An MCP (Model Context Protocol) server that exposes GitHub REST API operations as MCP tools. The GitHub App credentials are isolated inside the server container so LLM agents never handle them directly.
Designed for use with the RockBot agent, but compatible with any MCP-capable client.
| Tool | Description |
|---|---|
list_user_repos |
List repositories for the authenticated user |
list_org_repos |
List repositories for an organization |
get_repo |
Get details of a specific repository |
list_issues |
List issues for a repository |
get_issue |
Get a specific issue |
create_issue |
Create a new issue |
update_issue |
Update title, body, or state of an issue |
add_issue_comment |
Add a comment to an issue |
list_issue_comments |
List comments on an issue |
list_pull_requests |
List pull requests for a repository |
get_pull_request |
Get a specific pull request |
create_pull_request |
Create a new pull request |
merge_pull_request |
Merge a pull request |
list_pr_files |
List files changed in a pull request |
get_file_contents |
Get decoded text contents of a file |
list_directory |
List contents of a directory |
list_branches |
List branches in a repository |
get_branch |
Get details of a specific branch |
- .NET 10 ASP.NET Core (minimal web app)
ModelContextProtocol.AspNetCoreβ SSE/HTTP transport- GitHub REST API via
HttpClientβ no extra SDK - GitHub App authentication (JWT β installation access token, auto-refreshed)
This server uses a GitHub App (not a personal access token) so it can access all repositories in an organization without being tied to any individual user account.
- Go to your organization's app creation page:
https://github.com/organizations/YOUR_ORG/settings/apps/new - Fill in the basics (name, homepage URL β these can be anything)
- Under Permissions β Repository permissions, grant:
- Contents: Read
- Issues: Read and write
- Metadata: Read (required, auto-selected)
- Pull requests: Read and write
- Under Where can this GitHub App be installed? select Only on this account
- Click Create GitHub App
- Note the App ID shown at the top of the app's settings page
On the app's settings page, scroll to Private keys and click Generate a private key. A .pem file will be downloaded β keep this safe, it cannot be retrieved again.
- In the app settings, click Install App in the left sidebar
- Click Install next to your organization
- Choose All repositories or select specific repos
- After install, note the Installation ID from the URL:
github.com/organizations/YOUR_ORG/settings/installations/XXXXXXXXXThe numeric suffix is the Installation ID.
- .NET 10 SDK
- A GitHub App created and installed (see above)
cd src/GitHubMcpServer
dotnet user-secrets set "GitHub:AppId" "YOUR_APP_ID"
dotnet user-secrets set "GitHub:InstallationId" "YOUR_INSTALLATION_ID"
# For the PEM key, edit the secrets.json file directly (multi-line value):
# Path: ~/.microsoft/usersecrets/8f3a2b1c-4d5e-6f7a-8b9c-0d1e2f3a4b5c/secrets.json
# Add: "GitHub:PrivateKeyPem": "-----BEGIN RSA PRIVATE KEY-----\nMII...\n-----END RSA PRIVATE KEY-----\n"Or edit secrets.json directly:
{
"GitHub:AppId": "123456",
"GitHub:InstallationId": "78901234",
"GitHub:PrivateKeyPem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
}cd src/GitHubMcpServer
dotnet runThe server starts on http://localhost:5000. Connect an MCP client to /sse.
docker build -t rockylhotka/mcp-github:latest .docker run -p 8080:8080 \
-e GitHub__AppId=YOUR_APP_ID \
-e GitHub__InstallationId=YOUR_INSTALLATION_ID \
-e "GitHub__PrivateKeyPem=-----BEGIN RSA PRIVATE KEY-----
MII...
-----END RSA PRIVATE KEY-----
" \
rockylhotka/mcp-github:latestrockbotnamespace exists:kubectl create namespace rockbot- GitHub App created and installed (see above)
kubectl create secret generic github-mcp-secrets \
--namespace rockbot \
--from-literal=GitHub__AppId=YOUR_APP_ID \
--from-literal=GitHub__InstallationId=YOUR_INSTALLATION_ID \
--from-file=GitHub__PrivateKeyPem=./your-app.YYYY-MM-DD.private-key.pemNote: Using
--from-filefor the PEM key preserves newlines correctly. Do not use--from-literalfor the PEM value.
kubectl apply -f k8s/deployment.yaml
kubectl apply -f k8s/service.yamlkubectl rollout status deployment/mcp-github -n rockbot
kubectl logs -l app=mcp-github -n rockbotThe service is accessible within the cluster at:
http://mcp-github.rockbot.svc.cluster.local/sse
docker build -t rockylhotka/mcp-github:latest .
docker push rockylhotka/mcp-github:latest
kubectl rollout restart deployment/mcp-github -n rockbot- On first request (and every ~55 minutes), the server generates a short-lived JWT (10-minute expiry) signed with the App's RSA private key
- The JWT is exchanged with GitHub's API for an installation access token (1-hour expiry)
- The installation token is cached and injected automatically into every GitHub API request via a
DelegatingHandler - The private key never leaves the container
Contributions are welcome! Please follow these steps:
- Fork the repository
- Create a feature branch (
git checkout -b feature/my-feature) - Commit your changes
- Push and open a Pull Request
Please read our Code of Conduct before contributing.
This project is licensed under the MIT License.
- Model Context Protocol for the MCP specification
- RockBot as the primary consuming agent