From d03f14a5348b45fa34d2594aa48391109e547ff1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 3 Apr 2026 20:13:33 +0000
Subject: [PATCH 1/3] Initial plan
From 10e33efcf0f0cb2553c18f0c925998fac0626d1e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 3 Apr 2026 20:30:55 +0000
Subject: [PATCH 2/3] fix: add auth field to http_mcp_tool schema definition (#23611 follow-up)
The auth field for GitHub Actions OIDC authentication on HTTP MCP servers was implemented in Go code and the MCP Gateway schema but was missing from the frontmatter validation schema (main_workflow_schema.json), causing the compiler to reject workflows with auth fields. Adds auth to the http_mcp_tool definition in main_workflow_schema.json, matching the schema already present in mcp-gateway-config.schema.json.
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8a0a67c3-4724-4499-85b7-cb7863ba8444
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/parser/schemas/main_workflow_schema.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
index 09794f5d5d..f312a3ae3b 100644
--- a/pkg/parser/schemas/main_workflow_schema.json
+++ b/pkg/parser/schemas/main_workflow_schema.json
@@ -9657,6 +9657,24 @@
 "type": "string"
 },
 "examples": [["*"], ["store_memory", "retrieve_memory"], ["brave_web_search"]]
+ },
+ "auth": {
+ "type": "object",
+ "description": "Upstream authentication configuration for the HTTP MCP server. When configured, the gateway dynamically acquires tokens and injects them as Authorization headers on every outgoing request to this server. Currently only GitHub Actions OIDC is supported.",
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": ["github-oidc"],
+ "description": "Authentication type. Currently only 'github-oidc' is supported, which acquires short-lived JWTs from the GitHub Actions OIDC endpoint."
+ },
+ "audience": {
+ "type": "string",
+ "description": "The intended audience for the OIDC token (the 'aud' claim). If omitted, defaults to the server's url field.",
+ "format": "uri"
+ }
+ },
+ "required": ["type"],
+ "additionalProperties": false
 }
 },
 "required": ["url"],
From 02af79fbe34956b03f6ee6ddf9017537874945af Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 3 Apr 2026 21:05:48 +0000
Subject: [PATCH 3/3] refactor: extract http_mcp_auth as reusable $defs type in schema
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a8d88dc5-e58c-45d4-826c-31aa5c6244a4
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/parser/schemas/main_workflow_schema.json | 35 +++++++++++---------
 1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
index f312a3ae3b..66026536a3 100644
--- a/pkg/parser/schemas/main_workflow_schema.json
+++ b/pkg/parser/schemas/main_workflow_schema.json
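Review bot: The `audience` property in the `auth` block added by PATCH 2/3 is constrained only by `"type": "string"` and `"format": "uri"`, and `format` is an annotation unless the validator is configured to assert it, so an empty or non-URI audience may pass compilation. Because this value becomes the `aud` claim that the upstream server checks, I would add `"minLength": 1` next to `"format": "uri"` and confirm that the frontmatter validator enforces formats. The same property is moved unchanged into `http_mcp_auth` by PATCH 3/3, so in the final tree the change belongs there. The enclosing `http_mcp_tool` definition starts before this hunk, so whether its `url` is limited to https, which matters once a bearer token is attached to every request, cannot be checked from here.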
@@ -9659,27 +9659,30 @@
 "examples": [["*"], ["store_memory", "retrieve_memory"], ["brave_web_search"]]
 },
 "auth": {
- "type": "object",
- "description": "Upstream authentication configuration for the HTTP MCP server. When configured, the gateway dynamically acquires tokens and injects them as Authorization headers on every outgoing request to this server. Currently only GitHub Actions OIDC is supported.",
- "properties": {
- "type": {
- "type": "string",
- "enum": ["github-oidc"],
- "description": "Authentication type. Currently only 'github-oidc' is supported, which acquires short-lived JWTs from the GitHub Actions OIDC endpoint."
- },
- "audience": {
- "type": "string",
- "description": "The intended audience for the OIDC token (the 'aud' claim). If omitted, defaults to the server's url field.",
- "format": "uri"
- }
- },
- "required": ["type"],
- "additionalProperties": false
+ "$ref": "#/$defs/http_mcp_auth"
 }
 },
 "required": ["url"],
 "additionalProperties": false
 },
+ "http_mcp_auth": {
+ "type": "object",
+ "description": "Upstream authentication configuration for the HTTP MCP server. When configured, the gateway dynamically acquires tokens and injects them as Authorization headers on every outgoing request to this server. Currently only GitHub Actions OIDC is supported.",
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": ["github-oidc"],
+ "description": "Authentication type. Currently only 'github-oidc' is supported, which acquires short-lived JWTs from the GitHub Actions OIDC endpoint."
+ },
+ "audience": {
+ "type": "string",
+ "description": "The intended audience for the OIDC token (the 'aud' claim). If omitted, defaults to the server's url field.",
+ "format": "uri"
+ }
+ },
+ "required": ["type"],
+ "additionalProperties": false
+ },
 "github_token": {
 "type": "string",
 "pattern": "^\\$\\{\\{\\s*(secrets\\.[A-Za-z_][A-Za-z0-9_]*(\\s*\\|\\|\\s*secrets\\.[A-Za-z_][A-Za-z0-9_]*)*|needs\\.[A-Za-z_][A-Za-z0-9_]*\\.outputs\\.[A-Za-z_][A-Za-z0-9_]*)\\s*\\}\\}$",
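Review bot: The descriptions in the new `http_mcp_auth` definition do not say what the workflow must grant for `github-oidc` to work; GitHub Actions only issues OIDC tokens to jobs that have `permissions: id-token: write`. Unless the compiler adds that permission itself (not visible in this patch), I would extend the `type` description with a sentence such as `Requires the 'id-token: write' permission on the job.` so that a schema-valid workflow is not left unable to obtain a token at run time. An `examples` entry such as `[{"type": "github-oidc"}]` would also match the style of the neighbouring `examples` line.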