MCP.directory

http-mcp-headers

by githubnext
0
0
Source

HTTP MCP Header Secret Support - Implementation Summary

Install

mkdir -p .claude/skills/http-mcp-headers && curl -L -o skill.zip "https://mcp.directory/api/skills/download/6783" && unzip -o skill.zip -d .claude/skills/http-mcp-headers && rm skill.zip

Installs to .claude/skills/http-mcp-headers

About this skill

HTTP MCP Header Secret Support - Implementation Summary

This document demonstrates the complete implementation of HTTP MCP header secret support for the copilot engine.

Problem Statement

When using HTTP MCP tools with headers containing GitHub Actions secrets, the generated mcp-config.json needs to:

  1. Extract secrets from headers (e.g., ${{ secrets.DD_API_KEY }})
  2. Declare those env variables in the execution step
  3. Configure the MCP config's "env" section to passthrough those variables
  4. Use the passed variables in the headers section

Example Workflow

on:
  workflow_dispatch:
permissions:
  contents: read
engine: copilot
mcp-servers:
  datadog:
    type: http
    url: "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp"
    headers:
      DD_API_KEY: "${{ secrets.DD_API_KEY }}"
      DD_APPLICATION_KEY: "${{ secrets.DD_APPLICATION_KEY }}"
      DD_SITE: "${{ secrets.DD_SITE || 'datadoghq.com' }}"
    allowed:
      - search_datadog_dashboards
      - search_datadog_slos
      - search_datadog_metrics
      - get_datadog_metric

# Datadog Dashboard Search

Search for Datadog dashboards and provide a summary.

Generated Output

1. MCP Config (mcp-config.json)

{
  "mcpServers": {
    "datadog": {
      "type": "http",
      "url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp",
      "headers": {
        "DD_API_KEY": "${DD_API_KEY}",
        "DD_APPLICATION_KEY": "${DD_APPLICATION_KEY}",
        "DD_SITE": "${DD_SITE}"
      },
      "tools": [
        "search_datadog_dashboards",
        "search_datadog_slos",
        "search_datadog_metrics",
        "get_datadog_metric"
      ],
      "env": {
        "DD_API_KEY": "\\${DD_API_KEY}",
        "DD_APPLICATION_KEY": "\\${DD_APPLICATION_KEY}",
        "DD_SITE": "\\${DD_SITE}"
      }
    }
  }
}

2. Execution Step Environment Variables

env:
  DD_API_KEY: ${{ secrets.DD_API_KEY }}
  DD_APPLICATION_KEY: ${{ secrets.DD_APPLICATION_KEY }}
  DD_SITE: ${{ secrets.DD_SITE || 'datadoghq.com' }}
  GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  # ... other env vars

Implementation Details

Key Functions

  1. extractSecretsFromValue(value string) - Extracts secret expressions from a string

    • Parses ${{ secrets.VAR_NAME }} patterns
    • Handles default values: ${{ secrets.VAR || 'default' }}
    • Returns map of variable names to full expressions

  2. extractSecretsFromHeaders(headers map[string]string) - Extracts all secrets from HTTP headers

    • Iterates through all header values
    • Collects all unique secret expressions
    • Returns consolidated map of secrets

  3. replaceSecretsWithEnvVars(value string, secrets map[string]string) - Replaces secret expressions with env var references

    • Transforms ${{ secrets.DD_API_KEY }} to ${DD_API_KEY}
    • Used in MCP config headers rendering

  4. collectHTTPMCPHeaderSecrets(tools map[string]any) - Collects secrets from all HTTP MCP tools

    • Scans all tools for HTTP MCP configurations
    • Extracts secrets from each tool's headers
    • Returns consolidated map for execution step env

Rendering Logic

In renderSharedMCPConfig (mcp-config.go):

  1. Extract secrets when rendering HTTP MCP configs for copilot engine
  2. Add env section to property order when secrets are found
  3. Render headers with env var references instead of secret expressions
  4. Render env with passthrough syntax (\${VAR_NAME})

In GetExecutionSteps (copilot_engine.go):

  1. Collect all HTTP MCP header secrets from workflow tools
  2. Add to execution step env map with secret expressions

Security Benefits

  1. Secrets never appear in MCP config - Only env var references
  2. Proper GitHub Actions secret handling - Uses ${{ secrets.* }} syntax
  3. Environment isolation - Each MCP server receives only its required secrets
  4. Consistent pattern - Matches existing GitHub remote MCP server implementation

Test Coverage

Unit Tests (mcp_http_headers_test.go)

  • extractSecretsFromValue
  • extractSecretsFromHeaders
  • replaceSecretsWithEnvVars
  • collectHTTPMCPHeaderSecrets
  • renderSharedMCPConfig with HTTP headers

Integration Tests (copilot_mcp_http_integration_test.go)

  • Single HTTP MCP tool with secrets
  • Multiple HTTP MCP tools
  • HTTP MCP without secrets
  • Property ordering
  • Env variable sorting

All tests pass ✓

More by githubnext

View all skills by githubnext

console-rendering

githubnext

Instructions for using the struct tag-based console rendering system in Go

00

agentic-chat

githubnext

AI assistant for creating clear, actionable task descriptions for GitHub Copilot agents

00

javascript-refactoring

githubnext

Instructions for refactoring JavaScript code into separate files

00

messages

githubnext

Instructions for adding new message types to the safe-output messages system

00

reporting

githubnext

Guidelines for formatting reports using HTML details/summary tags

00

debugging-workflows

githubnext

Guide for debugging GitHub Agentic Workflows - analyzing logs, auditing runs, and troubleshooting issues

40

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

643969

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

591705

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

318399

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

340397

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

452339

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

304231

Related MCP Servers

Browse all servers
Nile DatabaseNile Database

Integrate Nile Database for seamless TypeScript-based server operations, supporting stdio and HTTP for AI workflow datab

160 tools
Fetch JSONPathFetch JSONPath

Fetch JSONPath retrieves and extracts data from HTTP APIs using JSONPath, supporting batch processing, custom headers, p

24 tools
MarkitdownMarkitdown

Easily convert markdown to PDF using Markitdown MCP server. Supports HTTP, STDIO, and SSE for fast converting markdown t

90,3881 tools
Task MasterTask Master

Boost productivity with Task Master: an AI-powered tool for project management and agile development workflows, integrat

25,8320 tools
OpenDiaOpenDia

OpenDia is a web based diagram tool enabling real-time collaborative diagram creation and editing via easy-to-use web in

1,78118 tools
Feishu (Lark)Feishu (Lark)

Integrate Feishu (Lark) for seamless document retrieval, messaging, and collaboration via TypeScript CLI or HTTP server

4880 tools

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.