A Deno-based MCP (Model Context Protocol) service that helps you securely reference GitHub Actions by providing:
- Latest version lookup for any GitHub Action
- Commit SHA retrieval for specific version tags
- Immutability status checking for releases
- Ready-to-use SHA-pinned references
GitHub Actions referenced by tag (e.g., actions/checkout@v4) can be vulnerable to supply chain attacks if the tag is moved to point to malicious code. This MCP service helps you:
- Find the commit SHA for any action version
- Check if a release is immutable (protected from modification)
- Get secure references in the format `owner/repo@sha # version`

Requirements:
- Deno 2.x or later
Add to your Claude Desktop configuration (claude_desktop_config.json):
```json
{
  "mcpServers": {
    "github-actions": {
      "command": "deno",
      "args": [
        "run",
        "--allow-net",
        "--allow-env",
        "/path/to/mcp-github-actions/main.ts"
      ],
      "env": {
        "GITHUB_TOKEN": "your-github-token-optional"
      }
    }
  }
}
```

```bash
claude mcp add github-actions -- deno run --allow-net --allow-env /path/to/mcp-github-actions/main.ts
```

The service is available as a Docker image using stdio transport.
Pull the image:
```bash
docker pull ghcr.io/tripletex/mcp-github-action:latest
```

Run directly:
```bash
docker run --rm -i -e GITHUB_TOKEN ghcr.io/tripletex/mcp-github-action:latest
```

Claude Desktop configuration:
```json
{
  "mcpServers": {
    "github-actions": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-e", "GITHUB_TOKEN",
        "ghcr.io/tripletex/mcp-github-action:latest"
      ],
      "env": {
        "GITHUB_TOKEN": "your-github-token-optional"
      }
    }
  }
}
```

MCP Gateway configuration:
```yaml
mcp_services:
  - name: "github-actions"
    alias: "github-actions"
    type: "stdio"
    command:
      - docker
      - run
      - --rm
      - -i
      - -e
      - GITHUB_TOKEN
      - ghcr.io/tripletex/mcp-github-action:latest
    timeout: 30
```

Once configured, ask Claude to look up GitHub Actions:
Example prompts:
- "Look up the latest version of actions/checkout"
- "Get the secure reference for actions/setup-node@v4"
- "Check if actions/cache@v4.2.0 is immutable"
- "List all versions of actions/upload-artifact"
| Parameter | Type | Required | Description |
|---|---|---|---|
| `action` | string | Yes | Action reference (e.g., actions/checkout or actions/checkout@v4) |
| `include_all_versions` | boolean | No | List all available versions (default: false) |
```
Action: actions/checkout
Latest Version: v4.2.2
Commit SHA: 11bd71901bbe5b1630ceea73d27597364c9af683
Immutable: Yes
Published: 2024-10-23T14:05:06Z

Recommended Usage (SHA-pinned):
  uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Security Notes:
- This release is immutable - the tag and assets are protected from modification.
- SHA-pinned references prevent supply chain attacks by ensuring you always use the exact same code.
```

Without a token:
- Works for public repositories only
- Rate limit: 60 requests/hour

Set the GITHUB_TOKEN environment variable:
- Works for private repositories
- Rate limit: 5,000 requests/hour
- Required for organization private actions
For accessing private repositories across multiple organizations, configure org-specific tokens:
```bash
# Org-specific tokens (format: GITHUB_TOKEN_<ORG_NAME>)
# Hyphens in org names become underscores, all uppercase
GITHUB_TOKEN_MY_ORG=ghp_xxx...      # For My-Org
GITHUB_TOKEN_OTHER_ORG=ghp_yyy...   # For Other-Org
GITHUB_TOKEN=ghp_zzz...             # Fallback for public repos
```

Token resolution order:
- Org-specific token (`GITHUB_TOKEN_<ORG>`)
- Fallback token (`GITHUB_TOKEN`)
- Unauthenticated (public repos only)
Supported token types and required permissions:
| Token Type | Required Permissions | Notes |
|---|---|---|
| Fine-grained PAT | Contents: Read + Metadata: Read | Recommended - scoped to specific repos/orgs |
| Classic PAT | `repo` scope | Broader access - use only if fine-grained isn't suitable |
| GitHub App | Contents: Read | Recommended for organizations |
Note: For private repositories, the token must have read access to repository contents. Without proper permissions, you'll receive a 404 error when looking up private actions.
Example Claude Desktop config with multi-org:
```json
{
  "mcpServers": {
    "github-actions": {
      "command": "deno",
      "args": [
        "run",
        "--allow-net",
        "--allow-env",
        "/path/to/mcp-github-actions/main.ts"
      ],
      "env": {
        "GITHUB_TOKEN_MY_ORG": "ghs_xxx...",
        "GITHUB_TOKEN_OTHER_ORG": "ghs_yyy...",
        "GITHUB_TOKEN": "ghp_zzz..."
      }
    }
  }
}
```

```bash
# Run the server
deno task start
# Run with watch mode (auto-reload)
deno task dev
# Type check
deno task check
# Lint
deno task lint
# Format
deno task fmt
# Compile to binary
deno task compile
```

- Always use SHA-pinned references in production workflows
- Check immutability status - immutable releases cannot be modified
- Add version comments for maintainability: `@sha # v4.2.0`
- Use Dependabot/Renovate to keep SHA references updated
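
An added example, not part of this project's code: a small TypeScript check that scans workflow text for `uses:` references and reports which are pinned to a full 40-character commit SHA and which still point at a movable tag or branch. The function names and the sample workflow are constructed for illustration; the checkout SHA is the one from the example output on this page.

```typescript
// Added example (not from mcp-github-action): audit `uses:` references in workflow text.
type PinStatus = "sha-pinned" | "mutable-ref" | "local" | "docker";
interface UsesFinding {
  line: number;                  // 1-based line number in the workflow text
  ref: string;                   // the reference exactly as written
  status: PinStatus;
  versionComment: string | null; // trailing "# v4.2.2" style comment, if present
}

const FULL_SHA = /^[0-9a-f]{40}$/;
function classifyUses(ref: string): PinStatus {
  if (ref.startsWith("./") || ref.startsWith("../")) return "local"; // action inside this repo
  if (ref.startsWith("docker://")) return "docker";                  // container image reference
  const at = ref.lastIndexOf("@");
  // Tags, branches and abbreviated SHAs are all treated as movable; only a full commit SHA passes.
  return at !== -1 && FULL_SHA.test(ref.slice(at + 1)) ? "sha-pinned" : "mutable-ref";
}

function auditWorkflow(yamlText: string): UsesFinding[] {
  const findings: UsesFinding[] = [];
  const usesLine = /^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(.*\S))?\s*$/;
  yamlText.split(/\r?\n/).forEach((text, i) => {
    const m = usesLine.exec(text);
    if (!m) return;
    const ref = m[1] ?? "";
    findings.push({ line: i + 1, ref, status: classifyUses(ref), versionComment: m[2] ?? null });
  });
  return findings;
}

// Constructed sample workflow (not taken from any real repository).
const SAMPLE_WORKFLOW = `
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-build
      - name: cache
        uses: actions/cache@v4.2.0
`;

function unpinned(yamlText: string): string[] {
  return auditWorkflow(yamlText)
    .filter((f) => f.status === "mutable-ref")
    .map((f) => `${f.line}: ${f.ref}`);
}
```

Each entry returned by `unpinned` is a reference to look up with this service and replace with its SHA-pinned form.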
MIT