feat: add build-time OAuth credentials for seamless authentication

- Add internal/buildinfo package for build-injected OAuth credentials
- Update goreleaser and Dockerfile to inject credentials via ldflags
- Update main.go to use baked-in credentials as fallback (PAT > explicit OAuth > baked-in)
- Update GitHub Actions workflows to pass secrets to builds
- Update documentation with new authentication flow

Author: SamMorrowDrums

.github/workflows/docker-publish.yml

@@ -112,6 +112,8 @@ jobs:
           platforms: linux/amd64,linux/arm64
           build-args: |
             VERSION=${{ github.ref_name }}
+            OAUTH_CLIENT_ID=${{ secrets.OAUTH_CLIENT_ID }}
+            OAUTH_CLIENT_SECRET=${{ secrets.OAUTH_CLIENT_SECRET }}
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker

.github/workflows/goreleaser.yml

@@ -35,6 +35,8 @@ jobs:
           workdir: .
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OAUTH_CLIENT_ID: ${{ secrets.OAUTH_CLIENT_ID }}
+          OAUTH_CLIENT_SECRET: ${{ secrets.OAUTH_CLIENT_SECRET }}
 
       - name: Generate signed build provenance attestations for workflow artifacts
         uses: actions/attest-build-provenance@v3

.goreleaser.yaml

@@ -9,7 +9,7 @@ builds:
   - env:
       - CGO_ENABLED=0
     ldflags:
-      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID={{ .Env.OAUTH_CLIENT_ID }} -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientSecret={{ .Env.OAUTH_CLIENT_SECRET }}
     goos:
       - linux
       - windows

Dockerfile

@@ -1,5 +1,7 @@
 FROM golang:1.25.4-alpine AS build
 ARG VERSION="dev"
+ARG OAUTH_CLIENT_ID=""
+ARG OAUTH_CLIENT_SECRET=""
 
 # Set the working directory
 WORKDIR /build
@@ -13,7 +15,7 @@ RUN --mount=type=cache,target=/var/cache/apk \
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=bind,target=. \
-    CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=${VERSION} -X main.commit=$(git rev-parse HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+    CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=${VERSION} -X main.commit=$(git rev-parse HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID=${OAUTH_CLIENT_ID} -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientSecret=${OAUTH_CLIENT_SECRET}" \
     -o /bin/github-mcp-server cmd/github-mcp-server/main.go
 
 # Make a stage to run the app

cmd/github-mcp-server/main.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/github/github-mcp-server/internal/buildinfo"
 	"github.com/github/github-mcp-server/internal/ghmcp"
 	"github.com/github/github-mcp-server/internal/oauth"
 	"github.com/github/github-mcp-server/pkg/github"
@@ -72,9 +73,10 @@ var (
 			var oauthScopes []string
 			var prebuiltInventory *inventory.Inventory
 
-			// If no token provided, setup OAuth manager if configured
+			// If no token provided, setup OAuth manager
+			// Priority: 1. Explicit OAuth config, 2. Build-time credentials, 3. None
 			if token == "" {
-				oauthClientID := viper.GetString("oauth_client_id")
+				oauthClientID, oauthClientSecret := resolveOAuthCredentials()
 				if oauthClientID != "" {
 					// Get translation helper for inventory building
 					t, _ := translations.TranslationHelper()
@@ -87,7 +89,7 @@ var (
 					// Create OAuth manager for lazy authentication
 					oauthCfg := oauth.GetGitHubOAuthConfig(
 						oauthClientID,
-						viper.GetString("oauth_client_secret"),
+						oauthClientSecret,
 						oauthScopes,
 						viper.GetString("host"),
 						viper.GetInt("oauth_callback_port"),
@@ -274,3 +276,25 @@ func collectRequiredScopes(inv *inventory.Inventory) []string {
 
 	return scopes
 }
+
+// resolveOAuthCredentials returns OAuth client credentials using the following priority:
+// 1. Explicit configuration via flags/environment (--oauth-client-id, GITHUB_OAUTH_CLIENT_ID)
+// 2. Build-time baked credentials (for official releases)
+//
+// This allows developers to override with their own OAuth app while providing
+// a seamless "just works" experience for end users of official builds.
+func resolveOAuthCredentials() (clientID, clientSecret string) {
+	// Priority 1: Explicit user configuration
+	clientID = viper.GetString("oauth_client_id")
+	if clientID != "" {
+		return clientID, viper.GetString("oauth_client_secret")
+	}
+
+	// Priority 2: Build-time baked credentials
+	if buildinfo.HasOAuthCredentials() {
+		return buildinfo.OAuthClientID, buildinfo.OAuthClientSecret
+	}
+
+	// No OAuth credentials available
+	return "", ""
+}

docs/oauth-authentication.md

@@ -6,26 +6,80 @@ The GitHub MCP Server supports OAuth authentication for stdio mode, enabling int
 
 OAuth authentication allows users to authenticate with GitHub through their browser without pre-configuring a token. This is useful for:
 
+- **End users** who want authentication to "just work" without configuration
 - **Interactive sessions** where users want to authenticate on-demand
 - **Docker deployments** where tokens shouldn't be baked into images
 - **Multi-user scenarios** where each user authenticates individually
 
-## Configuration
+## How It Works
 
-### Required Environment Variables
+Official releases of the GitHub MCP Server include built-in OAuth credentials, providing a seamless authentication experience. When you run the server without a PAT configured, it will automatically prompt for OAuth authentication when a tool requires it.
+
+### Authentication Priority
+
+The server uses the following priority for authentication:
+
+1. **Personal Access Token** (GITHUB_PERSONAL_ACCESS_TOKEN) - Highest priority, explicit user choice
+2. **Explicit OAuth configuration** (--oauth-client-id flag/env) - Developer/power user override
+3. **Built-in OAuth credentials** - Default for official releases, "just works"
+4. **No authentication** - Warning displayed, tools will fail when called
+
+## Quick Start
+
+For most users, simply run the server without any configuration:
+
+```bash
+# Official releases include built-in OAuth - just run and authenticate when prompted
+./github-mcp-server stdio
+```
+
+The server will prompt for browser-based authentication when you first call a tool that requires GitHub access.
+
+## Developer Configuration
+
+Developers building from source or wanting to use their own OAuth app can provide credentials explicitly.
+
+### Environment Variables
 
 | Variable | Description | Required |
 |----------|-------------|----------|
-| `GITHUB_OAUTH_CLIENT_ID` | OAuth app client ID | Yes |
+| `GITHUB_OAUTH_CLIENT_ID` | OAuth app client ID | For custom OAuth apps |
 | `GITHUB_OAUTH_CLIENT_SECRET` | OAuth app client secret | Recommended |
 
-### Optional Flags
+### Command Line Flags
 
 | Flag | Environment Variable | Description |
 |------|---------------------|-------------|
+| `--oauth-client-id` | `GITHUB_OAUTH_CLIENT_ID` | Override OAuth app client ID |
+| `--oauth-client-secret` | `GITHUB_OAUTH_CLIENT_SECRET` | Override OAuth app client secret |
 | `--oauth-callback-port` | `GITHUB_OAUTH_CALLBACK_PORT` | Fixed port for OAuth callback (required for Docker with `-p` flag) |
 | `--oauth-scopes` | `GITHUB_OAUTH_SCOPES` | Custom OAuth scopes (comma-separated) |
 
+### Building with Custom OAuth Credentials
+
+When building from source, you can bake in your own OAuth credentials:
+
+```bash
+# Build with custom OAuth credentials
+go build -ldflags="-X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID=your-client-id \
+  -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientSecret=your-client-secret" \
+  ./cmd/github-mcp-server
+
+# Or use environment variables during development
+export GITHUB_OAUTH_CLIENT_ID="your-client-id"
+export GITHUB_OAUTH_CLIENT_SECRET="your-client-secret"
+./github-mcp-server stdio
+```
+
+For Docker builds:
+
+```bash
+docker build \
+  --build-arg OAUTH_CLIENT_ID="your-client-id" \
+  --build-arg OAUTH_CLIENT_SECRET="your-client-secret" \
+  -t github-mcp-server .
+```
+
 ## Authentication Flows
 
 The server automatically selects the appropriate OAuth flow based on the environment:
@@ -52,18 +106,31 @@ Used when running in Docker or when a browser cannot be opened:
 
 ## Usage Examples
 
-### Local Binary
+### Local Binary (Official Release)
 
 ```bash
-# Set OAuth credentials
+# Official releases have built-in OAuth - just run!
+./github-mcp-server stdio
+# Authentication will be prompted when a tool is called
+```
+
+### Local Binary (Custom OAuth)
+
+```bash
+# Override with your own OAuth app
 export GITHUB_OAUTH_CLIENT_ID="your-client-id"
 export GITHUB_OAUTH_CLIENT_SECRET="your-client-secret"
-
-# Run without PAT - OAuth will trigger when tools are called
 ./github-mcp-server stdio
 ```
 
-### Docker (with Device Flow)
+### Docker (Official Image)
+
+```bash
+# Official images have built-in OAuth - just run!
+docker run -i --rm ghcr.io/github/github-mcp-server stdio
+```
+
+### Docker (with Custom OAuth)
 
 ```bash
 docker run -i --rm \
@@ -77,8 +144,6 @@ docker run -i --rm \
 ```bash
 docker run -i --rm \
   --network=host \
-  -e GITHUB_OAUTH_CLIENT_ID="your-client-id" \
-  -e GITHUB_OAUTH_CLIENT_SECRET="your-client-secret" \
   ghcr.io/github/github-mcp-server stdio --oauth-callback-port=8085
 ```
 
@@ -91,8 +156,6 @@ docker run -i --rm \
       "command": "docker",
       "args": [
         "run", "-i", "--rm",
-        "-e", "GITHUB_OAUTH_CLIENT_ID=your-client-id",
-        "-e", "GITHUB_OAUTH_CLIENT_SECRET=your-client-secret",
         "ghcr.io/github/github-mcp-server",
         "stdio"
       ],

internal/buildinfo/buildinfo.go

@@ -0,0 +1,31 @@
+// Package buildinfo contains build-time injected values.
+//
+// These values are set via -ldflags during the build process.
+// For example:
+//
+//	go build -ldflags="-X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID=xxx"
+//
+// The OAuth credentials are used as default values for stdio mode when no
+// PAT or explicit OAuth configuration is provided. This enables a "just works"
+// experience for most users while still allowing developer overrides.
+//
+// Note: These credentials are intentionally baked into the binary. While they
+// can be reverse-engineered, this provides a barrier against trivial cloning
+// and establishes clear provenance for the official GitHub MCP Server.
+package buildinfo
+
+// OAuthClientID is the default GitHub OAuth App Client ID.
+// Set at build time via -ldflags for official releases.
+// Empty string means no default OAuth credentials are available.
+var OAuthClientID string
+
+// OAuthClientSecret is the default GitHub OAuth App Client Secret.
+// Set at build time via -ldflags for official releases.
+// While called a "secret", OAuth client secrets in native apps cannot truly
+// be kept secret and are considered public per RFC 8252.
+var OAuthClientSecret string
+
+// HasOAuthCredentials returns true if build-time OAuth credentials are available.
+func HasOAuthCredentials() bool {
+	return OAuthClientID != ""
+}