-
Notifications
You must be signed in to change notification settings - Fork 4.6k
Comparing changes
Open a pull request
base repository: github/github-mcp-server
base: v1.5.0
head repository: github/github-mcp-server
compare: v1.6.0
- 16 commits
- 209 files changed
- 16 contributors
Commits on Jul 1, 2026
-
chore(deps): upgrade go-sdk to v1.7.0-pre.1 (new MCP spec) (#2787)
* chore(deps): upgrade go-sdk to v1.7.0-pre.1 (new MCP spec) Bumps github.com/modelcontextprotocol/go-sdk v1.6.1 -> v1.7.0-pre.1, the pre-release that implements the new stateless MCP spec (SEP-2575 server/discover, SEP-2567 sessionless, MRTR per SEP-2322). The only source-visible change is tool annotation serialization: the new SDK drops `omitempty` on ToolAnnotations.ReadOnlyHint and IdempotentHint, so false values are now emitted explicitly. Regenerated the 113 affected toolsnaps to match. No behavioural changes; build, vet, test and lint all pass. Refs: github/copilot-mcp-core#1709 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * chore: regenerate license files Auto-generated by license-check workflow * ci(mcp-diff): pin to cross-spec-aware mcp-server-diff (3c2d5ea) Pins both the stdio and streamable-http MCP Server Diff jobs to the 3.0 branch of SamMorrowDrums/mcp-server-diff (commit 3c2d5ea), which normalizes cross-spec-version churn: _meta protocol plumbing, CacheableResult cache hints, the initialize envelope, and tool-annotation default hints. Without it the go-sdk v1.6.1 -> v1.7.0-pre.1 bump would surface ~113 spurious idempotentHint/readOnlyHint:false diffs from the SDK dropping omitempty. Temporary commit pin; move to the v3.0.0 tag once it ships. Refs: github/copilot-mcp-core#1709 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci(mcp-diff): bump to a2ba618 (stateless server/discover probe) a2ba618 adds the SEP-2575 server/discover stateless probe path, so each server is probed at its own newest supported spec (base v1.6.1 via initialize/2025-11-25, this branch via server/discover/2026-07-28) rather than negotiating both down to the legacy handshake. Produces an honest, signal-only cross-spec diff. Still a temporary commit pin; moves to v3.0.0 once tagged. Refs: github/copilot-mcp-core#1709 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci(mcp-diff): use full commit SHA for action pin Actions rejects shortened SHAs ('not supported'); use the full a2ba618c42293fb36e67be88e59c60d5608a302a so the action resolves. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci(mcp-diff): track 3.0 HEAD (8fc26d8, becomes v3.0.0) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(inventory): project owner/repo to Mcp-Param-* headers (SEP-2243) Annotates owner/repo tool params with x-mcp-header so the SDK projects them to Mcp-Param-owner/Mcp-Param-repo request headers. A remote proxy can route and filter on owner/repo from headers instead of re-parsing the JSON-RPC body (headers are SDK-validated against the body). No-op for tools without these params; old-protocol traffic unaffected. Refs: github/copilot-mcp-core#1709, #1828 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(inventory): preserve instructions in ForMCPRequest incl. server/discover ForMCPRequest dropped the generated instructions when narrowing the per-request inventory, so HTTP server/discover (and initialize) returned empty instructions even though the full inventory had them. Preserve instructions on the copy and treat server/discover like initialize. Fixes discover<->initialize parity flagged on go-sdk#1034 (root cause was here, not the SDK). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci(mcp-diff): pin to mcp-server-diff v3.0.0 Release is out; move both jobs from the 3.0-branch SHA to v3.0.0 (3521651, full SHA since Actions rejects short SHAs). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test(github): enforce owner/repo header projection across all tools Export HeaderParams + AnnotateHeaderParams and add a coverage test over the full all-toolsets inventory asserting every owner/repo param projects to its Mcp-Param-* header. Guards the remote proxy's per-request header read so a new tool can never silently ship without it (would fall back to body re-parsing). Adding a future routing param is one entry in inventory.HeaderParams. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(inventory): clone schema before header annotation to avoid shared-map race AnnotateHeaderParams mutated the *jsonschema.Schema (and per-property Extra maps) shared with the original tool definition via the caller's shallow copy. Under per-request registration (remote server), concurrent requests could race on — and fatally panic from — the same Extra map. Now clone only what we touch (schema value, Properties map, annotated property schemas + their Extra maps); the original is never written. Adds a no-mutation test and a 64-goroutine race regression (go test -race clean). Addresses Copilot review on #2787. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 225c47c - Browse repository at this point
Copy the full SHA 225c47cView commit details -
build(deps): bump SamMorrowDrums/mcp-server-diff
Bumps [SamMorrowDrums/mcp-server-diff](https://github.com/sammorrowdrums/mcp-server-diff) from 3521651bb0d3cc267a23df8d94a2a645556980a4 to 40d992e0a220e5b63378758f9a40d6a8982898d2. - [Release notes](https://github.com/sammorrowdrums/mcp-server-diff/releases) - [Commits](SamMorrowDrums/mcp-server-diff@3521651...40d992e) --- updated-dependencies: - dependency-name: SamMorrowDrums/mcp-server-diff dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Configuration menu - View commit details
-
Copy full SHA for 9bdbcaa - Browse repository at this point
Copy the full SHA 9bdbcaaView commit details
Commits on Jul 6, 2026
-
build(deps): bump golang.org/x/net from 0.38.0 to 0.55.0 in the go_mo…
…dules group across 1 directory (#2806) * build(deps): bump golang.org/x/net Bumps the go_modules group with 1 update in the / directory: [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/net` from 0.38.0 to 0.55.0 - [Commits](golang/net@v0.38.0...v0.55.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.55.0 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com> * chore: regenerate license files Auto-generated by license-check workflow --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for a074b94 - Browse repository at this point
Copy the full SHA a074b94View commit details -
build(deps): bump goreleaser/goreleaser-action from 7.2.2 to 7.2.3 (#…
…2796) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 7.2.2 to 7.2.3. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@5daf1e9...f06c13b) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Iryna Kulakova <52420926+IrynaKulakova@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for e5ad9de - Browse repository at this point
Copy the full SHA e5ad9deView commit details -
Add is_suggestion + rationale to update_issue_assignees (#2821)
* Add is_suggestion + rationale to update_issue_assignees * Align assignee confidence to uppercase LOW/MEDIUM/HIGH; add non-string/object test
Configuration menu - View commit details
-
Copy full SHA for 49abf15 - Browse repository at this point
Copy the full SHA 49abf15View commit details -
Add rationale and confidence to closing an issue (#2802)
* Add rationale and confidence to closing an issue * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Fix review feedback for update_issue_state validation/docs --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Roberto Nacu <kerobbi@github.com>
Configuration menu - View commit details
-
Copy full SHA for 74c34cd - Browse repository at this point
Copy the full SHA 74c34cdView commit details
Commits on Jul 7, 2026
-
Sanitize and lockdown-gate issue_read get_parent title (#2780)
* Sanitize and lockdown-gate issue_read get_parent title GetIssueParent returned the parent issue title raw and ungated by lockdown mode, so an agent could read an unverified, possibly cross-repo parent title even with lockdown enabled. Always sanitize the parent title and, under lockdown mode, only return the parent when its author has push access to the parent repository, failing closed otherwise. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Prove sanitization in get_parent test; trim comments Embed a U+202E BiDi control char in the mocked parent title so the happy-path assertion fails if Sanitize is removed, and tighten the GetIssueParent comments. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Roberto Nacu <kerobbi@github.com>
Configuration menu - View commit details
-
Copy full SHA for 6592847 - Browse repository at this point
Copy the full SHA 6592847View commit details -
Enrich issue_read get with hierarchy relationship signals (#2764)
* Enrich issue_read get with hierarchy relationship signals The default issue_read `get` payload surfaced no hierarchy data, forcing agents to drop to raw REST (parent_issue_url) or scan sibling sub_issues to discover relationships. Enrich `get` with a layered, zero-extra-round-trip relationship signal derived from a single combined GraphQL query: - has_parent / has_children: cheap, always-emitted routing booleans (addresses Sam Morrow's #2726 review note). - parent: compact ref (number/title/state/url/repository) mirroring the existing get_parent payload keys; omitted when there is no parent. - sub_issues_summary: native subIssuesSummary counts (total/completed/ percent_completed); omitted when there are no sub-issues. The single-issue field-values GraphQL call in GetIssue is replaced by one combined query (fetchIssueReadEnrichment) returning field values + parent + subIssuesSummary, so `get` adds no round-trips. Enrichment is best-effort: a query failure still returns the base issue and never fails `get`. Parent titles are sanitized (parent may be cross-repo) and redacted under lockdown mode unless the parent content can be verified as safe; numeric/structural fields and counts stay intact. get_parent / sub_issue_write behavior is unchanged; tool descriptions clarify hierarchy is read here but written via sub_issue_write (no writable parent field). Refs github/planning-tracking#3306 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Tighten hierarchy tool wording Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Omit unverified parent under lockdown instead of redacting title Align issue_read get parent enrichment with the codebase's existing lockdown patterns: rather than introducing a third, redaction-with-sentinel behavior, omit the whole parent reference when its (possibly cross-repo) content cannot be verified safe. This mirrors how unsafe comments, sub-issues, and PR reviews are filtered out. has_parent stays true so an agent can still route to get_parent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Restore explicit issue read query matcher Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Omit hierarchy flags when enrichment fails Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address hierarchy review nits Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Roberto Nacu <kerobbi@github.com>
Configuration menu - View commit details
-
Copy full SHA for b7bc3dc - Browse repository at this point
Copy the full SHA b7bc3dcView commit details -
build(deps): bump docker/build-push-action from 7.2.0 to 7.3.0 (#2828)
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 7.2.0 to 7.3.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@f9f3042...53b7df9) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: 7.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Iryna Kulakova <52420926+IrynaKulakova@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 40db5e3 - Browse repository at this point
Copy the full SHA 40db5e3View commit details
Commits on Jul 8, 2026
-
chore(deps): bump go-github v87 → v89 and resolve breaking changes (#…
…2840) * chore(deps): bump go-github v87 -> v89 and resolve breaking changes Bumps google/go-github from v87 to v89 across the module and fixes the resulting breaking changes. No tool or behavior changes. - Rewrite all import paths go-github/v87 -> go-github/v89. - gists.go: Gists.Create now takes CreateGistRequest by value and Gists.Edit is renamed to Gists.Update taking UpdateGistRequest. - repositories_test.go: adapt to RepositoryRelease fields that became value types in v89 (ID, TagName, Draft). - Regenerate third-party license files for the new module path. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Don't clear gist description on update when omitted update_gist always sent Description as a pointer to the OptionalParam zero value (""), so omitting description would overwrite an existing gist description with an empty string. Only set UpdateGistRequest.Description when the caller actually provided the argument; an explicit empty string still clears it. Adds a test asserting the description key is absent from the PATCH body when omitted and present when set. This addresses a pre-existing behavior surfaced while migrating to the v89 gist request types. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 778f5bb - Browse repository at this point
Copy the full SHA 778f5bbView commit details
Commits on Jul 9, 2026
-
Reimplement issue dependencies on go-github v89 REST API (#2839)
* Reimplement issue dependencies on go-github v89 REST API Issue dependencies (blocked_by / blocking) were implemented on GraphQL via githubv4. Because the pinned githubv4 library predates the dependency mutations, the code hand-declared AddBlockedByInput / RemoveBlockedByInput and resolved issue numbers to node IDs with a custom aliased query. go-github v89 adds first-class REST methods (ListBlockedBy, ListBlocking, AddBlockedBy, RemoveBlockedBy), so switch issue_dependency_read and issue_dependency_write to those. This removes the workaround, aligns the tools with the rest of the REST-based issue tooling, and simplifies tests. - Rewrite issue_dependencies.go on REST: page-based pagination for reads, and a single Issues.Get to resolve the blocking issue's database ID for writes. Preserve the tool surface, self-dependency guard and cross-repo support. - Rewrite the issue dependency tests on the REST mock helpers. - Regenerate the read toolsnap (cursor -> page pagination) and docs. Refs #950 Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Normalize issue dependency ref state to match other tools The REST issue-dependency endpoints return lower-case issue states (open/closed), whereas the previous GraphQL implementation and the sibling get_parent tool populate MinimalIssueRef.State from the GraphQL IssueState enum (OPEN/CLOSED). Upper-case the state in issueToDependencyRef so the field stays consistent across every tool that emits a MinimalIssueRef, and guard against a nil issue while here. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 6787f08 - Browse repository at this point
Copy the full SHA 6787f08View commit details
Commits on Jul 10, 2026
-
Add README community resource links (#2848)
Co-authored-by: Codex <codex@openai.com>
Configuration menu - View commit details
-
Copy full SHA for a718d37 - Browse repository at this point
Copy the full SHA a718d37View commit details -
Add fields param to search_code and get_file_contents (#2775)
* Add fields param to search_code and get_file_contents Add an optional `fields` array parameter to the `search_code` and `get_file_contents` tools so callers can request only the fields they need, reducing tool response size and context usage. - search_code: filters each result item to the selected fields while preserving the total_count / incomplete_results wrapper. - get_file_contents: filters each directory entry when listing a directory; ignored for single-file responses. Adds shared filterFields / filterEachField helpers and per-tool field enums, plus unit tests and regenerated toolsnaps and docs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Gate fields param behind fields_param flag and add usage telemetry Register search_code and get_file_contents as two mutually exclusive variants gated by the new `fields_param` feature flag, following the existing dual-variant flag pattern: - The flag-enabled variant advertises the optional `fields` parameter and filters each result to the requested subset. It owns the `<tool>_ff_fields_param` toolsnap. - The Legacy* variant exposes the original schema with no `fields` parameter and never filters, acting as a kill switch when the flag is off. It owns the canonical toolsnap. Add best-effort, low-cardinality telemetry at each tool's filter point to measure adoption and realized savings: - `mcp.fields.tool_call` (increment) tagged by tool and whether the response was filtered. - `mcp.fields.bytes_full` / `bytes_sent` / `bytes_saved` (counters) tagged by tool, emitted only when a response was filtered. Tags are limited to `tool` and `filtered` to bound cardinality; repo, owner, user, query, and the requested field list are never tagged. The local server discards these via the noop metrics sink, while hosted deployments inject a real sink. Metrics accessors now fall back to a noop sink when no exporter is configured so emitting telemetry never panics. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Drop mcp.fields.bytes_saved metric Remove the mcp.fields.bytes_saved counter. It is derivable on the dashboard from the two remaining byte counters, since sum(bytes_full) - sum(bytes_sent) equals the total saved at any rollup, so emitting it separately is redundant. Keeping only bytes_full and bytes_sent shrinks the emitted telemetry surface. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 3b8ff50 - Browse repository at this point
Copy the full SHA 3b8ff50View commit details -
Add fields param to six more list/search tools (#2810)
* Add fields param to six more list/search tools Extend the optional `fields` response-filtering parameter (gated behind the `fields_param` feature flag, with adoption/savings telemetry) to six more read tools, following the dual-variant pattern already used by search_code and get_file_contents: - list_issues, list_pull_requests, list_commits, list_releases - search_issues, search_pull_requests For each tool, `X` is the flag-enabled variant that advertises `fields` and filters each result item to the requested subset, while `LegacyX` exposes the original schema and never filters, acting as a kill switch when the flag is off. Exactly one variant survives inventory filtering for any flag state via mutually exclusive FeatureFlagEnable / FeatureFlagDisable annotations. Wrapped responses (list_issues, search_issues, search_pull_requests) preserve their count / pagination envelope and only filter the item list; bare-array responses keep their array shape. Filtering reuses the shared filterEachField helper. A new fieldsSchemaProperty helper builds the `fields` schema (search_code and get_file_contents now use it too), and a shared recordFieldsUsageFor helper centralizes the telemetry full-size computation. Each field enum lists only the JSON fields the specific tool actually emits: list_commits omits stats/files (requested without per-file detail) and list_issues lists only the fields its GraphQL fragment populates. Adds per-tool field-filtering, telemetry, and Legacy definition tests, extends the mutual-exclusivity gating test to all eight gated tools, and regenerates the `_ff_fields_param` toolsnaps and feature-flag docs. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Remove duplicate tool doc comments Address review: drop the leftover one-line doc comment above each dual-variant tool constructor (list_issues, list_pull_requests, list_commits, list_releases, search_issues, search_pull_requests); the detailed variant comment remains. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 439ec71 - Browse repository at this point
Copy the full SHA 439ec71View commit details -
MCP: name-based resolution for Projects fields (#2760)
* Let agents address Project fields, single-select options, and item field values by name through the GitHub MCP server * Adding a method to resolve params resolveItemIDFromIssueArgs * Adding the DatabaseID to be able to match the graphQL * Changing the parsing to strconv.ParseInt * Changing description. * update readme * Fixing copilot comments * Adding Case-insensitive matching and fields + field_names guard * running snaps and readme
Configuration menu - View commit details
-
Copy full SHA for c36e4e4 - Browse repository at this point
Copy the full SHA c36e4e4View commit details
Commits on Jul 15, 2026
-
Enable fields param in Insiders mode
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 7629b6e - Browse repository at this point
Copy the full SHA 7629b6eView commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v1.5.0...v1.6.0