
[awf] docker-manager: OIDC env vars ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN not forwarded into agent c [Content truncated due to length] #1792

@lpcox

Problem

When a workflow uses an HTTP MCP server with auth: { type: github-oidc }, the MCP gateway (running inside the AWF agent container) needs ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN to be present in its environment to mint GitHub OIDC tokens. Because AWF's Docker environment injection in src/docker-manager.ts does not explicitly forward these two GitHub Actions OIDC variables, they are absent inside the container even though they are set on the Actions runner host.

The gateway then fails at startup with:

```
[ERROR] Server "my-server" requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set.
        OIDC auth is only available when running in GitHub Actions with `permissions: { id-token: write }`
```

Context

Upstream issue: github/gh-aw#25224

The gh-aw compiler (mcp_setup_generator.go) is being fixed to include these vars in the docker run command it generates for the MCP gateway. However, the AWF firewall also controls which host environment variables reach the agent container, so both layers must be addressed.

Root Cause

In src/docker-manager.ts, the generateDockerCompose() function builds the explicit environment map for the agent container. The GitHub Actions OIDC variables (ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN) are not included in the base/framework env vars, nor are they picked up by --env-all unless that flag is explicitly passed.

Relevant code paths:

  • src/docker-manager.ts — generateDockerCompose() / buildAgentEnv(): controls which host env vars are injected
  • src/types.ts — WrapperConfig interface: defines known env var keys
  • src/cli.ts — argument parsing: --env-all flag allows all host vars through, but that's opt-in and broad

When --env-all is not used, only an explicit allowlist of env vars is forwarded. Since ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are not on that list, OIDC-based MCP authentication fails silently.

Proposed Solution

Add ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN to the set of GitHub Actions environment variables that AWF automatically forwards into the agent container when they are present on the host.

Concretely, in src/docker-manager.ts within the section that builds the agent's env map (alongside other GITHUB_* vars that are already forwarded), add:

```typescript
// GitHub Actions OIDC — required for MCP servers with auth.type: 'github-oidc'
if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
  env['ACTIONS_ID_TOKEN_REQUEST_URL'] = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
}
if (process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
  env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
}
```

This is safe: the vars are only forwarded when present (i.e., when running inside GitHub Actions), and they are scoped to the current job's OIDC context. No changes to the domain allowlist or iptables rules are required — OIDC token requests go to token.actions.githubusercontent.com which should already be in the domain allowlist for workflows that use OIDC.

If domain-allowlist enforcement is also needed, document that callers must include token.actions.githubusercontent.com in --allow-domains when using OIDC-authenticated MCP servers.

Generated by Firewall Issue Dispatcher
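The forwarding step proposed in the issue above, as an added TypeScript example that is not AWF's code and not part of the original issue. It goes beyond the proposed snippet in two ways: the two variables are forwarded only as a pair, and the host of the request URL itself is checked against the domain allowlist so a blocked token endpoint surfaces as a warning. `forwardOidcEnv`, `httpsHost` and `hostAllowed` are hypothetical names, and subdomain matching for `--allow-domains` and the https-only rule are assumptions.

```typescript
// Added example, not AWF's implementation. All function names are hypothetical.
type Env = Record<string, string | undefined>;

interface OidcForwardResult {
  env: Record<string, string>; // variables to inject into the agent container
  warnings: string[];          // operator-facing problems; never contains the token value
}

const OIDC_URL = "ACTIONS_ID_TOKEN_REQUEST_URL";
const OIDC_TOKEN = "ACTIONS_ID_TOKEN_REQUEST_TOKEN";

// Lower-cased host of an https URL, or null for anything else, including
// URLs with userinfo ("user@host"), which can disguise the real host.
function httpsHost(url: string): string | null {
  const m = /^https:\/\/([^\/?#]+)/i.exec(url);
  if (!m || m[1].indexOf("@") !== -1) return null;
  return m[1].replace(/:\d+$/, "").toLowerCase();
}

// True when host equals an allowed domain or is a subdomain of one
// (assumption: --allow-domains entries cover their subdomains).
function hostAllowed(host: string, allowDomains: string[]): boolean {
  for (const raw of allowDomains) {
    const d = raw.toLowerCase();
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

function forwardOidcEnv(hostEnv: Env, allowDomains: string[]): OidcForwardResult {
  const result: OidcForwardResult = { env: {}, warnings: [] };
  const url = hostEnv[OIDC_URL];
  const token = hostEnv[OIDC_TOKEN];
  if (!url && !token) return result; // not in Actions, or no id-token: write
  if (!url || !token) {
    // Half a credential is useless to the gateway: forward nothing and say why.
    result.warnings.push((url ? OIDC_TOKEN : OIDC_URL) + " is missing; OIDC vars not forwarded");
    return result;
  }
  const host = httpsHost(url);
  if (host === null) {
    result.warnings.push(OIDC_URL + " is not a plain https URL; OIDC vars not forwarded");
    return result;
  }
  result.env[OIDC_URL] = url;
  result.env[OIDC_TOKEN] = token;
  if (!hostAllowed(host, allowDomains)) {
    result.warnings.push("token endpoint host " + host + " is not covered by --allow-domains");
  }
  return result;
}
```

Passing `process.env` as `hostEnv` and the parsed `--allow-domains` list as `allowDomains` gives the env entries to merge into the agent container's map, plus warnings that can be logged without exposing the request token.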
