MCP Official source

GitHub MCP Server

GitHub's official MCP server for repositories, issues, pull requests, Actions, code security, and related workflows.

Quick start

docker run -i --rm -e GITHUB_PERSONAL_ACCESS_TOKEN ghcr.io/github/github-mcp-server

What it does

GitHub MCP Server exposes GitHub workflows as agent tools. Toolsets can be enabled selectively for repositories, issues, pull requests, Actions, security, and other domains.

Best for

  • Repository and pull request research
  • Issue triage and release workflows
  • Agent-assisted code review and CI investigation

Security note

Start with a fine-grained token and the smallest necessary permissions. Prefer read-only mode for research tasks, restrict enabled toolsets, and keep tokens in environment variables rather than committed configuration files.

Setup and authentication

Choose the installation path supported by your MCP client, then create credentials for the specific repositories and actions the workflow requires. A fine-grained personal access token or appropriately scoped application identity is preferable to a classic token with organization-wide access. Separate research credentials from credentials capable of merging code, changing settings, or managing secrets.

Production checks

Enable toolsets incrementally. First verify repository discovery and read-only queries, then test issue or pull-request writes in a sandbox repository. Keep branch protection, required reviews, and CI controls in place; an MCP integration should work through those controls rather than bypass them. Record the identity used by the agent so audit logs distinguish automated actions from human actions.

Alternatives

The GitHub CLI or API is often better for a fixed, deterministic automation. GitHub MCP is useful when an agent needs to discover and combine repository information across several steps. For local project files without GitHub API access, compare the Filesystem MCP Server.

Choose toolsets from the workflow

The server can expose many GitHub domains, but an agent rarely needs all of them at once. Enable repository and pull-request tools for code review, issue tools for triage, or Actions tools for CI investigation. A smaller tool list improves both security and model selection: the agent has fewer ways to perform an unintended action and less ambiguity about which capability fits the request.

Separate read workflows from write workflows. Searching code, reading a pull request, and inspecting check logs can usually run with read-only permissions. Creating issues, commenting, merging, changing workflows, or managing security alerts should use a distinct configuration with explicit user approval. Organization administration and destructive operations should not share credentials with everyday repository research.

Token and deployment choices

Prefer a fine-grained personal access token limited to selected repositories, or an approved GitHub App installation for team deployments. Record the exact scopes and repository access in the configuration documentation. Load the secret through the client environment or secret manager and make sure command output, agent traces, and screenshots cannot print it.

The Docker quick start is useful for local isolation, but it does not reduce the permissions of the supplied token. Pin a reviewed container version or digest for controlled environments and define an update process. If you build the Go binary directly, verify the source revision and retain the build provenance.

A low-risk acceptance test

Connect the server to a disposable repository. Ask the client to list repository metadata, read one issue, and inspect a pull request without changing anything. Review the MCP tool calls and confirm that disabled toolsets are unavailable. Only then test a narrowly authorized write, such as creating a labeled draft issue, and verify that the action is visible in GitHub’s audit trail. This staged test makes the actual permission boundary observable before the integration touches production repositories.