Skip to content

feat(auth): add custom github app authentication with automatic token refresh#2906

Open
alcoholmajuu wants to merge 1 commit into
github:mainfrom
alcoholmajuu:feat/github-app-auth
Open

feat(auth): add custom github app authentication with automatic token refresh#2906
alcoholmajuu wants to merge 1 commit into
github:mainfrom
alcoholmajuu:feat/github-app-auth

Conversation

@alcoholmajuu

@alcoholmajuu alcoholmajuu commented Jul 18, 2026

Copy link
Copy Markdown

Summary

Adds custom GitHub App (Server-to-Server) authentication support with automatic token refresh and retry mechanisms for the local (stdio) MCP server.

Why

This change is needed to allow the MCP server to run securely as a GitHub App installation in automated, CI/CD, or enterprise environments without relying on Personal Access Tokens (PATs) or interactive OAuth logins.

What changed

  • Added NewGitHubAppTokenSource in pkg/utils/github_app.go to support automatic JWT signing and installation access token requests.
  • Integrated go-resty/resty/v2 with exponential backoff retries for 5xx/429/network errors.
  • Refactored cmd/github-mcp-server/main.go to expose App ID, Installation ID, and Private Key configuration CLI flags and environment variables.
  • Standardized configuration pipelines (internal/ghmcp/server.go, pkg/http/server.go, pkg/github/dependencies.go) to consume standard oauth2.TokenSource.
  • Added unit tests in pkg/utils/github_app_test.go and documented configurations in README.md.

MCP impact

  • No tool or API changes
    • No new MCP tools or tool schema changes were introduced; this only changes the authentication backend configuration.
  • Tool schema or behavior changed
  • New tool added

Prompts tested (tool changes only)

N/A - No tool changes

Security / limits

  • No security or limits impact
  • Auth / permissions considered
    • Introduces secure Server-to-Server App token source, generating short-lived installation access tokens in-memory.
  • Data exposure, filtering, or token/size limits considered
    • The App private key is parsed and validated at startup to fail-fast. Active token is cached safely with thread-safe synchronization.

Tool renaming

  • I am renaming tools as part of this PR (e.g. a part of a consolidation effort)
  • I am not renaming tools as part of this PR

Lint & tests

  • Linted locally with ./script/lint
    • Manually checked the static analysis warnings and ran build verification locally.
  • Tested locally with ./script/test
    • Wrote new unit tests inside github_app_test.go and verified they pass alongside existing test suites.

Docs

  • Not needed
  • Updated (README / docs / examples)
    • Updated the Local Server Authentication section in README.md to document the new GitHub App configurations.

@alcoholmajuu
alcoholmajuu force-pushed the feat/github-app-auth branch from 5ee150e to 052b607 Compare July 18, 2026 18:08
@alcoholmajuu
alcoholmajuu marked this pull request as ready for review July 18, 2026 18:19
@alcoholmajuu
alcoholmajuu requested a review from a team as a code owner July 18, 2026 18:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant