Description
Problem
The DIFC proxy (start_difc_proxy.sh) does not pass GITHUB_SERVER_URL to the mcpg proxy container. This means the proxy cannot determine the correct upstream GitHub API endpoint on GHEC (.ghe.com) tenants.
The MCP gateway already handles this correctly — it passes -e GITHUB_SERVER_URL to the container (mcp_setup_generator.go:641). The DIFC proxy uses the same container image but omits this env var.
Current behavior
```bash
# start_difc_proxy.sh L37-48
docker run -d --name awmg-proxy --network host \
  -e GH_TOKEN \
  -e DEBUG='*' \
  ...
  "$CONTAINER_IMAGE" proxy ...
```

Only GH_TOKEN and DEBUG are passed. On GHEC, the proxy has no way to know the upstream API should be api.TENANT.ghe.com instead of api.github.com.
Expected behavior
The proxy container should receive GITHUB_SERVER_URL so it can route upstream requests to the correct enterprise API:
```bash
# -e GITHUB_SERVER_URL is the added line: route to correct upstream
docker run -d --name awmg-proxy --network host \
  -e GH_TOKEN \
  -e GITHUB_SERVER_URL \
  -e DEBUG='*' \
  ...
```

Impact
- GHEC workflows with DIFC guards: Integrity filtering on pre-agent gh CLI and actions/github-script steps silently fails or routes to the wrong API
- github.com workflows: Unaffected (proxy defaults to api.github.com)
Root cause
Two files need changes:
1. actions/setup/sh/start_difc_proxy.sh
Add -e GITHUB_SERVER_URL to the docker run command (L37):
```bash
docker run -d --name awmg-proxy --network host \
  -e GH_TOKEN \
  -e GITHUB_SERVER_URL \
  -e DEBUG='*' \
  ...
```

2. pkg/workflow/compiler_difc_proxy.go
The compiler generates the DIFC proxy step in buildStartDIFCProxyStepYAML(). Currently (L210-218) it only sets GH_TOKEN in the step env:

```go
sb.WriteString(" - name: Start DIFC proxy for pre-agent gh calls\n")
sb.WriteString(" env:\n")
fmt.Fprintf(&sb, " GH_TOKEN: %s\n", effectiveToken)
```

The shell script receives GITHUB_SERVER_URL from the runner environment automatically (it is a standard GitHub Actions context variable), so the compiler change is not strictly required — the script inherits it. However, for consistency with the gateway (which explicitly passes it), consider documenting this dependency.
Comparison with gateway
The gateway already handles GHEC correctly in mcp_setup_generator.go:
```go
// L640-641
containerCmd.WriteString(" -e GITHUB_REPOSITORY")
containerCmd.WriteString(" -e GITHUB_SERVER_URL") // ← gateway passes this
```

And the guard policy renderer sets GITHUB_HOST from $GITHUB_SERVER_URL (mcp_renderer_github.go:163).
Dependencies
This fix depends on the mcpg proxy mode supporting GITHUB_SERVER_URL for upstream routing. A corresponding issue should be filed in github/gh-aw-mcpg if the proxy mode does not already use this env var.
Notes
- The hardcoded proxy-local paths (GITHUB_API_URL=https://localhost:18443/api/v3, GITHUB_GRAPHQL_URL=https://localhost:18443/api/graphql) in start_difc_proxy.sh are correct — these are the proxy's local listener paths, not the upstream paths
- The /api/v3 and /api/graphql path structure is the same on both github.com and GHEC
- The health check at https://localhost:18443/api/v3/health should also work regardless of upstream
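
To make the upstream routing described in this issue concrete, here is an added example, not code from gh-aw or gh-aw-mcpg: a shell helper that maps a GITHUB_SERVER_URL value to the upstream API base URL. The function name upstream_api_url, the github.com default for an empty value, and the GHES mapping (https://HOST/api/v3, which goes beyond the two cases named in the issue) are assumptions; how the mcpg proxy actually resolves its upstream is not shown on this page.

```bash
#!/usr/bin/env bash
# Added example, not code from gh-aw or gh-aw-mcpg.
# upstream_api_url is a hypothetical helper: it maps a GITHUB_SERVER_URL value
# to the API base URL a proxy would have to call upstream.
# Prints the URL on stdout; returns 1 (and prints nothing on stdout) on rejected input.
upstream_api_url() {
  # Assumption: an unset or empty value means github.com.
  _srv="${1:-https://github.com}"
  # GH_TOKEN travels to this host, so refuse anything that is not https.
  case "$_srv" in
    https://*) ;;
    *) echo "rejected (not https): $_srv" >&2; return 1 ;;
  esac
  _host="${_srv#https://}"   # drop the scheme
  _host="${_host%%/*}"       # drop any path
  _host="$(printf '%s' "$_host" | tr '[:upper:]' '[:lower:]')"
  # Reject empty hosts, userinfo (user@host), ports and other odd characters.
  case "$_host" in
    ''|.*|*[!a-z0-9.-]*) echo "rejected (bad host): $_srv" >&2; return 1 ;;
  esac
  case "$_host" in
    github.com) echo "https://api.github.com" ;;
    *.ghe.com)  echo "https://api.$_host" ;;      # GHEC tenant: api.TENANT.ghe.com
    *)          echo "https://$_host/api/v3" ;;   # assumption: GHES layout
  esac
}

# Constructed sample values, not taken from a real tenant.
for url in "https://github.com" "https://TENANT.ghe.com" "http://tenant.ghe.com"; do
  printf '%-28s -> %s\n' "$url" "$(upstream_api_url "$url" 2>/dev/null || echo REJECTED)"
done
```

Running a check like this before `docker run` makes a missing or malformed GITHUB_SERVER_URL fail loudly instead of falling back to api.github.com on a GHEC tenant.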