feat(mcpg): upgrade MCP Gateway to v0.2.14, add OpenTelemetry OTLP tracing support

[Copilot]

Bumps the default MCP Gateway (gh-aw-mcpg) from v0.2.12 → v0.2.14 and wires the gateway's optional OpenTelemetry OTLP tracing configuration from the existing observability.otlp frontmatter section, enabling distributed tracing of MCP tool calls via OTLP/HTTP per spec §4.1.3.6 (v1.11.0).

Version bump

• DefaultMCPGatewayVersion: v0.2.12 → v0.2.14
• 181 workflow lock files recompiled
• Notable upstream changes: stricter auth validation, 6h default session timeout, OTLP trace export

OpenTelemetry config (via observability.otlp)

When observability.otlp.endpoint is configured, the gateway automatically receives an opentelemetry section in its JSON config. No new frontmatter field is needed — the existing OTLP configuration is reused:

observability:
  otlp:
    endpoint: "https://collector.example.com:4318/v1/traces"  # required; HTTPS
    headers: "Authorization=******"                            # optional; key=value pairs
    traceId: "${{ vars.PARENT_TRACE_ID }}"                    # optional; 32-char hex W3C trace ID
    spanId:  "${{ vars.PARENT_SPAN_ID }}"                     # optional; 16-char hex W3C span ID

This produces the following in the gateway's JSON config:

"opentelemetry": {
  "endpoint": "https://collector.example.com:4318/v1/traces",
  "headers": { "Authorization": "******" },
  "traceId": "...",
  "spanId": "..."
}

Static endpoint hostnames are automatically added to the AWF firewall allowlist (already handled by the existing injectOTLPConfig). GitHub Actions expressions in headers are skipped at compile time.

Implementation

• frontmatter_types.go: OTLPConfig extended with TraceID and SpanID fields
• observability_otlp.go: extractOTLPConfigFromRaw now also reads traceId and spanId from the raw frontmatter map
• tools_types.go: GatewayOpenTelemetryConfig struct; OpenTelemetry field on MCPGatewayRuntimeConfig
• mcp_gateway_config.go: buildGatewayOTLPFromObservability reads endpoint, headers, traceId, and spanId from observability.otlp; parseOTLPHeadersString converts the comma-separated key=value headers string into the map the gateway JSON expects (trims whitespace from keys and values; skips expressions)
• mcp_renderer.go: renders opentelemetry JSON block in the gateway config section with deterministically sorted headers, traceId, and spanId

[pelikhan]

@copilot the opentelenetry info is taken from observability.optl.
Do not add a new front matter under mcp

[Copilot]

@copilot the opentelenetry info is taken from observability.optl.
Do not add a new front matter under mcp

Done in 978c402. The gateway's opentelemetry config is now sourced from the existing observability.otlp section instead of a new sandbox.mcp.opentelemetry field. When observability.otlp.endpoint is configured, buildGatewayOTLPFromObservability reads the endpoint and parses the key=value headers string into the map the gateway JSON expects.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ase,codename,all-C (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw fflib (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha ath ../../../.pr**/*.json (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha ath ../../../.prettierignore (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility get .cfg 64/pkg/tool/linux_amd64/vet http.https://gitgit (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot the traceid and spanid need to be passed as well

[pelikhan]

@copilot headers typically come from an expression and cannot be parsed in go. They are passed in the config as is

[Copilot]

@copilot the traceid and spanid need to be passed as well

Done in 53e94cb. Added traceId and spanId to OTLPConfig, updated extractOTLPConfigFromRaw to read them, and buildGatewayOTLPFromObservability now propagates them to the GatewayOpenTelemetryConfig. The renderer already supported these fields, so they will appear in the gateway JSON config when set in observability.otlp.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD erignore go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD ode-gyp-bin/node-json go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE /usr/lib/systemdmcp/markitdown (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha -json GO111MODULE $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD run-script/lib/n/home/REDACTED/work/gh-aw/gh-aw/.github/workflows node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti/home/REDACTED/work/gh-aw/gh-aw/.github/workflows go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)