB_MCP_PAT=your_token_here
 ```
 
 </details>
@@ -30,26 +30,34 @@ After securely storing your PAT, you can add the GitHub MCP server configuration
 
 > **Note:** For the most up-to-date configuration options, see the [main README.md](../../README.md).
 
-### Method 1: Remote Server (Recommended)
+### Method 1: Gemini Extension (Recommended)
 
-The simplest way is to use GitHub's hosted MCP server:
+The simplest way is to use GitHub's hosted MCP server via our gemini extension.
+
+`gemini extensions install https://github.com/github/github-mcp-server`
+
+> [!NOTE]
+> You will still need to have a personal access token with the appropriate scopes called `GITHUB_MCP_PAT` in your environment.
+
+### Method 2: Remote Server
+
+You can also connect to the hosted MCP server directly. After securely storing your PAT, configure Gemini CLI with:
 
 ```json
 // ~/.gemini/settings.json
 {
     "mcpServers": {
         "github": {
             "httpUrl": "https://api.githubcopilot.com/mcp/",
-            "trust": true,
             "headers": {
-                "Authorization": "Bearer $GITHUB_PAT"
+                "Authorization": "Bearer $GITHUB_MCP_PAT"
             }
         }
     }
 }
 ```
 
-### Method 2: Local Docker
+### Method 3: Local Docker
 
 With docker running, you can run the GitHub MCP server in a container:
 
@@ -68,14 +76,14 @@ With docker running, you can run the GitHub MCP server in a container:
                 "ghcr.io/github/github-mcp-server"
             ],
             "env": {
-                "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_PAT"
+                "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_PAT"
             }
         }
     }
 }
 ```
 
-### Method 3: Binary
+### Method 4: Binary
 
 You can download the latest binary release from the [GitHub releases page](https://github.com/github/github-mcp-server/releases) or build it from source by running `go build -o github-mcp-server ./cmd/github-mcp-server`.
 
@@ -89,7 +97,7 @@ Then, replacing `/path/to/binary` with the actual path to your binary, configure
             "command": "/path/to/binary",
             "args": ["stdio"],
             "env": {
-                "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_PAT"
+                "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_PAT"
             }
         }
     }
@@ -122,6 +130,10 @@ To verify that the GitHub MCP server has been configured, start Gemini CLI in yo
     List my GitHub repositories
     ```
 
+## Additional Configuration
+
+You can find more MCP configuration options for Gemini CLI here: [MCP Configuration Structure](https://google-gemini.github.io/gemini-cli/docs/tools/mcp-server.html#configuration-structure). For example, bypassing tool confirmations or excluding specific tools.
+
 ## Troubleshooting
 
 ### Local Server Issues

docs/installation-guides/install-gemini-cli.md

@@ -46,7 +46,9 @@ These toolsets are only available in the remote GitHub MCP Server and are not in
 
 | Name                 | Description                                   | API URL                                     | 1-Click Install (VS Code)                                                                                                                                                                          | Read-only Link                                                    | 1-Click Read-only Install (VS Code)                                                                                                                                                                                     |
 | -------------------- | --------------------------------------------- | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Copilot coding agent | Perform task with GitHub Copilot coding agent | https://api.githubcopilot.com/mcp/x/copilot | [Install](https://insiders.vscode.dev/redirect/mcp/install?name=gh-copilot&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fcopilot%22%7D) | [read-only](https://api.githubcopilot.com/mcp/x/copilot/readonly) | [Install read-only](https://insiders.vscode.dev/redirect/mcp/install?name=gh-copilot&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fcopilot%2Freadonly%22%7D) |
+| Copilot  | Copilot related tools | https://api.githubcopilot.com/mcp/x/copilot | [Install](https://insiders.vscode.dev/redirect/mcp/install?name=gh-copilot&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fcopilot%22%7D)             | [read-only](https://api.githubcopilot.com/mcp/x/copilot/readonly)                                        | [Install read-only](https://insiders.vscode.dev/redirect/mcp/install?name=gh-copilot&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fcopilot%2Freadonly%22%7D)                                                              |
+| Copilot Spaces  | Copilot Spaces tools | https://api.githubcopilot.com/mcp/x/copilot_spaces    | [Install](https://insiders.vscode.dev/redirect/mcp/install?name=gh-copilot_spaces&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fcopilot_spaces%22%7D)             | [read-only](https://api.githubcopilot.com/mcp/x/copilot_spaces/readonly)                                        | [Install read-only](https://insiders.vscode.dev/redirect/mcp/install?name=gh-copilot_spaces&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fcopilot_spaces%2Freadonly%22%7D)                                                              |
+| GitHub support docs search | Retrieve documentation to answer GitHub product and support questions. Topics include: GitHub Actions Workflows, Authentication, ... | https://api.githubcopilot.com/mcp/x/github_support_docs_search | [Install](https://insiders.vscode.dev/redirect/mcp/install?name=gh-support&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fgithub_support_docs_search%22%7D) | [read-only](https://api.githubcopilot.com/mcp/x/github_support_docs_search/readonly) | [Install read-only](https://insiders.vscode.dev/redirect/mcp/install?name=gh-support&config=%7B%22type%22%3A%20%22http%22%2C%22url%22%3A%20%22https%3A%2F%2Fapi.githubcopilot.com%2Fmcp%2Fx%2Fgithub_support_docs_search%2Freadonly%22%7D) |
 
 ### Optional Headers
 
@@ -74,13 +76,16 @@ Example:
 
 ### URL Path Parameters
 
-The Remote GitHub MCP server also supports the URL path parameters:
+The Remote GitHub MCP server supports the following URL path patterns:
 
-- `/x/{toolset}`
-- `/x/{toolset}/readonly`
-- `/readonly`
+- `/` - Default toolset (see ["default" toolset](../README.md#default-toolset))
+- `/readonly` - Default toolset in read-only mode
+- `/x/all` - All available toolsets
+- `/x/all/readonly` - All available toolsets in read-only mode
+- `/x/{toolset}` - Single specific toolset
+- `/x/{toolset}/readonly` - Single specific toolset in read-only mode
 
-Note: `{toolset}` can only been a single toolset, not a comma-separated list. To combine multiple toolsets, use the `X-MCP-Toolsets` header instead.
+Note: `{toolset}` can only be a single toolset, not a comma-separated list. To combine multiple toolsets, use the `X-MCP-Toolsets` header instead.
 
 Example:
 

docs/remote-server.md

@@ -0,0 +1,13 @@
+{
+	"name": "github",
+	"version": "1.0.0",
+	"mcpServers": {
+		"github": {
+			"description": "Connect AI assistants to GitHub - manage repos, issues, PRs, and workflows through natural language.",
+			"httpUrl": "https://api.githubcopilot.com/mcp/",
+			"headers": {
+				"Authorization": "Bearer $GITHUB_MCP_PAT"
+			}
+		}
+	}
+}

gemini-extension.json

@@ -12,6 +12,7 @@ import (
 	"os/signal"
 	"strings"
 	"syscall"
+	"time"
 
 	"github.com/github/github-mcp-server/pkg/errors"
 	"github.com/github/github-mcp-server/pkg/github"
@@ -106,14 +107,26 @@ func NewMCPServer(cfg MCPServerConfig) (*server.MCPServer, error) {
 	}
 
 	enabledToolsets := cfg.EnabledToolsets
+
+	// If dynamic toolsets are enabled, remove "all" from the enabled toolsets
 	if cfg.DynamicToolsets {
-		// filter "all" from the enabled toolsets
-		enabledToolsets = make([]string, 0, len(cfg.EnabledToolsets))
-		for _, toolset := range cfg.EnabledToolsets {
-			if toolset != "all" {
-				enabledToolsets = append(enabledToolsets, toolset)
-			}
-		}
+		enabledToolsets = github.RemoveToolset(enabledToolsets, github.ToolsetMetadataAll.ID)
+	}
+
+	// Clean up the passed toolsets
+	enabledToolsets, invalidToolsets := github.CleanToolsets(enabledToolsets)
+
+	// If "all" is present, override all other toolsets
+	if github.ContainsToolset(enabledToolsets, github.ToolsetMetadataAll.ID) {
+		enabledToolsets = []string{github.ToolsetMetadataAll.ID}
+	}
+	// If "default" is present, expand to real toolset IDs
+	if github.ContainsToolset(enabledToolsets, github.ToolsetMetadataDefault.ID) {
+		enabledToolsets = github.AddDefaultToolset(enabledToolsets)
+	}
+
+	if len(invalidToolsets) > 0 {
+		fmt.Fprintf(os.Stderr, "Invalid toolsets ignored: %s\n", strings.Join(invalidToolsets, ", "))
 	}
 
 	// Generate instructions based on enabled toolsets
@@ -363,11 +376,30 @@ func newGHESHost(hostname string) (apiHost, error) {
 		return apiHost{}, fmt.Errorf("failed to parse GHES GraphQL URL: %w", err)
 	}
 
-	uploadURL, err := url.Parse(fmt.Sprintf("%s://%s/api/uploads/", u.Scheme, u.Hostname()))
+	// Check if subdomain isolation is enabled
+	// See https://docs.github.com/en/enterprise-server@3.17/admin/configuring-settings/hardening-security-for-your-enterprise/enabling-subdomain-isolation#about-subdomain-isolation
+	hasSubdomainIsolation := checkSubdomainIsolation(u.Scheme, u.Hostname())
+
+	var uploadURL *url.URL
+	if hasSubdomainIsolation {
+		// With subdomain isolation: https://uploads.hostname/
+		uploadURL, err = url.Parse(fmt.Sprintf("%s://uploads.%s/", u.Scheme, u.Hostname()))
+	} else {
+		// Without subdomain isolation: https://hostname/api/uploads/
+		uploadURL, err = url.Parse(fmt.Sprintf("%s://%s/api/uploads/", u.Scheme, u.Hostname()))
+	}
 	if err != nil {
 		return apiHost{}, fmt.Errorf("failed to parse GHES Upload URL: %w", err)
 	}
-	rawURL, err := url.Parse(fmt.Sprintf("%s://%s/raw/", u.Scheme, u.Hostname()))
+
+	var rawURL *url.URL
+	if hasSubdomainIsolation {
+		// With subdomain isolation: https://raw.hostname/
+		rawURL, err = url.Parse(fmt.Sprintf("%s://raw.%s/", u.Scheme, u.Hostname()))
+	} else {
+		// Without subdomain isolation: https://hostname/raw/
+		rawURL, err = url.Parse(fmt.Sprintf("%s://%s/raw/", u.Scheme, u.Hostname()))
+	}
 	if err != nil {
 		return apiHost{}, fmt.Errorf("failed to parse GHES Raw URL: %w", err)
 	}
@@ -380,6 +412,29 @@ func newGHESHost(hostname string) (apiHost, error) {
 	}, nil
 }
 
+// checkSubdomainIsolation detects if GitHub Enterprise Server has subdomain isolation enabled
+// by attempting to ping the raw.<host>/_ping endpoint on the subdomain. The raw subdomain must always exist for subdomain isolation.
+func checkSubdomainIsolation(scheme, hostname string) bool {
+	subdomainURL := fmt.Sprintf("%s://raw.%s/_ping", scheme, hostname)
+
+	client := &http.Client{
+		Timeout: 5 * time.Second,
+		// Don't follow redirects - we just want to check if the endpoint exists
+		//nolint:revive // parameters are required by http.Client.CheckRedirect signature
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
+	resp, err := client.Get(subdomainURL)
+	if err != nil {
+		return false
+	}
+	defer resp.Body.Close()
+
+	return resp.StatusCode == http.StatusOK
+}
+
 // Note that this does not handle ports yet, so development environments are out.
 func parseAPIHost(s string) (apiHost, error) {
 	if s == "" {