Comparing 3422703...4f73cfd · github/github-mcp-server · GitHub
Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: github/github-mcp-server
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 3422703
Choose a base ref
...
head repository: github/github-mcp-server
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 4f73cfd
Choose a head ref
  • 12 commits
  • 62 files changed
  • 13 contributors

Commits on Jun 15, 2026

  1. fix(repos): default create_repository to private when visibility omit…

    …ted (#2694)
    
    Previously, omitting the `private` parameter on create_repository
    defaulted the new repository to public, an insecure default that could
    unintentionally expose code, configuration, and history. Omission now
    defaults to a private repository; public repositories are only created
    when `private` is explicitly set to false.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    SamMorrowDrums and Copilot authored Jun 15, 2026
    Configuration menu
    Copy the full SHA
    b879ca2 View commit details
    Browse the repository at this point in the history
  2. Add explicit show_ui parameter to UI-enabled write tools (#2601)

    * Add explicit show_ui parameter to UI-enabled write tools
    
    Today the server decides whether to route issue_write and create_pull_request
    through the MCP App form using two implicit signals: _ui_submitted (set by
    the form on submit) and a heuristic that bypasses the form when the call
    carries any parameter the form cannot represent (labels, assignees,
    issue_fields, state, reviewers, etc.). The model had no first-class,
    documented way to say "execute directly, do not show a form".
    
    Add a show_ui boolean parameter to the input schema of IssueWrite,
    LegacyIssueWrite, and CreatePullRequest. It defaults to true and is
    visible only to clients that advertise MCP App UI support: the strip
    happens per-request in inventory.ToolsForRegistration via a new
    stripUIOnlySchemaProperties helper, gated by the same predicate that
    already strips _meta.ui (shouldStripMCPAppsMetadata). The two strips share
    one decision so the schema and metadata stay in lock-step.
    
    Form-routing predicate becomes:
    
        MCPApps FF on && client supports UI &&
        !_ui_submitted && show_ui && !hasNonFormParams
    
    show_ui=false is a new explicit way for the model to opt out. The existing
    non-form-param auto-bypass stays as a safety net, and the React forms keep
    sending _ui_submitted=true on submit unchanged. get_me is out of scope
    because its UI is pure client-side card rendering with no server-side
    gating to replace.
    
    The current strip gate ("strip when FF is off OR capability explicitly
    absent") mirrors today's _meta.ui behavior exactly, including the
    "capability unknown" case. For stdio that means UI-capable schemas are
    exposed to any FF-enabled client. The handler-side clientSupportsUI check
    still gates form execution at call time, so it is functionally a no-op for
    non-UI stdio clients. A separate follow-up will tighten the gate to
    "strip on unknown too" and wire an InitializedHandler in stdio to
    re-register the un-stripped surface only after a UI-capable client has
    advertised; the two changes must ship together to avoid breaking stdio.
    
    docs/feature-flags.md and docs/insiders-features.md include an unrelated
    "reviewers" description update picked up by script/generate-docs from
    commit 2bd162a ("fix: support team pull request reviewers"), which
    updated the source schema but did not regenerate docs.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Clarify where show_ui appears in generated docs
    
    The code comments next to the show_ui schema entries (and the
    uiOnlySchemaProperties allowlist) said the property is documented in
    "toolsnaps / README". README is generated from the stripped (non-UI)
    schema, so show_ui is not actually in it — it only appears in toolsnaps
    and the feature-flag / insiders docs. Reword the comments to match
    reality.
    
    Comment-only change; no behavior or test impact.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Guard issue_write/create_pull_request schemas against UI-gating desync
    
    The form-routing logic depends on a hand-maintained classification of
    each schema property into form-resendable vs known-non-form. A new
    property added without updating the classification would silently shift
    UI gating behavior (e.g. a form-incompatible param wouldn't trigger the
    safety-net bypass).
    
    Add Test_issueWriteSchemaClassification and Test_createPullRequestSchemaClassification
    that enumerate each tool's InputSchema.Properties and require every
    property to be classified as exactly one of:
      - form-resendable (member of issueWriteFormParams / pullRequestWriteFormParams)
      - known-non-form (test-local allowlist)
    
    A future schema addition without classification fails the test with a
    message pointing at the exact set the contributor needs to update.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Mark conditional schema parameters in generated docs
    
    Previously `show_ui` was listed in docs/feature-flags.md and
    docs/insiders-features.md alongside ordinary parameters with no
    indication that it is hidden from clients without MCP App UI support.
    A reader scanning the parameter list would assume it is always available.
    
    Add a programmatic conditional-property mechanism:
    
    - `inventory.ConditionalSchemaPropertyDescriptions()` exposes a
      map[propertyName]conditionDescription derived from the same
      uiOnlySchemaProperties allowlist that drives the per-request strip
      in ToolsForRegistration. Single source of truth.
    - The doc generator (writeToolDoc) consults this map and appends
      "conditional — <description>" to the parameter's parenthesised
      type/required suffix.
    
    Example rendered output:
    
      - `show_ui`: Whether to render the MCP App form... (boolean, optional,
        conditional — only visible to clients that advertise MCP App UI support)
    
    A small test (TestConditionalSchemaPropertyDescriptions) ensures every
    entry in uiOnlySchemaProperties has a description, so a future stripped
    property addition can't silently lose its doc marker.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Potential fix for pull request finding
    
    Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
    Co-authored-by: Sam Morrow <sammorrowdrums@github.com>
    4 people authored Jun 15, 2026
    Configuration menu
    Copy the full SHA
    d27540f View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    909235e View commit details
    Browse the repository at this point in the history

Commits on Jun 16, 2026

  1. Configuration menu
    Copy the full SHA
    308ae5b View commit details
    Browse the repository at this point in the history
  2. build(deps): bump golang from cd2fb35 to 8d95af5 (#2699)

    Bumps golang from `cd2fb35` to `8d95af5`.
    
    ---
    updated-dependencies:
    - dependency-name: golang
      dependency-version: 1.25.11-alpine
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 16, 2026
    Configuration menu
    Copy the full SHA
    de9aee0 View commit details
    Browse the repository at this point in the history
  3. build(deps): bump distroless/base-debian12 from 58695f4 to e7e678c (

    #2698)
    
    Bumps distroless/base-debian12 from `58695f4` to `e7e678c`.
    
    ---
    updated-dependencies:
    - dependency-name: distroless/base-debian12
      dependency-version: e7e678c88c59e70e105a46549bb3fbfb3d732ee3b4afd3a19fdab2e15afaa6b3
      dependency-type: direct:production
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 16, 2026
    Configuration menu
    Copy the full SHA
    117bace View commit details
    Browse the repository at this point in the history
  4. build(deps): bump node from 144769e to 3ad34ca (#2697)

    Bumps node from `144769e` to `3ad34ca`.
    
    ---
    updated-dependencies:
    - dependency-name: node
      dependency-version: 26-alpine
      dependency-type: direct:production
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 16, 2026
    Configuration menu
    Copy the full SHA
    6586b84 View commit details
    Browse the repository at this point in the history
  5. MCP Apps with extra functionality (#1974)

    * PoC full flow (hello world example)
    
    * add avatar resource domain
    
    * add postmessage logic and richer UI
    
    * add create issue ui
    
    * update ui for issue creatioon
    
    * fix
    
    * ignore banner
    
    * update docs after rebase
    
    * update toolsnap for get_me
    
    * new UI changes
    
    * update docs
    
    * update workflows that need ui build
    
    * add UI diff
    
    * fix build ui step for windows runners to use git bash
    
    * fix UI diff
    
    * refactor issue creation UI
    
    * add AvatarWithFallback component and update UserCard to use it; enhance CreateIssueApp to manage existing issue data
    
    * fix formatting of button labels
    
    * add create pull request functionality with UI support and insiders
    
    * update docs
    
    * add test for insiders mode handling in ServerTool schema
    
    * remove `show_ui` param for now
    
    * make insiders mode metadata stripping generic
    
    * remove ui diff
    
    * fix CI
    
    * remove redundant mention of old app name
    
    * add node types to fix ide issues for ts code
    
    * remove unused TriangleDownIcon import
    
    * update @primer/behaviors and electron-to-chromium versions in package-lock.json
    
    * add check to ensure base and head are not the same when creating a new PR
    
    * remove old show_ui
    
    * fix gitignore for dist so builds dont break
    
    * add tests for insiders mode handling and metadata stripping in ServerTool
    
    * remove unused state and components from CreatePRApp
    
    * fix ui build
    
    * update docker build to fix npm issue
    
    * remove reference to show_ui
    
    * allow insiders to work for non-ui features
    
    * formalise insiders inventory support
    
    * update docs
    
    * fix overflow issues and replace pull request dropdown with matching UI from dotcom
    
    * fix createpullrequest test
    
    * consolidate fetching tools under `ui_get` tool to remove toolset deps
    
    * fix issue data prefill in issue_write form
    
    * fix link component when updating issue
    
    * fix avatar URL
    
    * fix broken issue update logic
    
    * remove dbg
    
    * fix for new GetFlags
    
    * revert to original required fields for create_pull_request
    
    * fix for UI form submission
    
    * Simplify MCP App UIs for basic branch
    
    Remove advanced features to be kept in mcp-ui-apps-advanced:
    - Strip labels, assignees, milestones, issue types, repo picker from issue-write
    - Strip repo picker, branch selectors from pr-write
    - Delete ui_get tool (ui_tools.go, ui_tools_test.go, ui_get.snap)
    - Remove UIGet registration from tools.go
    
    Basic forms retain: title, body, submit with _ui_submitted,
    draft/regular split button (PR), MarkdownEditor, and SuccessView.
    
    * Fix header spacing in issue-write and pr-write UIs
    
    Add proper spacing between icon, title text, and repo name in the
    header bar for both issue-write and create-pull-request forms.
    
    * fix UI spacing
    
    * Revert "Simplify MCP App UIs for basic branch"
    
    This reverts commit 24174b9.
    
    * Undo dependency downgrades in ui/package-lock.json
    
    * Update ui/src/apps/pr-write/App.tsx
    
    Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
    
    * Update ui/src/apps/issue-write/App.tsx
    
    Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
    
    * Implement pagination for uiGetBranches (#2012)
    
    * Initial plan
    
    * Implement pagination for uiGetBranches function
    
    Co-authored-by: mattdholloway <918573+mattdholloway@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
    Co-authored-by: mattdholloway <918573+mattdholloway@users.noreply.github.com>
    
    * update to new insiders feature flag func
    
    * ensure transient state is reset on successive tool calls
    
    * Mark ui_get as app-only visibility
    
    ui_get backs only the MCP App views and has no business in the agent's
    tool list. Per the MCP Apps 2026-01-26 spec, omitting _meta.ui.visibility
    defaults to ["model","app"], which exposes the tool to the model. Declare
    visibility ["app"] so the host hides it from tools/list while the views can
    still invoke it via tools/call.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Update ui_get toolsnap for app-only visibility
    
    Regenerated via UPDATE_TOOLSNAPS to capture the new _meta.ui.visibility.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Assert ui_get declares app-only visibility
    
    Locks in the _meta.ui.visibility ["app"] contract so a future edit can't
    silently re-expose the UI data tool to the model.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Add ui_get to insiders feature docs
    
    Regenerated docs/feature-flags.md and docs/insiders-features.md to include
    the ui_get tool entry.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address ui_get review feedback
    
    - Paginate the labels GraphQL query (cursor-based) so repos with more than
      100 labels return a complete list instead of silently truncating.
    - Emit an empty due_on for milestones without a due date instead of
      formatting the zero time as "0001-01-01".
    - Use NewGitHubAPIErrorResponse in uiGetIssueTypes to preserve GitHub
      response context, matching the other REST-backed methods.
    - Extend tests to cover the labels (GraphQL), milestones (including the
      no-due-date case) and issue_types methods, plus the issue_types error path.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Fix repo reset and stale base-branch in MCP App views
    
    - Re-initialize selectedRepo from toolInput inside the reset-on-invocation
      effect instead of a separate effect. The two effects both depended on
      toolInput and ran in declaration order, so the reset wiped the just-
      initialized repo and the picker never reflected the invocation's owner/repo.
    - Set the default base branch with a functional update in pr-write so a base
      prefilled from toolInput.base (or chosen by the user) isn't overwritten by
      a stale baseBranch value captured before the branches request resolved.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Potential fix for pull request finding
    
    Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
    
    * Fix issue-write repo owner mapping and clear stale UI state on reset
    
    - issue-write: derive owner/name from full_name since search_repositories
      minimal output omits the owner object (mirrors pr-write)
    - pr-write/issue-write: clear available branch/label/assignee/milestone/type
      lists and filters in the toolInput reset effect so prefill effects can't
      match against the previous repo's stale data
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Merge remote-tracking branch 'origin/main' into mcp-ui-apps-advanced
    
    * feat: add pull request editing functionality with reviewers support
    
    * feat: implement interactive form handling for issue and pull request creation and updates
    
    * Close response body per page in ui_get pagination loops
    
    Avoids leaking HTTP connections when paging through assignees,
    milestones, branches, collaborators, and teams.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Cache pr-edit.html in build-ui action
    
    The build-ui cache only saved get-me/issue-write/pr-write HTML, so once a
    cache entry was stored it restored an incomplete ui_dist on later runs and
    skipped the rebuild, leaving pr-edit.html absent and panicking the tests.
    Add pr-edit.html to the cached paths and bump the cache key to v2 to evict
    the incomplete entries.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: tommaso-moro <tommaso-moro@github.com>
    Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
    Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    5 people authored Jun 16, 2026
    Configuration menu
    Copy the full SHA
    4e8eb81 View commit details
    Browse the repository at this point in the history

Commits on Jun 17, 2026

  1. Configuration menu
    Copy the full SHA
    667bd3e View commit details
    Browse the repository at this point in the history
  2. Add tool for getting code quality findings (#2604)

    Co-authored-by: Sam Morrow <info@sam-morrow.com>
    koesie10 and SamMorrowDrums authored Jun 17, 2026
    Configuration menu
    Copy the full SHA
    f9a4dc5 View commit details
    Browse the repository at this point in the history
  3. Change confidence enum to use uppercase values to match GraphQL schema (

    #2715)
    
    * Fix enum values to match those expected by gql
    
    * Update test
    
    * Update doc and snaps
    
    * Normalize lower case confidence values
    
    ---------
    
    Co-authored-by: Ross Tarrant <rosstarrant@github.com>
    reneexeener and RossTarrant authored Jun 17, 2026
    Configuration menu
    Copy the full SHA
    6830c4d View commit details
    Browse the repository at this point in the history
  4. Add repo-scoped support to list_issue_types tool (#2692)

    * Add repo-scoped support to list_issue_types tool
    
    * Render multi-scope tools as "any of" in generated docs
    
    * Clarify issue type field description for repo-scoped list_issue_types
    kelsey-myers authored Jun 17, 2026
    Configuration menu
    Copy the full SHA
    4f73cfd View commit details
    Browse the repository at this point in the history
Loading