Add lockdown mode to filter issue #1371

Merged
JoannaaKL merged 9 commits into main from lockdown-mode
Nov 10, 2025

JoannaaKL (Contributor) commented Nov 7, 2025

This pull request introduces a special operating mode for the GitHub MCP server that, if enabled, will only return content from users with push access to the repository.

Lockdown mode is disabled by default and can be enabled through a console flag lockdown-mode.
This PR only adds lockdown mode to the GetIssue function; it will be applied to the remaining tools in follow-up pull requests.

If lockdown is enabled and a user requests an issue that was added by a user without push access, it will return an error:
[Screenshot: CleanShot 2025-11-07 at 13 39 15@2x]

To enable use a flag run ./cmd/github-mcp-server stdio --lockdown-mode=true
Based on #428

Copilot AI review requested due to automatic review settings November 7, 2025 10:12
JoannaaKL requested a review from a team as a code owner November 7, 2025 10:12

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR introduces a lockdown mode feature for the GitHub MCP Server that restricts access to issue details based on repository visibility and user permissions. When enabled, the feature allows access only to users with push access on public repositories, while private repositories remain unrestricted.

Key Changes

  • Added a new lockdown package with functions to check repository privacy and user permissions via GitHub GraphQL API
  • Integrated lockdown checks into the IssueRead tool's GetIssue method
  • Added FeatureFlags struct and CLI flag to enable/disable lockdown mode

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| pkg/lockdown/lockdown.go | New package implementing lockdown logic with GraphQL-based permission checks |
| pkg/github/feature_flags.go | New feature flags struct to control lockdown behavior |
| pkg/github/issues.go | Integration of lockdown checks in GetIssue function |
| pkg/github/issues_test.go | Test cases for lockdown mode scenarios (private repo and insufficient permissions) |
| pkg/github/tools.go | Updated DefaultToolsetGroup to accept and pass feature flags |
| internal/ghmcp/server.go | Wired lockdown configuration through server setup |
| cmd/github-mcp-server/main.go | Added CLI flag for lockdown mode |
| cmd/github-mcp-server/generate_docs.go | Updated docs generation to pass empty feature flags |

Comment on lines 58 to 71
// Check if the user has push access
hasPush:=false
for_,edge:=rangequery.Repository.Collaborators.Edges {
login:=string(edge.Node.Login)
ifstrings.EqualFold(login,username) {
permission:=string(edge.Permission)
// WRITE, ADMIN, and MAINTAIN permissions have push access
hasPush=permission=="WRITE"||permission=="ADMIN"||permission=="MAINTAIN"
break
}
}

returnhasPush,nil
}
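
Review bot: the loop over query.Repository.Collaborators.Edges only examines the edges the query returned, so whether a collaborator with WRITE, ADMIN or MAINTAIN is recognised depends on that user being in the returned set. If the collaborators connection is not filtered to the login being checked, or has more entries than the requested page size, a user with push access would fall through to return hasPush, nil with hasPush still false. The result is a denial, so it fails closed, but it would withhold legitimate content; worth confirming that the query narrows to username (or paginates) and stating in the function comment that an unmatched login yields false with a nil error.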
Copilot AI Nov 7, 2025

When the GraphQL query returns no collaborators (empty Edges array), the function returns false without distinguishing between "user not found" and "user has no push access". This could happen if the user is not a collaborator or if the repository query parameter doesn't match. Consider adding logging or a more specific error message to help diagnose why a user was denied access in lockdown mode.

Copilot uses AI. Check for mistakes.
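
An added example (not code from this pull request) of the distinction raised in the review comment above: the check still fails closed, but it records whether the author was absent from the collaborator list or present without push access. `Collaborator`, `Decision` and `CheckAuthor` are hypothetical names, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Collaborator is a constructed stand-in for one collaborator edge
// (login plus repository permission); it is not the project's type.
type Collaborator struct {
	Login      string
	Permission string
}

// Decision records why content was returned or withheld (hypothetical type).
type Decision struct {
	Allowed bool
	Reason  string
}

// pushPermissions lists the permissions the reviewed snippet treats as push access.
var pushPermissions = map[string]bool{"WRITE": true, "ADMIN": true, "MAINTAIN": true}

// CheckAuthor decides whether content written by author may be returned.
// It fails closed: an author missing from the list is denied, but the reason
// separates "not a collaborator" from "collaborator without push access".
func CheckAuthor(lockdown bool, author string, collaborators []Collaborator) Decision {
	if !lockdown {
		return Decision{true, "lockdown disabled"}
	}
	for _, c := range collaborators {
		if !strings.EqualFold(c.Login, author) {
			continue
		}
		if pushPermissions[c.Permission] {
			return Decision{true, "author has push access (" + c.Permission + ")"}
		}
		return Decision{false, "author is a collaborator without push access (" + c.Permission + ")"}
	}
	return Decision{false, "author not found among collaborators"}
}

func main() {
	// Constructed sample data.
	collabs := []Collaborator{{"Maintainer-A", "ADMIN"}, {"triager-b", "TRIAGE"}}
	for _, author := range []string{"maintainer-a", "triager-b", "outsider-c"} {
		fmt.Printf("%-13s %+v\n", author, CheckAuthor(true, author, collabs))
	}
}
```

Logging the `Reason` server-side while returning a uniform error to the caller keeps the denial diagnosable without changing what the client sees.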

mattdholloway (Contributor) left a comment

lgtm! 🚀

JoannaaKL reacted with heart emoji
Reviewers

Copilot left review comments
mattdholloway approved these changes
