feat!: initial release

Author: christian-andersson

.github/workflows/docker-publish.yml

@@ -0,0 +1,70 @@
+name: Release and Publish
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+
+    outputs:
+      new_tag: ${{ steps.tag.outputs.new_tag }}
+      changelog: ${{ steps.tag.outputs.changelog }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Bump version and push tag
+        id: tag
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          default_bump: patch
+          release_branches: main
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        with:
+          tag_name: ${{ steps.tag.outputs.new_tag }}
+          name: Release ${{ steps.tag.outputs.new_tag }}
+          body: ${{ steps.tag.outputs.changelog }}
+          generate_release_notes: true
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=${{ steps.tag.outputs.new_tag }}
+          labels: |
+            org.opencontainers.image.description=MCP server for GitHub Actions - lookup actions and get SHA-pinned references
+            org.opencontainers.image.licenses=MIT
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -0,0 +1,17 @@
+# Environment
+.env
+.env.*
+
+# IDE
+.idea
+.vscode
+*.swp
+*.swo
+
+# Build artifacts
+github-actions-mcp
+
+# OS
+.DS_Store
+Thumbs.db
+.claude/settings.local.json

.npmrc

@@ -0,0 +1 @@
+registry=https://registry.npmjs.org/

Dockerfile

@@ -0,0 +1,17 @@
+FROM denoland/deno:2.6.1
+
+WORKDIR /app
+
+# Copy all source files
+COPY deno.json deno.lock ./
+COPY main.ts ./
+COPY src/ ./src/
+
+# Cache dependencies
+RUN deno cache main.ts
+
+# Run as non-root user (deno user is provided by the base image)
+USER deno
+
+# The MCP server uses stdio transport
+CMD ["deno", "run", "--allow-net", "--allow-env", "main.ts"]

README.md

@@ -0,0 +1,249 @@
+# MCP GitHub Actions
+
+A Deno-based MCP (Model Context Protocol) service that helps you securely reference GitHub Actions by providing:
+
+- Latest version lookup for any GitHub Action
+- Commit SHA retrieval for specific version tags
+- Immutability status checking for releases
+- Ready-to-use SHA-pinned references
+
+## Why Use This?
+
+GitHub Actions referenced by tag (e.g., `actions/checkout@v4`) can be vulnerable to supply chain attacks if the tag is moved to point to malicious code. This MCP service helps you:
+
+1. **Find the commit SHA** for any action version
+2. **Check if a release is immutable** (protected from modification)
+3. **Get secure references** in the format `owner/repo@sha # version`
+
+## Installation
+
+### Prerequisites
+
+- [Deno](https://deno.land/) 2.x or later
+
+### Setup with Claude Desktop
+
+Add to your Claude Desktop configuration (`claude_desktop_config.json`):
+
+```json
+{
+  "mcpServers": {
+    "github-actions": {
+      "command": "deno",
+      "args": [
+        "run",
+        "--allow-net",
+        "--allow-env",
+        "/path/to/mcp-github-actions/main.ts"
+      ],
+      "env": {
+        "GITHUB_TOKEN": "your-github-token-optional"
+      }
+    }
+  }
+}
+```
+
+### Setup with Claude Code CLI
+
+```bash
+claude mcp add github-actions -- deno run --allow-net --allow-env /path/to/mcp-github-actions/main.ts
+```
+
+### Setup with Docker
+
+The service is available as a Docker image using stdio transport.
+
+**Pull the image:**
+
+```bash
+docker pull ghcr.io/tripletex/mcp-github-action:latest
+```
+
+**Run directly:**
+
+```bash
+docker run --rm -i -e GITHUB_TOKEN ghcr.io/tripletex/mcp-github-action:latest
+```
+
+**Claude Desktop configuration:**
+
+```json
+{
+  "mcpServers": {
+    "github-actions": {
+      "command": "docker",
+      "args": [
+        "run",
+        "--rm",
+        "-i",
+        "-e", "GITHUB_TOKEN",
+        "ghcr.io/tripletex/mcp-github-action:latest"
+      ],
+      "env": {
+        "GITHUB_TOKEN": "your-github-token-optional"
+      }
+    }
+  }
+}
+```
+
+**MCP Gateway configuration:**
+
+```yaml
+mcp_services:
+  - name: "github-actions"
+    alias: "github-actions"
+    type: "stdio"
+    command:
+      - docker
+      - run
+      - --rm
+      - -i
+      - -e
+      - GITHUB_TOKEN
+      - ghcr.io/tripletex/mcp-github-action:latest
+    timeout: 30
+```
+
+## Usage
+
+Once configured, ask Claude to look up GitHub Actions:
+
+**Example prompts:**
+
+- "Look up the latest version of actions/checkout"
+- "Get the secure reference for actions/setup-node@v4"
+- "Check if actions/cache@v4.2.0 is immutable"
+- "List all versions of actions/upload-artifact"
+
+## Tool: `lookup_action`
+
+### Parameters
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `action` | string | Yes | Action reference (e.g., `actions/checkout` or `actions/checkout@v4`) |
+| `include_all_versions` | boolean | No | List all available versions (default: false) |
+
+### Example Output
+
+```
+Action: actions/checkout
+
+Latest Version: v4.2.2
+  Commit SHA: 11bd71901bbe5b1630ceea73d27597364c9af683
+  Immutable: Yes
+  Published: 2024-10-23T14:05:06Z
+
+Recommended Usage (SHA-pinned):
+  uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+Security Notes:
+  - This release is immutable - the tag and assets are protected from modification.
+  - SHA-pinned references prevent supply chain attacks by ensuring you always use the exact same code.
+```
+
+## Authentication
+
+### Without Token (Default)
+
+- Works for public repositories only
+- Rate limit: 60 requests/hour
+
+### With Token (Recommended)
+
+Set the `GITHUB_TOKEN` environment variable:
+
+- Works for **private repositories**
+- Rate limit: 5,000 requests/hour
+- Required for organization private actions
+
+### Multi-Organization Support
+
+For accessing private repositories across multiple organizations, configure org-specific tokens:
+
+```bash
+# Org-specific tokens (format: GITHUB_TOKEN_<ORG_NAME>)
+# Hyphens in org names become underscores, all uppercase
+GITHUB_TOKEN_MY_ORG=ghp_xxx...            # For My-Org
+GITHUB_TOKEN_OTHER_ORG=ghp_yyy...         # For Other-Org
+GITHUB_TOKEN=ghp_zzz...                    # Fallback for public repos
+```
+
+**Token resolution order:**
+1. Org-specific token (`GITHUB_TOKEN_<ORG>`)
+2. Fallback token (`GITHUB_TOKEN`)
+3. Unauthenticated (public repos only)
+
+**Supported token types and required permissions:**
+
+| Token Type | Required Permissions | Notes |
+|------------|---------------------|-------|
+| Fine-grained PAT | `Contents: Read` + `Metadata: Read` | Recommended - scoped to specific repos/orgs |
+| Classic PAT | `repo` scope | Broader access - use only if fine-grained isn't suitable |
+| GitHub App | `Contents: Read` | Recommended for organizations |
+
+> **Note:** For private repositories, the token must have read access to repository contents. Without proper permissions, you'll receive a 404 error when looking up private actions.
+
+**Example Claude Desktop config with multi-org:**
+
+```json
+{
+  "mcpServers": {
+    "github-actions": {
+      "command": "deno",
+      "args": [
+        "run",
+        "--allow-net",
+        "--allow-env",
+        "/path/to/mcp-github-actions/main.ts"
+      ],
+      "env": {
+        "GITHUB_TOKEN_MY_ORG": "ghs_xxx...",
+        "GITHUB_TOKEN_OTHER_ORG": "ghs_yyy...",
+        "GITHUB_TOKEN": "ghp_zzz..."
+      }
+    }
+  }
+}
+```
+
+## Development
+
+```bash
+# Run the server
+deno task start
+
+# Run with watch mode (auto-reload)
+deno task dev
+
+# Type check
+deno task check
+
+# Lint
+deno task lint
+
+# Format
+deno task fmt
+
+# Compile to binary
+deno task compile
+```
+
+## Security Best Practices
+
+1. **Always use SHA-pinned references** in production workflows
+2. **Check immutability status** - immutable releases cannot be modified
+3. **Add version comments** for maintainability: `@sha # v4.2.0`
+4. **Use Dependabot/Renovate** to keep SHA references updated
+
+## References
+
+- [GitHub Immutable Releases](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases)
+- [Pinning GitHub Actions for Security](https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide)
+- [Model Context Protocol](https://modelcontextprotocol.io/)
+
+## License
+
+MIT

deno.json

@@ -0,0 +1,20 @@
+{
+  "name": "@mcp/github-actions",
+  "version": "1.0.0",
+  "exports": "./main.ts",
+  "tasks": {
+    "start": "deno run --allow-net --allow-env main.ts",
+    "dev": "deno run --watch --allow-net --allow-env main.ts",
+    "compile": "deno compile --allow-net --allow-env -o github-actions-mcp main.ts",
+    "check": "deno check main.ts",
+    "lint": "deno lint",
+    "fmt": "deno fmt"
+  },
+  "imports": {
+    "@modelcontextprotocol/sdk": "npm:@modelcontextprotocol/sdk@1.25.1",
+    "zod": "npm:zod@3.25.76"
+  },
+  "compilerOptions": {
+    "strict": true
+  }
+}