Add network access to agentic-workflows MCP server container

pkg/workflow/importable_tools_test.go

@@ -264,8 +264,8 @@ Uses imported agentic-workflows tool.
 	}
 
 	// Verify working directory args are present
-	if !strings.Contains(workflowData, `"args": ["-w", "${{ github.workspace }}"]`) {
-		t.Error("Expected args with working directory")
+	if !strings.Contains(workflowData, `"args": ["--network", "host", "-w", "${{ github.workspace }}"]`) {
+		t.Error("Expected args with network access and working directory")
 	}
 }
 

pkg/workflow/mcp_config_builtin.go

@@ -26,10 +26,11 @@
 //
 // 2. Agentic-workflows MCP server:
 //   - Transport: stdio (runs in Docker container)
-//   - Container: Alpine Linux with gh-aw binary mounted
-//   - Entrypoint: /opt/gh-aw/gh-aw mcp-server
-//   - Purpose: Enables workflow compilation, validation, and execution
-//   - Tools: compile, validate, list, status, run, etc.
+//   - Container: Alpine Linux with gh-aw binary mounted (or localhost/gh-aw:dev in dev mode)
+//   - Entrypoint: /opt/gh-aw/gh-aw mcp-server (release mode) or container default (dev mode)
+//   - Network: Enabled via --network host for GitHub API access (api.github.com)
+//   - Purpose: Enables workflow compilation, validation, and execution via gh aw CLI
+//   - Tools: compile, validate, list, status, audit, logs, add, update, fix
 //
 // HTTP vs stdio transport:
 // - HTTP: Server runs on host, accessible via HTTP URL with authentication
@@ -57,10 +58,12 @@
 //
 // Agentic-workflows configuration:
 // Agentic-workflows runs in a stdio container and requires:
-//   - Mounted gh-aw binary from /opt/gh-aw
+//   - Mounted gh-aw binary from /opt/gh-aw (release mode) or baked into image (dev mode)
+//   - Mounted gh CLI binary for GitHub API access (release mode) or baked into image (dev mode)
 //   - Mounted workspace for workflow files
 //   - Mounted temp directory for logs
 //   - GITHUB_TOKEN for GitHub API access
+//   - Network access enabled via --network host for api.github.com
 //
 // Related files:
 //   - mcp_renderer.go: Main renderer that calls these functions
@@ -226,9 +229,10 @@ func renderAgenticWorkflowsMCPConfigWithOptions(yaml *strings.Builder, isLast bo
 	}
 	yaml.WriteString("],\n")
 
-	// Add Docker runtime args to set working directory to workspace
-	// This ensures .github/workflows folder resolves correctly to workspace/.github/workflows
-	yaml.WriteString("                \"args\": [\"-w\", \"${{ github.workspace }}\"],\n")
+	// Add Docker runtime args:
+	// - --network host: Enables network access for GitHub API calls (gh CLI needs api.github.com)
+	// - -w: Sets working directory to workspace for .github/workflows folder resolution
+	yaml.WriteString("                \"args\": [\"--network\", \"host\", \"-w\", \"${{ github.workspace }}\"],\n")
 
 	// Note: tools field is NOT included here - the converter script adds it back
 	// for Copilot. This keeps the gateway config compatible with the schema.
@@ -334,9 +338,10 @@ func renderAgenticWorkflowsMCPConfigTOML(yaml *strings.Builder, actionMode Actio
 	}
 	yaml.WriteString("]\n")
 
-	// Add Docker runtime args to set working directory to workspace
-	// This ensures .github/workflows folder resolves correctly to workspace/.github/workflows
-	yaml.WriteString("          args = [\"-w\", \"${{ github.workspace }}\"]\n")
+	// Add Docker runtime args:
+	// - --network host: Enables network access for GitHub API calls (gh CLI needs api.github.com)
+	// - -w: Sets working directory to workspace for .github/workflows folder resolution
+	yaml.WriteString("          args = [\"--network\", \"host\", \"-w\", \"${{ github.workspace }}\"]\n")
 
 	// Use env_vars array to reference environment variables instead of embedding secrets
 	yaml.WriteString("          env_vars = [\"DEBUG\", \"GITHUB_TOKEN\"]\n")

pkg/workflow/mcp_config_compilation_test.go

@@ -325,8 +325,8 @@ This workflow tests that agentic-workflows uses the correct container in dev mod
 				}
 
 				// Verify working directory args are present
-				if !strings.Contains(string(lockContent), `"args": ["-w", "${{ github.workspace }}"]`) {
-					t.Error("Expected args with working directory in dev mode")
+				if !strings.Contains(string(lockContent), `"args": ["--network", "host", "-w", "${{ github.workspace }}"]`) {
+					t.Error("Expected args with network access and working directory in dev mode")
 				}
 			}
 		})

pkg/workflow/mcp_config_refactor_test.go

@@ -105,11 +105,11 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) {
 			expectedContent: []string{
 				`"agenticworkflows": {`,
 				`"type": "stdio"`,
-				`"container": "localhost/gh-aw:dev"`,                   // Dev mode uses locally built image
-				`"${{ github.workspace }}:${{ github.workspace }}:rw"`, // workspace mount (read-write)
-				`"/tmp/gh-aw:/tmp/gh-aw:rw"`,                           // temp directory mount (read-write)
-				`"args": ["-w", "${{ github.workspace }}"]`,            // Docker working directory
-				`"DEBUG": "*"`,                                         // Literal value for debug logging
+				`"container": "localhost/gh-aw:dev"`,                             // Dev mode uses locally built image
+				`"${{ github.workspace }}:${{ github.workspace }}:rw"`,           // workspace mount (read-write)
+				`"/tmp/gh-aw:/tmp/gh-aw:rw"`,                                     // temp directory mount (read-write)
+				`"args": ["--network", "host", "-w", "${{ github.workspace }}"]`, // Network access + working directory
+				`"DEBUG": "*"`,                                                   // Literal value for debug logging
 				`"GITHUB_TOKEN": "\${GITHUB_TOKEN}"`,
 				`              },`,
 			},
@@ -134,11 +134,11 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) {
 				`"container": "alpine:latest"`,
 				`"entrypoint": "/opt/gh-aw/gh-aw"`,
 				`"entrypointArgs": ["mcp-server"]`,
-				`"/opt/gh-aw:/opt/gh-aw:ro"`,                           // gh-aw binary mount (read-only)
-				`"/usr/bin/gh:/usr/bin/gh:ro"`,                         // gh CLI binary mount (read-only)
-				`"${{ github.workspace }}:${{ github.workspace }}:rw"`, // workspace mount (read-write)
-				`"/tmp/gh-aw:/tmp/gh-aw:rw"`,                           // temp directory mount (read-write)
-				`"args": ["-w", "${{ github.workspace }}"]`,            // Docker working directory
+				`"/opt/gh-aw:/opt/gh-aw:ro"`,                                     // gh-aw binary mount (read-only)
+				`"/usr/bin/gh:/usr/bin/gh:ro"`,                                   // gh CLI binary mount (read-only)
+				`"${{ github.workspace }}:${{ github.workspace }}:rw"`,           // workspace mount (read-write)
+				`"/tmp/gh-aw:/tmp/gh-aw:rw"`,                                     // temp directory mount (read-write)
+				`"args": ["--network", "host", "-w", "${{ github.workspace }}"]`, // Network access + working directory
 				`"DEBUG": "*"`,
 				`"GITHUB_TOKEN": "\${GITHUB_TOKEN}"`,
 				`              },`,
@@ -156,10 +156,10 @@ func TestRenderAgenticWorkflowsMCPConfigWithOptions(t *testing.T) {
 			actionMode:           ActionModeDev,
 			expectedContent: []string{
 				`"agenticworkflows": {`,
-				`"container": "localhost/gh-aw:dev"`,                   // Dev mode uses locally built image
-				`"${{ github.workspace }}:${{ github.workspace }}:rw"`, // workspace mount (read-write)
-				`"/tmp/gh-aw:/tmp/gh-aw:rw"`,                           // temp directory mount (read-write)
-				`"args": ["-w", "${{ github.workspace }}"]`,            // Docker working directory
+				`"container": "localhost/gh-aw:dev"`,                             // Dev mode uses locally built image
+				`"${{ github.workspace }}:${{ github.workspace }}:rw"`,           // workspace mount (read-write)
+				`"/tmp/gh-aw:/tmp/gh-aw:rw"`,                                     // temp directory mount (read-write)
+				`"args": ["--network", "host", "-w", "${{ github.workspace }}"]`, // Network access + working directory
 				// Environment variables
 				`"DEBUG": "*"`, // Literal value for debug logging
 				`"GITHUB_TOKEN": "$GITHUB_TOKEN"`,
@@ -302,7 +302,7 @@ func TestRenderAgenticWorkflowsMCPConfigTOML(t *testing.T) {
 			expectedContent := []string{
 				`[mcp_servers.agenticworkflows]`,
 				tt.expectedContainer,
-				`args = ["-w", "${{ github.workspace }}"]`, // Docker working directory
+				`args = ["--network", "host", "-w", "${{ github.workspace }}"]`, // Network access + working directory
 				`env_vars = ["DEBUG", "GITHUB_TOKEN"]`,
 			}
 			expectedContent = append(expectedContent, tt.expectedMounts...)

pkg/workflow/mcp_renderer_test.go

@@ -213,9 +213,9 @@ func TestRenderAgenticWorkflowsMCP_JSON_Copilot(t *testing.T) {
 	if !strings.Contains(output, `"GITHUB_TOKEN"`) {
 		t.Error("Expected GITHUB_TOKEN in env vars")
 	}
-	// Should have working directory args
-	if !strings.Contains(output, `"args": ["-w", "${{ github.workspace }}"]`) {
-		t.Error("Expected args with working directory set to workspace")
+	// Should have network access and working directory args
+	if !strings.Contains(output, `"args": ["--network", "host", "-w", "${{ github.workspace }}"]`) {
+		t.Error("Expected args with network access and working directory set to workspace")
 	}
 }