build(oauth): bake in default OAuth credentials for official releases (3/4)#2711
Draft
SamMorrowDrums wants to merge 1 commit into
Conversation
Inject the public OAuth client credentials (stored as the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET repo secrets) at build time via -ldflags so official binaries and images ship a working default app for zero-config login. Security relies on PKCE, not on the secret. Local/dev builds leave the values empty and continue to require an explicit token or --oauth-client-id. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
This PR (part 3/4 of the OAuth-over-stdio stack) wires build/release plumbing to allow official GitHub MCP Server binaries and container images to ship with a default OAuth client (injected at build time), while keeping local/dev builds credential-free.
Changes:
- Add internal/buildinfo ldflags-injected variables (OAuthClientID/OAuthClientSecret) to support baked-in OAuth credentials for official builds.
- Update cmd/github-mcp-server stdio startup to fall back to baked-in OAuth credentials only for the default host (github.com) when not configured explicitly.
- Update Docker + GoReleaser + GitHub Actions release workflows to inject OAuth credentials at build time (including BuildKit secrets for Docker).
| File | Description |
|---|---|
| internal/buildinfo/buildinfo.go | Introduces build-time variables for default OAuth credentials. |
| cmd/github-mcp-server/main.go | Applies baked-in OAuth credentials as a fallback for github.com when not explicitly configured. |
| Dockerfile | Injects OAuth credentials during Docker builds via BuildKit secrets and ldflags. |
| .goreleaser.yaml | Adds ldflags to embed OAuth credentials into official release binaries via env-provided values. |
| .github/workflows/goreleaser.yml | Exposes OAuth secrets to GoReleaser release jobs. |
| .github/workflows/docker-publish.yml | Passes OAuth secrets into Docker builds via build-push-action secrets. |
Copilot's findings
- Files reviewed: 6/6 changed files
- Comments generated: 2
Comment on lines +30 to +34
| --mount=type=secret,id=oauth_client_id \ | ||
| --mount=type=secret,id=oauth_client_secret \ | ||
| export OAUTH_CLIENT_ID="$(cat /run/secrets/oauth_client_id 2>/dev/null || echo '')" && \ | ||
| export OAUTH_CLIENT_SECRET="$(cat /run/secrets/oauth_client_secret 2>/dev/null || echo '')" && \ | ||
| CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=${VERSION} -X main.commit=$(git rev-parse HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientID=${OAUTH_CLIENT_ID} -X github.com/github/github-mcp-server/internal/buildinfo.OAuthClientSecret=${OAUTH_CLIENT_SECRET}" \ |
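Review bot: the `|| echo ''` fallbacks on the two `export` lines mean that a release build whose secrets were not mounted silently produces a binary with an empty `buildinfo.OAuthClientID`, i.e. an official artifact without zero-config login and nothing in the build to flag it; consider failing the build when an official-release build arg is set and `/run/secrets/oauth_client_id` is absent, and keeping the silent-empty behaviour only for local builds. Note also that both values are interpolated into the `go build` command line, so they show up in any verbose build log; that is consistent with the PR treating them as public credentials, but a one-line comment in the Dockerfile saying so would save the next reader a question.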
Comment on lines +47 to +50
| if oauthClientID == "" && viper.GetString("host") == "" { | ||
| oauthClientID = buildinfo.OAuthClientID | ||
| oauthClientSecret = buildinfo.OAuthClientSecret | ||
| } |
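Review bot: the guard `viper.GetString("host") == ""` only fires when no host is configured at all, so a user who explicitly passes `--gh-host github.com` (or `https://github.com`) gets no baked-in client and is asked for a token, while the stated intent is "github.com only" rather than "host unset only". Consider normalizing the configured host and comparing it against github.com instead of against the empty string. A debug-level log line stating that the baked-in client is being used would also make it easier to diagnose GHES/ghe.com setups that skip the fallback as designed.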
Part 3 of 4 of the OAuth-over-stdio stack. Stacked on #2710 (PR 2/4). Replaces the build/release portion of #1836.
What this does
Lets official binaries and container images ship a working default OAuth app so users can log in with zero config, while local/dev builds stay credential-free.
- internal/buildinfo: two ldflags-set vars, OAuthClientID/OAuthClientSecret. Empty in local/dev builds.
- cmd/github-mcp-server/main.go: when no --oauth-client-id is configured and no custom --gh-host is set, fall back to the baked-in client. Inline (no helper), and guarded to github.com only — GHES/ghe.com (Proxima) users must bring their own app, since the baked-in app is registered on github.com and would otherwise point at the wrong auth server.
- Dockerfile: credentials injected via --mount=type=secret (kept out of image layers) and applied through the same ldflags.
- .goreleaser.yaml + goreleaser.yml + docker-publish.yml: pass the existing OAUTH_CLIENT_ID/OAUTH_CLIENT_SECRET repo secrets into the release/build jobs.
Security
These are public credentials in the OAuth 2.1 sense — security comes from PKCE, not from the client secret (same model as the GitHub CLI). They are still injected at build time rather than committed, and kept out of Docker layer history via build secrets. The ephemeral user token remains in-memory only (PR 1/2).
Validation
go build ./... · script/lint (0 issues) · script/test (race, full suite) all green. No new dependencies.
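As an added illustration (not code from this PR or from the github-mcp-server project), the fallback rule described above written as a stand-alone Go program. The `OAuthClient` type, the `resolveOAuthClient` and `isDefaultHost` functions, the package-level baked-in variables and every sample host and client id are assumptions of this example; the real change assigns `buildinfo.OAuthClientID`/`OAuthClientSecret` inline in main.go. It goes slightly beyond the PR's exact-empty host check by also treating an explicitly configured `github.com` as the default host, and it covers the dev-build case where nothing is baked in.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OAuthClient is a client id plus an optional secret. In the OAuth 2.1 sense
// these are public-client credentials: PKCE, not the secret, protects the flow.
type OAuthClient struct {
	ID     string
	Secret string
}

// In the real project these two values live in internal/buildinfo and are set
// with -ldflags "-X .../internal/buildinfo.OAuthClientID=...". Here they are
// ordinary package variables left empty to model a local/dev build
// (assumption of this example).
var (
	bakedClientID     = ""
	bakedClientSecret = ""
)

// isDefaultHost reports whether host denotes github.com. The PR treats only an
// unset host as the default; this example also accepts an explicit
// "github.com" / "https://github.com" (a generalization, not the PR's rule).
func isDefaultHost(host string) bool {
	h := strings.ToLower(strings.TrimSpace(host))
	if h == "" {
		return true
	}
	if !strings.Contains(h, "://") {
		h = "https://" + h
	}
	u, err := url.Parse(h)
	if err != nil {
		return false
	}
	return u.Hostname() == "github.com"
}

// resolveOAuthClient applies the fallback rule:
//  1. an explicitly configured client id always wins, for any host;
//  2. otherwise the baked-in client is used only for github.com, because that
//     is where the default app is registered;
//  3. GHES / ghe.com hosts, and dev builds with nothing baked in, get no
//     client, so the caller must insist on an explicit token or
//     --oauth-client-id instead of sending the user to the wrong auth server.
//
// The second return value is false when no usable client exists.
func resolveOAuthClient(configured OAuthClient, host string, baked OAuthClient) (OAuthClient, bool) {
	if configured.ID != "" {
		return configured, true
	}
	if !isDefaultHost(host) {
		return OAuthClient{}, false
	}
	if baked.ID == "" {
		return OAuthClient{}, false
	}
	return baked, true
}

func main() {
	// Constructed scenarios; "Iv1.example-baked" is a placeholder, not a real id.
	official := OAuthClient{ID: "Iv1.example-baked", Secret: "placeholder-secret"}
	dev := OAuthClient{ID: bakedClientID, Secret: bakedClientSecret}
	cases := []struct {
		name  string
		conf  OAuthClient
		host  string
		baked OAuthClient
	}{
		{"official build, no flags", OAuthClient{}, "", official},
		{"official build, explicit github.com", OAuthClient{}, "https://github.com", official},
		{"official build, GHES host", OAuthClient{}, "https://ghes.corp.example", official},
		{"GHES with own app", OAuthClient{ID: "Iv1.example-own"}, "https://ghes.corp.example", official},
		{"dev build, no flags", OAuthClient{}, "", dev},
	}
	for _, c := range cases {
		client, ok := resolveOAuthClient(c.conf, c.host, c.baked)
		if ok {
			fmt.Printf("%-40s -> use client %q\n", c.name, client.ID)
		} else {
			fmt.Printf("%-40s -> no default client; require token or --oauth-client-id\n", c.name)
		}
	}
}
```

The point of separating `isDefaultHost` from the fallback is that the host comparison is the security-relevant check: a baked-in client that is registered on github.com must never be handed to a flow targeting another authorization server, and a dev binary with empty baked-in values must fail closed rather than start an OAuth flow with an empty client id.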