> ## Documentation Index
> Fetch the complete documentation index at: https://opensre.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# GitHub

> Connect GitHub so OpenSRE can correlate recent commits and code changes with incidents

OpenSRE connects to GitHub via the GitHub MCP server to search code, browse recent commits, inspect files, and trace changes correlated with alerts — helping identify which deployment or code change triggered an incident.

## First launch (macOS & Windows)

The first time you launch the interactive shell on macOS or Windows, OpenSRE asks
you to sign in to GitHub in your browser before the prompt appears. This runs the
same browser device-flow sign-in as Option 1 below, then connects GitHub
automatically. Sign in once and OpenSRE remembers it for future launches.

You can bypass this step — for example if GitHub sign-in is unavailable:

```bash theme={null}
OPENSRE_SKIP_GITHUB_LOGIN=1 opensre
```

The first-launch prompt never runs on Linux or in CI/automation, and is skipped
when GitHub is already configured.

## Prerequisites

* GitHub account with repository access
* One of: browser sign-in (recommended), a personal access token, or GitHub Copilot MCP access

## Setup

### Option 1: Interactive CLI (browser sign-in)

```bash theme={null}
opensre integrations setup
```

Select **GitHub** when prompted, then choose **Authorize in browser**. OpenSRE
opens GitHub's device authorization page and prints a one-time code — approve it
in your browser and the token is captured automatically. No personal access
token is required.

This uses GitHub's OAuth device flow, which has no client secret. The public
OAuth App client id ships with OpenSRE; override it with
`OPENSRE_GITHUB_OAUTH_CLIENT_ID` if you register your own app.

If you prefer, the same prompt lets you **paste a token (PAT)** instead.

### Option 2: Environment variables

```bash theme={null}
GITHUB_MCP_AUTH_TOKEN=ghp_your_personal_access_token
GITHUB_MCP_URL=https://api.githubcopilot.com/mcp/   # default
GITHUB_MCP_MODE=streamable-http                      # default
GITHUB_MCP_TOOLSETS=repos,issues,pull_requests,actions  # default
```

| Variable                         | Default                              | Description                                                                           |
| -------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------- |
| `GITHUB_MCP_AUTH_TOKEN`          | —                                    | GitHub personal access token. Required unless you authorize in the browser (Option 1) |
| `GITHUB_MCP_URL`                 | `https://api.githubcopilot.com/mcp/` | GitHub MCP server URL                                                                 |
| `GITHUB_MCP_MODE`                | `streamable-http`                    | Transport mode: `streamable-http`, `sse`, or `stdio`                                  |
| `GITHUB_MCP_TOOLSETS`            | `repos,issues,pull_requests,actions` | Comma-separated toolsets to enable                                                    |
| `GITHUB_MCP_COMMAND`             | —                                    | Command to run (required for `stdio` mode only)                                       |
| `GITHUB_MCP_ARGS`                | —                                    | Space-separated args for `stdio` mode                                                 |
| `OPENSRE_GITHUB_OAUTH_CLIENT_ID` | *(built-in)*                         | OAuth App client id for browser sign-in (device flow). Override to use your own app   |

### Option 3: Persistent store

```json theme={null}
{
  "version": 1,
  "integrations": [
    {
      "id": "github-prod",
      "service": "github",
      "status": "active",
      "credentials": {
        "url": "https://api.githubcopilot.com/mcp/",
        "mode": "streamable-http",
        "auth_token": "ghp_your_token",
        "toolsets": ["repos", "issues", "pull_requests", "actions"]
      }
    }
  ]
}
```

## Creating a personal access token

1. In GitHub, go to **Settings** → **Developer settings** → **Personal access tokens** → **Tokens (classic)**
2. Click **Generate new token**
3. Select the following scopes: `repo`, `read:org`
4. Copy the token

<Info>
  For GitHub Enterprise Server, set `GITHUB_MCP_URL` to your enterprise MCP endpoint.
</Info>

## Transport modes

| Mode              | When to use                                                                        |
| ----------------- | ---------------------------------------------------------------------------------- |
| `streamable-http` | Default. Works with GitHub Copilot MCP and most hosted instances                   |
| `sse`             | For older MCP servers using Server-Sent Events                                     |
| `stdio`           | For running a local MCP server process (`npx @modelcontextprotocol/server-github`) |

## Verify

```bash theme={null}
opensre integrations verify github
```

Expected output:

```
Service: github
Status: passed
Detail: GitHub MCP validated for your-username; discovered 18 tools including repository source investigation helpers
```

## Troubleshooting

| Symptom                                 | Fix                                                                                                    |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| **Authentication failed**               | Check that the token has `repo` scope and is not expired                                               |
| **Required tools missing**              | Ensure toolsets include `repos` — it provides `get_file_contents`, `list_commits`, etc.                |
| **Connection refused**                  | Verify `GITHUB_MCP_URL` is reachable and the MCP server is running                                     |
| **Browser sign-in unavailable**         | Set `OPENSRE_GITHUB_OAUTH_CLIENT_ID` to a device-flow-enabled OAuth App, or fall back to pasting a PAT |
| **First-launch sign-in is blocking me** | Set `OPENSRE_SKIP_GITHUB_LOGIN=1` to bypass the first-launch GitHub prompt                             |

## Security best practices

* Use a **fine-grained personal access token** with read-only repository access.
* Limit token scope to the repositories OpenSRE needs to inspect.
* Store the token in `.env`, not in source code.
