fix(github): send User-Agent on all GitHub API calls #399
Closed
viktormarinho wants to merge 10 commits into main from
Moves the github MCP off kubernetes-bun and onto CF Workers via `wrangler deploy`. Removes it from deploy.json / the shared `deco deploy` pipeline and adds a dedicated `deploy-github.yml` workflow.

Key changes to make it isolate-safe:
- Installation map + trigger state migrated from in-memory / Mesh StudioKV to a Workers KV binding (`INSTALLATIONS`) with `installation:` and `triggers:` prefixes
- All module-level `process.env` reads moved into lazy closures (Workers doesn't populate `process.env` at module init)
- Upstream MCP tool discovery deferred to first request (previously a top-level `await`) and runtime construction cached per isolate
- Webhook + OAuth closures now pull secrets per-request

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Emits [Webhook] log lines on ingress, on signature failure, on skip (no installation / no mapping), and on successful notify — keyed by x-github-delivery so a single event can be traced end to end in Cloudflare observability. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…cf-worker-check # Conflicts: # github/server/main.ts
triggers.notify() is fire-and-forget — on Workers the internal fetch to Mesh got cancelled as soon as we returned the HTTP response, silently dropping events. Replaced with a direct Mesh callback delivery that reads trigger credentials from KV and returns an awaitable Promise, which we hand to ctx.waitUntil so Workers keeps the isolate alive until the POST completes. Threads ExecutionContext through handle() → webhook handler. Also logs every success / failure per delivery id. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…owner If two users share a GitHub App installation, the second OAuth would overwrite installation:<id> but leave the first user's connection:<oldConn>:<id> entry behind. A later removeByConnection(oldConn) then deleted the live forward mapping for the new owner. set() now reads the current owner first and cleans up its reverse-index entry in the same batch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
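The ownership bug this commit message describes, as an added example that is not the PR's code. A `Map` stands in for the Workers KV binding, and the ids and the `"1"` marker value are constructed; only the key prefixes and the `set()` / `removeByConnection()` names come from the page.

```typescript
// Added illustration: a Map stands in for the KV namespace (assumption).
type KV = Map<string, string>;

const fwd = (id: string): string => `installation:${id}`;
const rev = (conn: string, id: string): string => `connection:${conn}:${id}`;

/** Behaviour before the fix: overwrite the owner, leave the old reverse entry behind. */
function setNaive(kv: KV, id: string, conn: string): void {
  kv.set(fwd(id), conn);
  kv.set(rev(conn, id), "1");
}

/** Behaviour after the fix: read the current owner first and drop its reverse entry. */
function setWithCleanup(kv: KV, id: string, conn: string): void {
  const previous = kv.get(fwd(id));
  if (previous !== undefined && previous !== conn) kv.delete(rev(previous, id));
  kv.set(fwd(id), conn);
  kv.set(rev(conn, id), "1");
}

/** Delete every installation reachable through this connection's reverse index. */
function removeByConnection(kv: KV, conn: string): void {
  const prefix = `connection:${conn}:`;
  for (const key of Array.from(kv.keys())) {
    if (!key.startsWith(prefix)) continue;
    kv.delete(fwd(key.slice(prefix.length))); // forward mapping
    kv.delete(key);                           // reverse-index entry
  }
}

/** Two users share installation "42"; the first one later disconnects. */
function ownerAfterOldUserDisconnects(set: typeof setNaive): string | undefined {
  const kv: KV = new Map();
  set(kv, "42", "conn-alice");          // first OAuth (constructed ids)
  set(kv, "42", "conn-bob");            // second OAuth takes over the installation
  removeByConnection(kv, "conn-alice"); // old owner's connection is removed
  return kv.get(fwd("42"));
}
```

With `setNaive` the stale `connection:conn-alice:42` entry lets the old connection's removal delete the new owner's forward mapping; with `setWithCleanup` the mapping survives. Entries written before the fix stay stale, so a removal that rechecks the forward mapping's owner before deleting would tolerate those as well.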
…cf-worker-check # Conflicts: # github/server/main.ts
Cloudflare Workers' fetch doesn't set a default User-Agent, and GitHub's API rejects UA-less requests with 403 "Request forbidden by administrative rules" — the worker was crashing at upstream tool discovery (getAppInstallationToken) on the very first request. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Superseded — opening a fresh PR rebased off main.
Summary
Worker crashed with CF error 1101 on the first `/mcp` request. Wrangler tail showed:

Cloudflare Workers' `fetch` doesn't set a default `User-Agent`; Node/k8s did, which hid the issue until now. Added `User-Agent: deco-cms-github-mcp` to every outbound GitHub API call (JWT-authed installations list, user installations list, OAuth token exchange/refresh, and the MCP proxy transport).
Test plan
🤖 Generated with Claude Code
Summary by cubic
Migrated the GitHub MCP to Cloudflare Workers and fixed GitHub API 403s by sending a User-Agent on every request. Adds durable KV storage, lazy env loading, and a dedicated deploy workflow.
Bug Fixes
- `User-Agent: deco-cms-github-mcp` on all GitHub API calls (installations list, OAuth exchange/refresh, MCP transport).
- `ctx.waitUntil`.

Migration
- `wrangler` with custom domain `github-mcp.decocms.com`.
- `INSTALLATIONS`), replacing in-memory/StudioKV.
- `deploy-github.yml`; update `github/package.json` scripts; add `@cloudflare/workers-types`, `wrangler`, and `wrangler.toml`.

Written for commit aad7096. Summary will update on new commits.
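An added example (not code from this PR) of the approach the summary describes: route every outbound GitHub call through one helper that sets `User-Agent`, and check recorded calls for any that left without it. The helper names and the stub upstream are assumptions; only the header value `deco-cms-github-mcp` comes from the page.

```typescript
// Added illustration. Only the User-Agent value is taken from the PR description.
const GITHUB_USER_AGENT = "deco-cms-github-mcp";

type HeaderMap = Record<string, string>;
type Init = { method?: string; headers?: HeaderMap; body?: string };
type Sent = { url: string; headers: HeaderMap };
type FetchLike = (url: string, init: Init) => Promise<{ status: number }>;

/** Header names are case-insensitive, so match User-Agent in any casing. */
function hasUserAgent(headers: HeaderMap): boolean {
  return Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === "user-agent" && value.trim() !== "",
  );
}

/** Keep a caller-supplied User-Agent; otherwise replace a missing or blank one. */
function withUserAgent(headers: HeaderMap = {}): HeaderMap {
  if (hasUserAgent(headers)) return { ...headers };
  const out: HeaderMap = { "User-Agent": GITHUB_USER_AGENT };
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "user-agent") out[name] = value;
  }
  return out;
}

/** Single choke point for outbound GitHub calls (hypothetical helper name). */
function makeGitHubFetch(fetchImpl: FetchLike): FetchLike {
  return (url, init) => fetchImpl(url, { ...init, headers: withUserAgent(init.headers) });
}

/** Constructed upstream stand-in: answers 403 when no User-Agent is sent. */
function makeRecordingStub(sent: Sent[]): FetchLike {
  return (url, init) => {
    const headers = init.headers || {};
    sent.push({ url, headers });
    return Promise.resolve({ status: hasUserAgent(headers) ? 200 : 403 });
  };
}

/** Regression check: URLs of recorded calls that went out without a User-Agent. */
function callsMissingUserAgent(sent: Sent[]): string[] {
  return sent.filter((call) => !hasUserAgent(call.headers)).map((call) => call.url);
}
```

In a test suite, passing the recording stub as `fetchImpl` and asserting that `callsMissingUserAgent` returns an empty list catches a new call site that bypasses the helper before it reaches a runtime with no default `User-Agent`.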