Support GitHub MCP in-box (#2051)

* Support GitHub MCP inbox

Fixes microsoft/vscode#254836

* Be auth provider aware, and bump version on every config change

* tests and fixed ghe url

* Move things around so the layers make more sense

* move settings to experimental section

* move def prov

* who needs new APIs anyway?

* Ask for auth

* fix tests

* disable `#githubRepo` when GH MCP is enabled

* Include settings for readonly & lockdown

* misc

* fix test

Author: TylerLeonhardt

package.json

@@ -1061,6 +1061,7 @@
 				"modelDescription": "Searches a GitHub repository for relevant source code snippets. Only use this tool if the user is very clearly asking for code snippets from a specific GitHub repository. Do not use this tool for Github repos that the user has open in their workspace.",
 				"userDescription": "%github.copilot.tools.githubRepo.userDescription%",
 				"icon": "$(repo)",
+				"when": "!config.github.copilot.chat.githubMcpServer.enabled",
 				"inputSchema": {
 					"type": "object",
 					"properties": {
@@ -1841,6 +1842,12 @@
 				"when": "!github.copilot.interactiveSession.disabled"
 			}
 		],
+		"mcpServerDefinitionProviders": [
+			{
+				"id": "github",
+				"label": "GitHub"
+			}
+		],
 		"viewsWelcome": [
 			{
 				"view": "debug",
@@ -2745,6 +2752,41 @@
 			{
 				"id": "experimental",
 				"properties": {
+					"github.copilot.chat.githubMcpServer.enabled": {
+						"type": "boolean",
+						"default": false,
+						"markdownDescription": "%github.copilot.config.githubMcpServer.enabled%",
+						"tags": [
+							"experimental"
+						]
+					},
+					"github.copilot.chat.githubMcpServer.toolsets": {
+						"type": "array",
+						"default": ["default"],
+						"markdownDescription": "%github.copilot.config.githubMcpServer.toolsets%",
+						"items": {
+							"type": "string"
+						},
+						"tags": [
+							"experimental"
+						]
+					},
+					"github.copilot.chat.githubMcpServer.readonly": {
+						"type": "boolean",
+						"default": false,
+						"markdownDescription": "%github.copilot.config.githubMcpServer.readonly%",
+						"tags": [
+							"experimental"
+						]
+					},
+					"github.copilot.chat.githubMcpServer.lockdown": {
+						"type": "boolean",
+						"default": false,
+						"markdownDescription": "%github.copilot.config.githubMcpServer.lockdown%",
+						"tags": [
+							"experimental"
+						]
+					},
 					"github.copilot.chat.imageUpload.enabled": {
 						"type": "boolean",
 						"default": true,

package.nls.json

@@ -416,5 +416,9 @@
 	"github.copilot.cli.sessions.newTerminalSession": "New Agent Session in Terminal",
 	"github.copilot.command.openCopilotAgentSessionsInBrowser": "Open in Browser",
 	"github.copilot.command.closeChatSessionPullRequest.title": "Close Pull Request",
-	"github.copilot.command.applyCopilotCLIAgentSessionChanges": "Apply Changes"
+	"github.copilot.command.applyCopilotCLIAgentSessionChanges": "Apply Changes",
+	"github.copilot.config.githubMcpServer.enabled": "Enable built-in support for the GitHub MCP Server.",
+	"github.copilot.config.githubMcpServer.toolsets": "Specify toolsets to use from the GitHub MCP Server.",
+	"github.copilot.config.githubMcpServer.readonly": "Enable read-only mode for the GitHub MCP Server. When enabled, only read tools are available.",
+	"github.copilot.config.githubMcpServer.lockdown": "Enable lockdown mode for the GitHub MCP Server. When enabled, hides public issue details created by users without push access."
 }

src/extension/extension/vscode-node/contributions.ts

@@ -24,6 +24,7 @@ import { DiagnosticsContextContribution } from '../../diagnosticsContext/vscode/
 import { LanguageModelProxyContrib } from '../../externalAgents/vscode-node/lmProxyContrib';
 import { WalkthroughCommandContribution } from '../../getting-started/vscode-node/commands';
 import * as newWorkspaceContribution from '../../getting-started/vscode-node/newWorkspace.contribution';
+import { GitHubMcpContrib } from '../../githubMcp/vscode-node/githubMcp.contribution';
 import { IgnoredFileProviderContribution } from '../../ignore/vscode-node/ignoreProvider';
 import { InlineEditProviderFeature } from '../../inlineEdits/vscode-node/inlineEditProviderFeature';
 import { FixTestFailureContribution } from '../../intents/vscode-node/fixTestFailureContributions';
@@ -86,7 +87,8 @@ export const vscodeNodeContributions: IExtensionContributionFactory[] = [
 	asContributionFactory(CompletionsCoreContribution),
 	asContributionFactory(CompletionsUnificationContribution),
 	workspaceIndexingContribution,
-	asContributionFactory(ChatSessionsContrib)
+	asContributionFactory(ChatSessionsContrib),
+	asContributionFactory(GitHubMcpContrib)
 ];
 
 /**

src/extension/githubMcp/common/githubMcpDefinitionProvider.ts

@@ -0,0 +1,143 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as l10n from '@vscode/l10n';
+import type { CancellationToken, McpHttpServerDefinition, McpServerDefinitionProvider } from 'vscode';
+import { authProviderId, IAuthenticationService } from '../../../platform/authentication/common/authentication';
+import { AuthProviderId, ConfigKey, IConfigurationService } from '../../../platform/configuration/common/configurationService';
+import { ILogService } from '../../../platform/log/common/logService';
+import { Event } from '../../../util/vs/base/common/event';
+import { URI } from '../../../util/vs/base/common/uri';
+
+const EnterpriseURLConfig = 'github-enterprise.uri';
+
+export class GitHubMcpDefinitionProvider implements McpServerDefinitionProvider<McpHttpServerDefinition> {
+
+	readonly onDidChangeMcpServerDefinitions: Event<void>;
+
+	constructor(
+		@IConfigurationService private readonly configurationService: IConfigurationService,
+		@IAuthenticationService private readonly authenticationService: IAuthenticationService,
+		@ILogService private readonly logService: ILogService
+	) {
+		const configurationEvent = Event.chain(configurationService.onDidChangeConfiguration, $ => $
+			.filter(e => {
+				// If they change the toolsets
+				if (e.affectsConfiguration(ConfigKey.GitHubMcpToolsets.fullyQualifiedId)) {
+					logService.debug('GitHubMcpDefinitionProvider: Configuration change affects GitHub MCP toolsets.');
+					return true;
+				}
+				// If they change readonly mode
+				if (e.affectsConfiguration(ConfigKey.GitHubMcpReadonly.fullyQualifiedId)) {
+					logService.debug('GitHubMcpDefinitionProvider: Configuration change affects GitHub MCP readonly mode.');
+					return true;
+				}
+				// If they change lockdown mode
+				if (e.affectsConfiguration(ConfigKey.GitHubMcpLockdown.fullyQualifiedId)) {
+					logService.debug('GitHubMcpDefinitionProvider: Configuration change affects GitHub MCP lockdown mode.');
+					return true;
+				}
+				// If they change to GHE or GitHub.com
+				if (e.affectsConfiguration(ConfigKey.Shared.AuthProvider.fullyQualifiedId)) {
+					logService.debug('GitHubMcpDefinitionProvider: Configuration change affects GitHub auth provider.');
+					return true;
+				}
+				// If they change the GHE URL
+				if (e.affectsConfiguration(EnterpriseURLConfig)) {
+					logService.debug('GitHubMcpDefinitionProvider: Configuration change affects GitHub Enterprise URL.');
+					return true;
+				}
+				return false;
+			})
+			// void event
+			.map(() => { })
+		);
+		let havePermissiveToken = !!this.authenticationService.permissiveGitHubSession;
+		const authEvent = Event.chain(this.authenticationService.onDidAuthenticationChange, $ => $
+			.filter(() => {
+				const hadToken = havePermissiveToken;
+				havePermissiveToken = !!this.authenticationService.permissiveGitHubSession;
+				return hadToken !== havePermissiveToken;
+			})
+			.map(() => {
+				this.logService.debug(`GitHubMcpDefinitionProvider: Permissive GitHub session availability changed: ${havePermissiveToken}`);
+			})
+		);
+		this.onDidChangeMcpServerDefinitions = Event.any(configurationEvent, authEvent);
+	}
+
+	private get toolsets(): string[] {
+		return this.configurationService.getConfig<string[]>(ConfigKey.GitHubMcpToolsets);
+	}
+
+	private get readonly(): boolean {
+		return this.configurationService.getConfig<boolean>(ConfigKey.GitHubMcpReadonly);
+	}
+
+	private get lockdown(): boolean {
+		return this.configurationService.getConfig<boolean>(ConfigKey.GitHubMcpLockdown);
+	}
+
+	private get gheConfig(): string | undefined {
+		return this.configurationService.getNonExtensionConfig<string>(EnterpriseURLConfig);
+	}
+
+	private getGheUri(): URI {
+		const uri = this.gheConfig;
+		if (!uri) {
+			throw new Error('GitHub Enterprise URI is not configured.');
+		}
+		// Prefix with 'copilot-api.'
+		const url = URI.parse(uri).with({ path: '/mcp/' });
+		return url.with({ authority: `copilot-api.${url.authority}` });
+	}
+
+	provideMcpServerDefinitions(): McpHttpServerDefinition[] {
+		const providerId = authProviderId(this.configurationService);
+		const toolsets = this.toolsets.sort().join(',');
+		const readonly = this.readonly;
+		const lockdown = this.lockdown;
+
+		const basics = providerId === AuthProviderId.GitHubEnterprise
+			? { label: 'GitHub Enterprise', uri: this.getGheUri() }
+			: { label: 'GitHub', uri: URI.parse('https://api.githubcopilot.com/mcp/') };
+
+		// Build headers object conditionally
+		const headers: Record<string, string> = {};
+		// Build version string with toolsets and flags
+		let version = toolsets.length ? toolsets : '0';
+		if (toolsets.length > 0) {
+			headers['X-MCP-Toolsets'] = toolsets;
+		}
+		if (readonly) {
+			headers['X-MCP-Readonly'] = 'true';
+			version += '|readonly';
+		}
+		if (lockdown) {
+			headers['X-MCP-Lockdown'] = 'true';
+			version += '|lockdown';
+		}
+		return [
+			{
+				...basics,
+				headers,
+				version
+			}
+		];
+	}
+
+	async resolveMcpServerDefinition(server: McpHttpServerDefinition, token: CancellationToken): Promise<McpHttpServerDefinition> {
+		const session = await this.authenticationService.getPermissiveGitHubSession({
+			createIfNone: {
+				detail: l10n.t('Additional permissions are required to use GitHub MCP Server'),
+			},
+		});
+		if (!session) {
+			throw new Error('Authentication required');
+		}
+		server.headers['Authorization'] = `Bearer ${session.accessToken}`;
+		return server;
+	}
+}