4b6817381b
Benchmark image — build + push to ECR (any adapter) / build + push (push) Waiting to run
CI / quality (ubuntu-latest) (push) Waiting to run
CI / test (tools-runtime) (push) Waiting to run
CI / test (e2e-general) (push) Waiting to run
CI / test (cli-runtime) (push) Waiting to run
CI / test (e2e-provider-and-openclaw) (push) Waiting to run
CI / test (integrations-and-misc) (push) Waiting to run
CI / coverage-report (push) Blocked by required conditions
CI / test-kubernetes (push) Waiting to run
CI / should-run-thorough (push) Waiting to run
CI / test-thorough (cloudwatch-demo) (push) Blocked by required conditions
CI / test-thorough (flink-ecs) (push) Blocked by required conditions
CI / test-thorough (upstream-lambda) (push) Blocked by required conditions
CI / test-thorough (prefect-ecs-fargate) (push) Blocked by required conditions
CodeQL / Analyze (python) (push) Waiting to run
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Blocked by required conditions
Release / publish-release (push) Blocked by required conditions
Release / publish-main-release (push) Blocked by required conditions
Release / prepare (push) Waiting to run
Release / verify (push) Blocked by required conditions
Release / build-python-dist (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Blocked by required conditions
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Waiting to run
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Waiting to run
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Waiting to run
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
136 lines
4.8 KiB
Plaintext
136 lines
4.8 KiB
Plaintext
---
|
|
title: "GitHub"
|
|
description: "Connect GitHub so OpenSRE can correlate recent commits and code changes with incidents"
|
|
---
|
|
|
|
OpenSRE connects to GitHub via the GitHub MCP server to search code, browse recent commits, inspect files, and trace changes correlated with alerts — helping identify which deployment or code change triggered an incident.
|
|
|
|
## First launch (macOS & Windows)
|
|
|
|
The first time you launch the interactive shell on macOS or Windows, OpenSRE asks
|
|
you to sign in to GitHub in your browser before the prompt appears. This runs the
|
|
same browser device-flow sign-in as Option 1 below, then connects GitHub
|
|
automatically. Sign in once and OpenSRE remembers it for future launches.
|
|
|
|
You can bypass this step — for example if GitHub sign-in is unavailable:
|
|
|
|
```bash
|
|
OPENSRE_SKIP_GITHUB_LOGIN=1 opensre
|
|
```
|
|
|
|
The first-launch prompt never runs on Linux or in CI/automation, and is skipped
|
|
when GitHub is already configured.
|
|
|
|
## Prerequisites
|
|
|
|
- GitHub account with repository access
|
|
- One of: browser sign-in (recommended), a personal access token, or GitHub Copilot MCP access
|
|
|
|
## Setup
|
|
|
|
### Option 1: Interactive CLI (browser sign-in)
|
|
|
|
```bash
|
|
opensre integrations setup
|
|
```
|
|
|
|
Select **GitHub** when prompted, then choose **Authorize in browser**. OpenSRE
|
|
opens GitHub's device authorization page and prints a one-time code — approve it
|
|
in your browser and the token is captured automatically. No personal access
|
|
token is required.
|
|
|
|
This uses GitHub's OAuth device flow, which has no client secret. The public
|
|
OAuth App client id ships with OpenSRE; override it with
|
|
`OPENSRE_GITHUB_OAUTH_CLIENT_ID` if you register your own app.
|
|
|
|
If you prefer, the same prompt lets you **paste a token (PAT)** instead.
|
|
|
|
### Option 2: Environment variables
|
|
|
|
```bash
|
|
GITHUB_MCP_AUTH_TOKEN=ghp_your_personal_access_token
|
|
GITHUB_MCP_URL=https://api.githubcopilot.com/mcp/ # default
|
|
GITHUB_MCP_MODE=streamable-http # default
|
|
GITHUB_MCP_TOOLSETS=repos,issues,pull_requests,actions # default
|
|
```
|
|
|
|
| Variable | Default | Description |
|
|
| --- | --- | --- |
|
|
| `GITHUB_MCP_AUTH_TOKEN` | — | GitHub personal access token. Required unless you authorize in the browser (Option 1) |
|
|
| `GITHUB_MCP_URL` | `https://api.githubcopilot.com/mcp/` | GitHub MCP server URL |
|
|
| `GITHUB_MCP_MODE` | `streamable-http` | Transport mode: `streamable-http`, `sse`, or `stdio` |
|
|
| `GITHUB_MCP_TOOLSETS` | `repos,issues,pull_requests,actions` | Comma-separated toolsets to enable |
|
|
| `GITHUB_MCP_COMMAND` | — | Command to run (required for `stdio` mode only) |
|
|
| `GITHUB_MCP_ARGS` | — | Space-separated args for `stdio` mode |
|
|
| `OPENSRE_GITHUB_OAUTH_CLIENT_ID` | _(built-in)_ | OAuth App client id for browser sign-in (device flow). Override to use your own app |
|
|
|
|
### Option 3: Persistent store
|
|
|
|
```json
|
|
{
|
|
"version": 1,
|
|
"integrations": [
|
|
{
|
|
"id": "github-prod",
|
|
"service": "github",
|
|
"status": "active",
|
|
"credentials": {
|
|
"url": "https://api.githubcopilot.com/mcp/",
|
|
"mode": "streamable-http",
|
|
"auth_token": "ghp_your_token",
|
|
"toolsets": ["repos", "issues", "pull_requests", "actions"]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
## Creating a personal access token
|
|
|
|
1. In GitHub, go to **Settings** → **Developer settings** → **Personal access tokens** → **Tokens (classic)**
|
|
2. Click **Generate new token**
|
|
3. Select the following scopes: `repo`, `read:org`
|
|
4. Copy the token
|
|
|
|
<Info>
|
|
For GitHub Enterprise Server, set `GITHUB_MCP_URL` to your enterprise MCP endpoint.
|
|
</Info>
|
|
|
|
## Transport modes
|
|
|
|
| Mode | When to use |
|
|
| --- | --- |
|
|
| `streamable-http` | Default. Works with GitHub Copilot MCP and most hosted instances |
|
|
| `sse` | For older MCP servers using Server-Sent Events |
|
|
| `stdio` | For running a local MCP server process (`npx @modelcontextprotocol/server-github`) |
|
|
|
|
## Verify
|
|
|
|
```bash
|
|
opensre integrations verify github
|
|
```
|
|
|
|
Expected output:
|
|
|
|
```
|
|
Service: github
|
|
Status: passed
|
|
Detail: GitHub MCP validated for your-username; discovered 18 tools including repository source investigation helpers
|
|
```
|
|
|
|
## Troubleshooting
|
|
|
|
| Symptom | Fix |
|
|
| --- | --- |
|
|
| **Authentication failed** | Check that the token has `repo` scope and is not expired |
|
|
| **Required tools missing** | Ensure toolsets include `repos` — it provides `get_file_contents`, `list_commits`, etc. |
|
|
| **Connection refused** | Verify `GITHUB_MCP_URL` is reachable and the MCP server is running |
|
|
| **Browser sign-in unavailable** | Set `OPENSRE_GITHUB_OAUTH_CLIENT_ID` to a device-flow-enabled OAuth App, or fall back to pasting a PAT |
|
|
| **First-launch sign-in is blocking me** | Set `OPENSRE_SKIP_GITHUB_LOGIN=1` to bypass the first-launch GitHub prompt |
|
|
|
|
## Security best practices
|
|
|
|
- Use a **fine-grained personal access token** with read-only repository access.
|
|
- Limit token scope to the repositories OpenSRE needs to inspect.
|
|
- Store the token in `.env`, not in source code.
|