Add GitHub Actions MCP server for viewing workflow results (#231)

* actions server * tmp * Replace view_actions_results with additional_permissions input - Changed input from boolean view_actions_results to a more flexible additional_permissions format - Uses newline-separated colon format similar to claude_env (e.g., "actions: read") - Maintains permission checking to warn users when their token lacks required permissions - Updated all tests to use the new format This allows for future extensibility while currently supporting only "actions: read" permission. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Update GitHub Actions MCP server with RUNNER_TEMP and status filtering - Use RUNNER_TEMP environment variable for log storage directory (defaults to /tmp) - Add status parameter to get_ci_status tool to filter workflow runs - Supported statuses: completed, action_required, cancelled, failure, neutral, skipped, stale, success, timed_out, in_progress, queued, requested, waiting, pending - Pass RUNNER_TEMP from install-mcp-server.ts to the MCP server environment 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add GitHub Actions MCP tools to allowed tools when actions:read is granted - Automatically include github_ci MCP server tools in allowed tools list when actions:read permission is granted - Added mcp__github_ci__get_ci_status, mcp__github_ci__get_workflow_run_details, mcp__github_ci__download_job_log - Simplified permission checking to avoid duplicate parsing logic - Added tests for the new functionality This ensures Claude can use the Actions tools when the server is enabled. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Refactor additional permissions parsing to parseGitHubContext - Moved additional permissions parsing from individual functions to centralized parseGitHubContext - Added parseAdditionalPermissions function to handle newline-separated colon format - Removed redundant additionalPermissions parameter from prepareMcpConfig - Updated tests to use permissions from context instead of passing as parameter - Added comprehensive tests for parseAdditionalPermissions function This centralizes all input parsing logic in one place for better maintainability. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Remove unnecessary hasActionsReadPermission parameter from createPrompt - Removed hasActionsReadPermission parameter since createPrompt has access to context - Calculate hasActionsReadPermission directly from context.inputs.additionalPermissions inside createPrompt - Simplified prepare.ts by removing intermediate permission check This completes the refactoring to centralize all permission handling through the context object. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: Add documentation for additional_permissions feature - Document the new additional_permissions input that replaces view_actions_results - Add dedicated section explaining CI/CD integration with actions:read permission - Include example workflow showing how to grant GitHub token permissions - Update main workflow example to show optional additional_permissions usage 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * roadmap --------- Co-authored-by: Claude <noreply@anthropic.com>
2026-01-22 22:44:13 +08:00 · 2025-07-03 18:58:02 -07:00
parent 3c739a8cf3
commit 23fae74fdb
14 changed files with 772 additions and 26 deletions
--- a/src/mcp/install-mcp-server.ts
+++ b/src/mcp/install-mcp-server.ts
@@ -1,5 +1,7 @@
 import * as core from "@actions/core";
 import { GITHUB_API_URL } from "../github/api/config";
+import type { ParsedGitHubContext } from "../github/context";
+import { Octokit } from "@octokit/rest";

 type PrepareConfigParams = {
  githubToken: string;
@@ -9,8 +11,41 @@ type PrepareConfigParams = {
  additionalMcpConfig?: string;
  claudeCommentId?: string;
  allowedTools: string[];
+  context: ParsedGitHubContext;
 };

+async function checkActionsReadPermission(
+  token: string,
+  owner: string,
+  repo: string,
+): Promise<boolean> {
+  try {
+    const client = new Octokit({ auth: token });
+
+    // Try to list workflow runs - this requires actions:read
+    // We use per_page=1 to minimize the response size
+    await client.actions.listWorkflowRunsForRepo({
+      owner,
+      repo,
+      per_page: 1,
+    });
+
+    return true;
+  } catch (error: any) {
+    // Check if it's a permission error
+    if (
+      error.status === 403 &&
+      error.message?.includes("Resource not accessible")
+    ) {
+      return false;
+    }
+
+    // For other errors (network issues, etc), log but don't fail
+    core.debug(`Failed to check actions permission: ${error.message}`);
+    return false;
+  }
+}
+
 export async function prepareMcpConfig(
  params: PrepareConfigParams,
 ): Promise<string> {
@@ -22,6 +57,7 @@ export async function prepareMcpConfig(
    additionalMcpConfig,
    claudeCommentId,
    allowedTools,
+    context,
  } = params;
  try {
    const allowedToolsList = allowedTools || [];
@@ -53,6 +89,42 @@ export async function prepareMcpConfig(
      },
    };

+    // Only add CI server if we have actions:read permission and we're in a PR context
+    const hasActionsReadPermission =
+      context.inputs.additionalPermissions.get("actions") === "read";
+
+    if (context.isPR && hasActionsReadPermission) {
+      // Verify the token actually has actions:read permission
+      const actuallyHasPermission = await checkActionsReadPermission(
+        process.env.ACTIONS_TOKEN || "",
+        owner,
+        repo,
+      );
+
+      if (!actuallyHasPermission) {
+        core.warning(
+          "The github_ci MCP server requires 'actions: read' permission. " +
+            "Please ensure your GitHub token has this permission. " +
+            "See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token",
+        );
+      }
+      baseMcpConfig.mcpServers.github_ci = {
+        command: "bun",
+        args: [
+          "run",
+          `${process.env.GITHUB_ACTION_PATH}/src/mcp/github-actions-server.ts`,
+        ],
+        env: {
+          // Use workflow github token, not app token
+          GITHUB_TOKEN: process.env.ACTIONS_TOKEN,
+          REPO_OWNER: owner,
+          REPO_NAME: repo,
+          PR_NUMBER: context.entityNumber.toString(),
+          RUNNER_TEMP: process.env.RUNNER_TEMP || "/tmp",
+        },
+      };
+    }
+
    if (hasGitHubMcpTools) {
      baseMcpConfig.mcpServers.github = {
        command: "docker",