AI Agent Skill HUB

http_mcp_headers

HTTP MCP Header Secret Support - Implementation Summary

4,265 stars
bygithub
View on GitHubInstallation ↓

Best use case

http_mcp_headers is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

HTTP MCP Header Secret Support - Implementation Summary

Teams using http_mcp_headers should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/http-mcp-headers/SKILL.md --create-dirs "https://raw.githubusercontent.com/github/gh-aw/main/skills/http-mcp-headers/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/http-mcp-headers/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How http_mcp_headers Compares

Feature / Agenthttp_mcp_headersStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

HTTP MCP Header Secret Support - Implementation Summary

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

Best AI Skills for ChatGPT

Find the best AI skills to adapt into ChatGPT workflows for research, writing, summarization, planning, and repeatable assistant tasks.

AI Agents for Marketing

Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.

AI Agents for Startups

Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.

SKILL.md Source

# HTTP MCP Header Secret Support - Implementation Summary

This document demonstrates the complete implementation of HTTP MCP header secret support for the copilot engine.

## Problem Statement

When using HTTP MCP tools with headers containing GitHub Actions secrets, the generated mcp-config.json needs to:

1. Extract secrets from headers (e.g., `${{ secrets.DD_API_KEY }}`)
2. Declare those env variables in the execution step
3. Configure the MCP config's "env" section to passthrough those variables
4. Use the passed variables in the headers section

## Example Workflow

```markdown
on:
  workflow_dispatch:
permissions:
  contents: read
engine: copilot
mcp-servers:
  datadog:
    type: http
    url: "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp"
    headers:
      DD_API_KEY: "${{ secrets.DD_API_KEY }}"
      DD_APPLICATION_KEY: "${{ secrets.DD_APPLICATION_KEY }}"
      DD_SITE: "${{ secrets.DD_SITE || 'datadoghq.com' }}"
    allowed:
      - search_datadog_dashboards
      - search_datadog_slos
      - search_datadog_metrics
      - get_datadog_metric

# Datadog Dashboard Search

Search for Datadog dashboards and provide a summary.
```

## Generated Output

### 1. MCP Config (mcp-config.json)

```json
{
  "mcpServers": {
    "datadog": {
      "type": "http",
      "url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp",
      "headers": {
        "DD_API_KEY": "${DD_API_KEY}",
        "DD_APPLICATION_KEY": "${DD_APPLICATION_KEY}",
        "DD_SITE": "${DD_SITE}"
      },
      "tools": [
        "search_datadog_dashboards",
        "search_datadog_slos",
        "search_datadog_metrics",
        "get_datadog_metric"
      ],
      "env": {
        "DD_API_KEY": "\\${DD_API_KEY}",
        "DD_APPLICATION_KEY": "\\${DD_APPLICATION_KEY}",
        "DD_SITE": "\\${DD_SITE}"
      }
    }
  }
}
```

### 2. Execution Step Environment Variables

```yaml
env:
  DD_API_KEY: ${{ secrets.DD_API_KEY }}
  DD_APPLICATION_KEY: ${{ secrets.DD_APPLICATION_KEY }}
  DD_SITE: ${{ secrets.DD_SITE || 'datadoghq.com' }}
  GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  # ... other env vars
```

## Implementation Details

### Key Functions

1. **extractSecretsFromValue(value string)** - Extracts secret expressions from a string
   - Parses `${{ secrets.VAR_NAME }}` patterns
   - Handles default values: `${{ secrets.VAR || 'default' }}`
   - Returns map of variable names to full expressions

2. **extractSecretsFromHeaders(headers map[string]string)** - Extracts all secrets from HTTP headers
   - Iterates through all header values
   - Collects all unique secret expressions
   - Returns consolidated map of secrets

3. **replaceSecretsWithEnvVars(value string, secrets map[string]string)** - Replaces secret expressions with env var references
   - Transforms `${{ secrets.DD_API_KEY }}` to `${DD_API_KEY}`
   - Used in MCP config headers rendering

4. **collectHTTPMCPHeaderSecrets(tools map[string]any)** - Collects secrets from all HTTP MCP tools
   - Scans all tools for HTTP MCP configurations
   - Extracts secrets from each tool's headers
   - Returns consolidated map for execution step env

### Rendering Logic

#### In renderSharedMCPConfig (mcp-config.go):

1. **Extract secrets** when rendering HTTP MCP configs for copilot engine
2. **Add env section** to property order when secrets are found
3. **Render headers** with env var references instead of secret expressions
4. **Render env** with passthrough syntax (`\${VAR_NAME}`)

#### In GetExecutionSteps (copilot_engine.go):

1. **Collect all HTTP MCP header secrets** from workflow tools
2. **Add to execution step env map** with secret expressions

## Security Benefits

1. **Secrets never appear in MCP config** - Only env var references
2. **Proper GitHub Actions secret handling** - Uses `${{ secrets.* }}` syntax
3. **Environment isolation** - Each MCP server receives only its required secrets
4. **Consistent pattern** - Matches existing GitHub remote MCP server implementation

## Test Coverage

### Unit Tests (mcp_http_headers_test.go)
- extractSecretsFromValue
- extractSecretsFromHeaders
- replaceSecretsWithEnvVars
- collectHTTPMCPHeaderSecrets
- renderSharedMCPConfig with HTTP headers

### Integration Tests (copilot_mcp_http_integration_test.go)
- Single HTTP MCP tool with secrets
- Multiple HTTP MCP tools
- HTTP MCP without secrets
- Property ordering
- Env variable sorting

All tests pass ✓

Related Skills

temporary-id-safe-output

4265
from github/gh-aw

Plan for adding temporary ID support to safe output jobs

skills

4265
from github/gh-aw

Using Skillz MCP Server with Docker

reporting

4265
from github/gh-aw

Guidelines for formatting reports using HTML details/summary tags

messages

4265
from github/gh-aw

Instructions for adding new message types to the safe-output messages system

javascript-refactoring

4265
from github/gh-aw

Instructions for refactoring JavaScript code into separate files

github-script

4265
from github/gh-aw

Best practices for writing JavaScript code for GitHub Actions using github-script

github-pr-query

4265
from github/gh-aw

Query GitHub pull requests efficiently with jq argument support for filtering

github-mcp-server

4265
from github/gh-aw

GitHub MCP Server Documentation

github-issue-query

4265
from github/gh-aw

Query GitHub issues efficiently with jq argument support for filtering

github-discussion-query

4265
from github/gh-aw

Query GitHub discussions efficiently with jq argument support for filtering

github-copilot-agent-tips-and-tricks

4265
from github/gh-aw

Tips and Tricks for Working with GitHub Copilot Agent PRs

gh-agent-task

4265
from github/gh-aw

GitHub CLI Agent Task Extension