OpenSRE connects to GitHub via the GitHub MCP server to search code, browse recent commits, inspect files, and trace changes correlated with alerts — helping identify which deployment or code change triggered an incident.
First launch (macOS & Windows)
The first time you launch the interactive shell on macOS or Windows, OpenSRE asks
you to sign in to GitHub in your browser before the prompt appears. This runs the
same browser device-flow sign-in as Option 1 below, then connects GitHub
automatically. Sign in once and OpenSRE remembers it for future launches.
You can bypass this step — for example if GitHub sign-in is unavailable:
OPENSRE_SKIP_GITHUB_LOGIN=1 opensre
Prerequisites
- GitHub account with repository access
- One of: browser sign-in (recommended), a personal access token, or GitHub Copilot MCP access
Setup
Option 1: Interactive CLI (browser sign-in)
opensre integrations setup
OPENSRE_GITHUB_OAUTH_CLIENT_ID if you register your own app.
If you prefer, the same prompt lets you paste a token (PAT) instead.
Option 2: Environment variables
GITHUB_MCP_AUTH_TOKEN=ghp_your_personal_access_token
GITHUB_MCP_URL=https://api.githubcopilot.com/mcp/ # default
GITHUB_MCP_MODE=streamable-http # default
GITHUB_MCP_TOOLSETS=repos,issues,pull_requests,actions # default
| Variable | Default | Description |
|---|
GITHUB_MCP_AUTH_TOKEN | — | GitHub personal access token. Required unless you authorize in the browser (Option 1) |
GITHUB_MCP_URL | https://api.githubcopilot.com/mcp/ | GitHub MCP server URL |
GITHUB_MCP_MODE | streamable-http | Transport mode: streamable-http, sse, or stdio |
GITHUB_MCP_TOOLSETS | repos,issues,pull_requests,actions | Comma-separated toolsets to enable |
GITHUB_MCP_COMMAND | — | Command to run (required for stdio mode only) |
GITHUB_MCP_ARGS | — | Space-separated args for stdio mode |
OPENSRE_GITHUB_OAUTH_CLIENT_ID | (built-in) | OAuth App client id for browser sign-in (device flow). Override to use your own app |
Option 3: Persistent store
{
"version": 1,
"integrations": [
{
"id": "github-prod",
"service": "github",
"status": "active",
"credentials": {
"url": "https://api.githubcopilot.com/mcp/",
"mode": "streamable-http",
"auth_token": "ghp_your_token",
"toolsets": ["repos", "issues", "pull_requests", "actions"]
}
}
]
}
Creating a personal access token
- In GitHub, go to Settings → Developer settings → Personal access tokens → Tokens (classic)
- Click Generate new token
- Select the following scopes:
repo, read:org
- Copy the token
For GitHub Enterprise Server, set GITHUB_MCP_URL to your enterprise MCP endpoint.
Transport modes
| Mode | When to use |
|---|
streamable-http | Default. Works with GitHub Copilot MCP and most hosted instances |
sse | For older MCP servers using Server-Sent Events |
stdio | For running a local MCP server process (npx @modelcontextprotocol/server-github) |
Verify
opensre integrations verify github
Service: github
Status: passed
Detail: GitHub MCP validated for your-username; discovered 18 tools including repository source investigation helpers
Troubleshooting
| Symptom | Fix |
|---|
| Authentication failed | Check that the token has repo scope and is not expired |
| Required tools missing | Ensure toolsets include repos — it provides get_file_contents, list_commits, etc. |
| Connection refused | Verify GITHUB_MCP_URL is reachable and the MCP server is running |
| Browser sign-in unavailable | Set OPENSRE_GITHUB_OAUTH_CLIENT_ID to a device-flow-enabled OAuth App, or fall back to pasting a PAT |
| First-launch sign-in is blocking me | Set OPENSRE_SKIP_GITHUB_LOGIN=1 to bypass the first-launch GitHub prompt |
Security best practices
- Use a fine-grained personal access token with read-only repository access.
- Limit token scope to the repositories OpenSRE needs to inspect.
- Store the token in
.env, not in source code.
Tracer