Navigation Menu
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
Comparing changes
Open a pull request
base repository: github/github-mcp-server
base: 3422703
head repository: github/github-mcp-server
compare: 4f73cfd
- 12 commits
- 62 files changed
- 13 contributors
Commits on Jun 15, 2026
-
fix(repos): default create_repository to private when visibility omit…
…ted (#2694) Previously, omitting the `private` parameter on create_repository defaulted the new repository to public, an insecure default that could unintentionally expose code, configuration, and history. Omission now defaults to a private repository; public repositories are only created when `private` is explicitly set to false. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for b879ca2 - Browse repository at this point
Copy the full SHA b879ca2View commit details -
Add explicit show_ui parameter to UI-enabled write tools (#2601)
* Add explicit show_ui parameter to UI-enabled write tools Today the server decides whether to route issue_write and create_pull_request through the MCP App form using two implicit signals: _ui_submitted (set by the form on submit) and a heuristic that bypasses the form when the call carries any parameter the form cannot represent (labels, assignees, issue_fields, state, reviewers, etc.). The model had no first-class, documented way to say "execute directly, do not show a form". Add a show_ui boolean parameter to the input schema of IssueWrite, LegacyIssueWrite, and CreatePullRequest. It defaults to true and is visible only to clients that advertise MCP App UI support: the strip happens per-request in inventory.ToolsForRegistration via a new stripUIOnlySchemaProperties helper, gated by the same predicate that already strips _meta.ui (shouldStripMCPAppsMetadata). The two strips share one decision so the schema and metadata stay in lock-step. Form-routing predicate becomes: MCPApps FF on && client supports UI && !_ui_submitted && show_ui && !hasNonFormParams show_ui=false is a new explicit way for the model to opt out. The existing non-form-param auto-bypass stays as a safety net, and the React forms keep sending _ui_submitted=true on submit unchanged. get_me is out of scope because its UI is pure client-side card rendering with no server-side gating to replace. The current strip gate ("strip when FF is off OR capability explicitly absent") mirrors today's _meta.ui behavior exactly, including the "capability unknown" case. For stdio that means UI-capable schemas are exposed to any FF-enabled client. The handler-side clientSupportsUI check still gates form execution at call time, so it is functionally a no-op for non-UI stdio clients. A separate follow-up will tighten the gate to "strip on unknown too" and wire an InitializedHandler in stdio to re-register the un-stripped surface only after a UI-capable client has advertised; the two changes must ship together to avoid breaking stdio. docs/feature-flags.md and docs/insiders-features.md include an unrelated "reviewers" description update picked up by script/generate-docs from commit 2bd162a ("fix: support team pull request reviewers"), which updated the source schema but did not regenerate docs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Clarify where show_ui appears in generated docs The code comments next to the show_ui schema entries (and the uiOnlySchemaProperties allowlist) said the property is documented in "toolsnaps / README". README is generated from the stripped (non-UI) schema, so show_ui is not actually in it — it only appears in toolsnaps and the feature-flag / insiders docs. Reword the comments to match reality. Comment-only change; no behavior or test impact. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Guard issue_write/create_pull_request schemas against UI-gating desync The form-routing logic depends on a hand-maintained classification of each schema property into form-resendable vs known-non-form. A new property added without updating the classification would silently shift UI gating behavior (e.g. a form-incompatible param wouldn't trigger the safety-net bypass). Add Test_issueWriteSchemaClassification and Test_createPullRequestSchemaClassification that enumerate each tool's InputSchema.Properties and require every property to be classified as exactly one of: - form-resendable (member of issueWriteFormParams / pullRequestWriteFormParams) - known-non-form (test-local allowlist) A future schema addition without classification fails the test with a message pointing at the exact set the contributor needs to update. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Mark conditional schema parameters in generated docs Previously `show_ui` was listed in docs/feature-flags.md and docs/insiders-features.md alongside ordinary parameters with no indication that it is hidden from clients without MCP App UI support. A reader scanning the parameter list would assume it is always available. Add a programmatic conditional-property mechanism: - `inventory.ConditionalSchemaPropertyDescriptions()` exposes a map[propertyName]conditionDescription derived from the same uiOnlySchemaProperties allowlist that drives the per-request strip in ToolsForRegistration. Single source of truth. - The doc generator (writeToolDoc) consults this map and appends "conditional — <description>" to the parameter's parenthesised type/required suffix. Example rendered output: - `show_ui`: Whether to render the MCP App form... (boolean, optional, conditional — only visible to clients that advertise MCP App UI support) A small test (TestConditionalSchemaPropertyDescriptions) ensures every entry in uiOnlySchemaProperties has a description, so a future stripped property addition can't silently lose its doc marker. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Sam Morrow <sammorrowdrums@github.com>Configuration menu - View commit details
-
Copy full SHA for d27540f - Browse repository at this point
Copy the full SHA d27540fView commit details -
Configuration menu - View commit details
-
Copy full SHA for 909235e - Browse repository at this point
Copy the full SHA 909235eView commit details
Commits on Jun 16, 2026
-
Configuration menu - View commit details
-
Copy full SHA for 308ae5b - Browse repository at this point
Copy the full SHA 308ae5bView commit details -
build(deps): bump golang from
cd2fb35to8d95af5(#2699)Bumps golang from `cd2fb35` to `8d95af5`. --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.11-alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for de9aee0 - Browse repository at this point
Copy the full SHA de9aee0View commit details -
build(deps): bump distroless/base-debian12 from
58695f4toe7e678c(#2698) Bumps distroless/base-debian12 from `58695f4` to `e7e678c`. --- updated-dependencies: - dependency-name: distroless/base-debian12 dependency-version: e7e678c88c59e70e105a46549bb3fbfb3d732ee3b4afd3a19fdab2e15afaa6b3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 117bace - Browse repository at this point
Copy the full SHA 117baceView commit details -
build(deps): bump node from
144769eto3ad34ca(#2697)Bumps node from `144769e` to `3ad34ca`. --- updated-dependencies: - dependency-name: node dependency-version: 26-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 6586b84 - Browse repository at this point
Copy the full SHA 6586b84View commit details -
MCP Apps with extra functionality (#1974)
* PoC full flow (hello world example) * add avatar resource domain * add postmessage logic and richer UI * add create issue ui * update ui for issue creatioon * fix * ignore banner * update docs after rebase * update toolsnap for get_me * new UI changes * update docs * update workflows that need ui build * add UI diff * fix build ui step for windows runners to use git bash * fix UI diff * refactor issue creation UI * add AvatarWithFallback component and update UserCard to use it; enhance CreateIssueApp to manage existing issue data * fix formatting of button labels * add create pull request functionality with UI support and insiders * update docs * add test for insiders mode handling in ServerTool schema * remove `show_ui` param for now * make insiders mode metadata stripping generic * remove ui diff * fix CI * remove redundant mention of old app name * add node types to fix ide issues for ts code * remove unused TriangleDownIcon import * update @primer/behaviors and electron-to-chromium versions in package-lock.json * add check to ensure base and head are not the same when creating a new PR * remove old show_ui * fix gitignore for dist so builds dont break * add tests for insiders mode handling and metadata stripping in ServerTool * remove unused state and components from CreatePRApp * fix ui build * update docker build to fix npm issue * remove reference to show_ui * allow insiders to work for non-ui features * formalise insiders inventory support * update docs * fix overflow issues and replace pull request dropdown with matching UI from dotcom * fix createpullrequest test * consolidate fetching tools under `ui_get` tool to remove toolset deps * fix issue data prefill in issue_write form * fix link component when updating issue * fix avatar URL * fix broken issue update logic * remove dbg * fix for new GetFlags * revert to original required fields for create_pull_request * fix for UI form submission * Simplify MCP App UIs for basic branch Remove advanced features to be kept in mcp-ui-apps-advanced: - Strip labels, assignees, milestones, issue types, repo picker from issue-write - Strip repo picker, branch selectors from pr-write - Delete ui_get tool (ui_tools.go, ui_tools_test.go, ui_get.snap) - Remove UIGet registration from tools.go Basic forms retain: title, body, submit with _ui_submitted, draft/regular split button (PR), MarkdownEditor, and SuccessView. * Fix header spacing in issue-write and pr-write UIs Add proper spacing between icon, title text, and repo name in the header bar for both issue-write and create-pull-request forms. * fix UI spacing * Revert "Simplify MCP App UIs for basic branch" This reverts commit 24174b9. * Undo dependency downgrades in ui/package-lock.json * Update ui/src/apps/pr-write/App.tsx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update ui/src/apps/issue-write/App.tsx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Implement pagination for uiGetBranches (#2012) * Initial plan * Implement pagination for uiGetBranches function Co-authored-by: mattdholloway <918573+mattdholloway@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: mattdholloway <918573+mattdholloway@users.noreply.github.com> * update to new insiders feature flag func * ensure transient state is reset on successive tool calls * Mark ui_get as app-only visibility ui_get backs only the MCP App views and has no business in the agent's tool list. Per the MCP Apps 2026-01-26 spec, omitting _meta.ui.visibility defaults to ["model","app"], which exposes the tool to the model. Declare visibility ["app"] so the host hides it from tools/list while the views can still invoke it via tools/call. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Update ui_get toolsnap for app-only visibility Regenerated via UPDATE_TOOLSNAPS to capture the new _meta.ui.visibility. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Assert ui_get declares app-only visibility Locks in the _meta.ui.visibility ["app"] contract so a future edit can't silently re-expose the UI data tool to the model. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Add ui_get to insiders feature docs Regenerated docs/feature-flags.md and docs/insiders-features.md to include the ui_get tool entry. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address ui_get review feedback - Paginate the labels GraphQL query (cursor-based) so repos with more than 100 labels return a complete list instead of silently truncating. - Emit an empty due_on for milestones without a due date instead of formatting the zero time as "0001-01-01". - Use NewGitHubAPIErrorResponse in uiGetIssueTypes to preserve GitHub response context, matching the other REST-backed methods. - Extend tests to cover the labels (GraphQL), milestones (including the no-due-date case) and issue_types methods, plus the issue_types error path. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix repo reset and stale base-branch in MCP App views - Re-initialize selectedRepo from toolInput inside the reset-on-invocation effect instead of a separate effect. The two effects both depended on toolInput and ran in declaration order, so the reset wiped the just- initialized repo and the picker never reflected the invocation's owner/repo. - Set the default base branch with a functional update in pr-write so a base prefilled from toolInput.base (or chosen by the user) isn't overwritten by a stale baseBranch value captured before the branches request resolved. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Fix issue-write repo owner mapping and clear stale UI state on reset - issue-write: derive owner/name from full_name since search_repositories minimal output omits the owner object (mirrors pr-write) - pr-write/issue-write: clear available branch/label/assignee/milestone/type lists and filters in the toolInput reset effect so prefill effects can't match against the previous repo's stale data Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Merge remote-tracking branch 'origin/main' into mcp-ui-apps-advanced * feat: add pull request editing functionality with reviewers support * feat: implement interactive form handling for issue and pull request creation and updates * Close response body per page in ui_get pagination loops Avoids leaking HTTP connections when paging through assignees, milestones, branches, collaborators, and teams. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Cache pr-edit.html in build-ui action The build-ui cache only saved get-me/issue-write/pr-write HTML, so once a cache entry was stored it restored an incomplete ui_dist on later runs and skipped the rebuild, leaving pr-edit.html absent and panicking the tests. Add pr-edit.html to the cached paths and bump the cache key to v2 to evict the incomplete entries. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: tommaso-moro <tommaso-moro@github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 4e8eb81 - Browse repository at this point
Copy the full SHA 4e8eb81View commit details
Commits on Jun 17, 2026
-
Configuration menu - View commit details
-
Copy full SHA for 667bd3e - Browse repository at this point
Copy the full SHA 667bd3eView commit details -
Add tool for getting code quality findings (#2604)
Co-authored-by: Sam Morrow <info@sam-morrow.com>
Configuration menu - View commit details
-
Copy full SHA for f9a4dc5 - Browse repository at this point
Copy the full SHA f9a4dc5View commit details -
Change confidence enum to use uppercase values to match GraphQL schema (
#2715) * Fix enum values to match those expected by gql * Update test * Update doc and snaps * Normalize lower case confidence values --------- Co-authored-by: Ross Tarrant <rosstarrant@github.com>
Configuration menu - View commit details
-
Copy full SHA for 6830c4d - Browse repository at this point
Copy the full SHA 6830c4dView commit details -
Add repo-scoped support to list_issue_types tool (#2692)
* Add repo-scoped support to list_issue_types tool * Render multi-scope tools as "any of" in generated docs * Clarify issue type field description for repo-scoped list_issue_types
Configuration menu - View commit details
-
Copy full SHA for 4f73cfd - Browse repository at this point
Copy the full SHA 4f73cfdView commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff 3422703...4f73cfd
