Skip to content

Add unit tests for OIDC env var forwarding to MCP gateway docker command#25785

Merged
pelikhan merged 2 commits intomainfrom
copilot/fix-oidc-env-vars-forwarding-again
Apr 11, 2026
Merged

Add unit tests for OIDC env var forwarding to MCP gateway docker command#25785
pelikhan merged 2 commits intomainfrom
copilot/fix-oidc-env-vars-forwarding-again

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 11, 2026
edited
Loading

The compiler-side fix for forwarding ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN to the MCP gateway container is already on main (mcp_setup_generator.go lines 740–747, hasGitHubOIDCAuthInTools() in mcp_environment.go, dedup entries at lines 797–800). However, the only tests exercising the actual docker command output are behind the integration build tag.

  • Added unit tests in mcp_environment_test.go that call generateMCPSetup directly:
    • TestOIDCEnvVarsInDockerCommand — verifies -e ACTIONS_ID_TOKEN_REQUEST_URL and -e ACTIONS_ID_TOKEN_REQUEST_TOKEN appear when auth.type: "github-oidc" is configured
    • TestOIDCEnvVarsNotInDockerCommandWithoutOIDCAuth — verifies neither flag appears for HTTP servers using only header-based auth

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 9055867/b216/_pkgit ahb4/lZep-2Miwczrev-parse 9055867/b216=> git (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json .go 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE de GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --git-dir x_amd64/link /usr/bin/git successfully" GO111MODULE 64/pkg/tool/linu--show-toplevel /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git ned-imports-enabgit GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha sistency_InlinedImports1739600922/001/inlined-a.md go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel l /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 95/001/test-complex-frontmatter-with-tools.md 5Hh4AuvTv x_amd64/compile GOINSECURE %H %ct %D (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linuremote.origin.url /usr/bin/git ut388105450/001 GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -json APhUuwu-5 Name,createdAt,s--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu-goversion /usr/bin/git 7 pkg/mod/golang.orev-parse .lock.yml git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/pkg/typeutil/converev-parse /usr/bin/git runs/20260411-11git -trimpath /usr/bin/git git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha add resolved$ /usr/bin/git ub/workflows GO111MODULE x_amd64/compile git rev-�� --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha add other /usr/bin/git repo464315160/00git GO111MODULE x_amd64/compile git rev-�� --git-dir x_amd64/compile /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a -trimpath /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/xrepos/{owner}/{repo}/actions/runs/5/artifacts /usr/bin/infocmp 98zpKLImZ pkg/mod/go.yaml.rev-parse /opt/hostedtoolc--show-toplevel infocmp (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git TgduJ5Wp9 GO111MODULE ache/go/1.25.8/xe67d1c0bb519a71226a3d1030ff026ab79bc4343..HEAD git rev-�� --show-toplevel ache/go/1.25.8/x12345 /usr/bin/git 8502/001/stabiligit om/modelcontextprev-parse .cfg git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build2499055867/b253/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha -json d.go 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env sm-opt -Oz (size-s GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --get remote.origin.url /usr/bin/git -json GO111MODULE nch,headSha,disp--show-toplevel git rev-�� --show-toplevel x_amd64/compile /usr/bin/git /workflows GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha remove origin /usr/bin/git ub/workflows GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -bool -buildtags /usr/lib/git-core/git -errorsas -ifaceassert -nilfunc /usr/lib/git-core/git rev-�� :latest --stdin /usr/bin/git --exclude-hiddengit --all --quiet git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha 9055867/b108/_pkg_.a rg/x/text@v0.35.0/message/catalog.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -w 9055867/b236/_pkg_.a 4ACQ/f02Eva1ttQPQuPWq4ACQ e/git-upload-pack OUTPUT osh-tekuri/jsonsrev-parse 168.63.129.16 0TVbZDc/ASkd1YfJyjOOm_4W2aWG (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha 9055867/b180/_pkg_.a pRaw/gwkwek_UF5vdtNyzpRaw ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE fips140/ecdsa GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuTest User inst�� 9055867/b107/importcfg flge/CEDVAjFSK2LRG6vPflge 64/pkg/tool/linux_amd64/link GOSUMDB GOWORK 64/bin/go 64/pkg/tool/linux_amd64/link (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha 9055867/b252/_pkg_.a GO111MODULE 9055867/b252=> GOINSECURE b/gh-aw/pkg/giturev-parse GOMODCACHE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu-test.v=true 9055�� itattributes-test978105861/.github/workflows ache/go/1.25.8/x64/src/os/dir.go 64/pkg/tool/linux_amd64/vet -p internal/goexperrev-parse -lang=go1.25 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha /tmp/gh-aw-test-runs/20260411-111618-32334/test-2042798733 resolved$ /usr/bin/git @{u} GO111MODULE x_amd64/link git conf�� user.email test@example.com /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha /tmp/go-build2797956258/b397/cli.test -importcfg /usr/lib/git-core/git-receive-pack -s -w -buildmode=exe git-receive-pack /tmp�� testing.testBinary=1 -extld=gcc /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 7956258/b431/_pkg_.a -buildtags ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -errorsas b/gh-aw/pkg/slicrev-parse -nilfunc ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile push�� 7956258/b449/_pkg_.a my-default 7956258/b449=> -json (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name verutil.go 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/tmp/go-build2797956258/b444/_testmain.go env 205432827 DfcRFzBGz x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 rotocol/go-sdk@v1.5.0/auth/auth.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE go-sdk/mcp GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-buildtags (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name LsRemoteWithRealGitcustom_branch4187696509/001' ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go tion�� ut834929118/001 GO111MODULE 64/pkg/tool/linux_amd64/cgo GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/cgo (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env ithub/workflows xpQFH7LFx /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 rotocol/go-sdk@v1.5.0/jsonrpc/jsonrpc.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a dq87ptaK6 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE ndor/bin/sh GOINSECURE GOMOD GOMODCACHE go env y_with_explicit_repo4129246533/001 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env ithub/workflows 5-yTJqrnP /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 emplate/v3@v3.0.2/compile.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ylQP4Z8/vCNYLdc7D8RXanEmFBss env g_.a LamLkoYmy 64/pkg/tool/linux_amd64/vet GOINSECURE go-sdk/jsonrpc GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name itcustom_branch4187696509/002/work ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 79/001/test-inlined-imports-enabled-with-env-template-expressions-in-body.md GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name /semver/semver.g-nolocalimports 64/pkg/tool/linu-importcfg GOINSECURE .o 64/src/internal/--show-toplevel 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/pkg/timeutil/format_test.go env 205432827 bbyq8rTOi ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE erutil GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 5.0/internal/doc.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 2227816211 bBouUBHdz ache/go/1.25.8/x64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-tests (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go tion�� ut834929118/001 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name l.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 205432827 34i--fWCy ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE tants 64/src/internal/--show-toplevel 64/pkg/tool/linux_amd64/compile env 2227816211/.github/workflows GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu/tmp/file-tracker-test2704707956/test2.lock.yml (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE 1/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node GOINSECURE GOMOD GOMODCACHE go tion�� ut834929118/001 GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name ZW5eqtFbR 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE til GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-test.v=true (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 dyvKs137W 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 2227816211/.github/workflows Bzwz7Kv-X ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-importcfg (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name itbranch_with_hyphen1708200267/002/work tions/setup/js/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go tion�� 6665/001/stability-test.md GO111MODULE n-dir/bash GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name 4/apic.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE age/compact GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 5.0/deviceauth.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a tVIFB3NxN ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE go-sdk/oauthex GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-dwarf=false (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name LsRemoteWithRealGitbranch_with_hyphen1708200267/001' tions/setup/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE 86_64/bash GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path 481440287/001' 481440287/001' 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linuremote2 env edOutput3143868923/001 GO111MODULE ntdrain.test GOINSECURE GOMOD abis ntdrain.test (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel 64/pkg/tool/linuTest User /usr/bin/git ortcfg Kt0zQSK0W ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git ortcfg GO111MODULE ache/go/1.25.8/xgit-upload-pack 'origin' git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha edOutput3143868923/001 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/vet env aw/actions-lock.json ]; then \ cp .github/aw/actions-lock.json -p CLJOlIPxV ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha e_wasm.s GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE iE8t3kR/-pSRkXIpremote (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env lGitmain_branch2--repo lGitmain_branch2owner/repo sh GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ode_modules/.bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha edOutput3143868923/001 GO111MODULE ntdrain.test GOINSECURE GOMOD abis ntdrain.test 7979�� stall-gh-aw.sh to actions/setup-cli/install.sh..-c=4 qrk06zUvD x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE cii GOMODCACHE 64/pkg/tool/linux_amd64/vet env DIATz0CEW GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuconfig (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env .js' --ignore-path .prettierignore GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -nolocalimports -importcfg /tmp/go-build2797956258/b412/importcfg -pack /tmp/go-build2797956258/b412/_testmain.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo /sh GOINSECURE GOMOD GOMODCACHE go env h ../../../.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build2797956258/b397/cli.test /tmp/go-build2797956258/b397/cli.test -test.testlogfile=/tmp/go-build2797956258/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build2499055867/b207/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /tmp/go-build3424900449/b397/cli.test /tmp/go-build3424900449/b397/cli.test -test.testlogfile=/tmp/go-build3424900449/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true ../../../.prettish git /usr/bin/git go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json th_meta.go 64/bin/go GOINSECURE GOMOD y.s go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 11, 2026 that may be closed by this pull request
Compiler does not forward OIDC env vars to MCP Gateway docker run command #25646
Closed
Copilot AI changed the title [WIP] Fix compiler to forward OIDC env vars to MCP Gateway Add unit tests for OIDC env var forwarding to MCP gateway docker command Apr 11, 2026
Copilot AI requested a review from pelikhan April 11, 2026 11:36
@github-actions github-actions bot mentioned this pull request Apr 11, 2026
Open
@pelikhan pelikhan marked this pull request as ready for review April 11, 2026 13:44
Copilot AI review requested due to automatic review settings April 11, 2026 13:44
@pelikhan pelikhan merged commit c4a5a3a into main Apr 11, 2026
54 checks passed
@pelikhan pelikhan deleted the copilot/fix-oidc-env-vars-forwarding-again branch April 11, 2026 13:44
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds non-integration unit coverage to ensure GitHub Actions OIDC environment variables are forwarded into the MCP gateway container’s docker run command when auth.type: github-oidc is configured.

Changes:

  • Add a unit test asserting -e ACTIONS_ID_TOKEN_REQUEST_URL and -e ACTIONS_ID_TOKEN_REQUEST_TOKEN appear in generated MCP gateway docker command output when an HTTP MCP server uses github-oidc auth.
  • Add a unit test asserting those -e ... flags are absent when no tool uses github-oidc auth.
Show a summary per file
File Description
pkg/workflow/mcp_environment_test.go Adds unit tests that call generateMCPSetup and validate OIDC env var forwarding behavior in the generated docker command.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0

@github-actions github-actions bot mentioned this pull request Apr 11, 2026
Open
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 11, 2026

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100

Excellent test quality

Metric Value
New/modified tests analyzed 3 (+ 7 table-driven sub-cases)
✅ Design tests (behavioral contracts) 3 (100%)
⚠️ Implementation tests (low value) 0 (0%)
Tests with error/edge cases 3 (100%)
Duplicate test clusters 0
Test inflation detected No1
🚨 Coding-guideline violations None

Test Classification Details

Test File Classification Issues Detected
TestHasGitHubOIDCAuthInTools pkg/workflow/mcp_environment_test.go ✅ Design None — 7 table-driven cases covering empty, non-OIDC, OIDC, mixed, and stdio scenarios
TestOIDCEnvVarsInDockerCommand pkg/workflow/mcp_environment_test.go ✅ Design None — asserts OIDC env vars appear in docker command output when auth is configured
TestOIDCEnvVarsNotInDockerCommandWithoutOIDCAuth pkg/workflow/mcp_environment_test.go ✅ Design None — negative assertion verifies OIDC env vars are absent when not needed

Flagged Tests — Requires Review

No tests flagged. All new tests enforce clear behavioral contracts.

Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 3 Test functions — unit (//go:build !integration)
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). All three tests verify observable, user-facing behavior: the return value of hasGitHubOIDCAuthInTools across seven distinct input shapes, and the presence/absence of OIDC env var flags in the generated docker command string. Assertion messages are descriptive, build tag is present, no mock libraries used, and both positive and negative cases are covered.

1 The corresponding production file (mcp_environment.go) had no lines added in this PR — tests were added retroactively for existing code. This is not test inflation; the 2:1 ratio check is not applicable.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel · ● 462.5K ·

github-actions[bot]
github-actions bot approved these changes Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 100/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All three tests enforce clear behavioral contracts with edge cases covered and no coding-guideline violations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@github-actions github-actions[bot] github-actions[bot] approved these changes

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Compiler does not forward OIDC env vars to MCP Gateway docker run command

3 participants

@pelikhan