Pass HTTP MCP server secrets to gateway container

[Copilot]

HTTP MCP server secrets (e.g., TAVILY_API_KEY) were collected from workflow frontmatter but not passed to the gateway Docker container, causing initialization failures in 6 workflows.

Root Cause

The MCP setup generator added secrets to the workflow step's env: block but omitted them from the Docker container's -e flags:

// Environment vars were collected here
mcpEnvVars := collectMCPEnvironmentVariables(tools, mcpTools, workflowData, hasAgenticWorkflows)

// But only gatewayConfig.Env was added to docker command
containerCmd += " -e " + envVarName  // Missing mcpEnvVars

Changes

pkg/workflow/mcp_setup_generator.go

• Add collected MCP environment variables to Docker container command
• Deduplicate environment variables to prevent duplicate -e flags
• Sort variable names for deterministic output

Before:

docker run ... -e GITHUB_TOKEN ... ghcr.io/githubnext/gh-aw-mcpg:v0.0.74

After:

docker run ... -e GITHUB_TOKEN ... -e TAVILY_API_KEY ... ghcr.io/githubnext/gh-aw-mcpg:v0.0.74

Tests:

• TestHTTPMCPSecretsPassedToGatewayContainer - single server case
• TestMultipleHTTPMCPSecretsPassedToGatewayContainer - multiple servers

Impact

Affects 6 workflows using shared/mcp/tavily.md: daily-news, mcp-inspector, research, scout, smoke-claude, smoke-codex.

Note: Repository secret TAVILY_API_KEY must still be added separately for workflows to succeed.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Daily News Workflow Failing: Missing TAVILY_API_KEY Secret</issue_title>
<issue_description>### Summary

The Daily News workflow has failed 10 consecutive runs (100% failure rate) due to a missing repository secret.

Status: 🚨 CRITICAL - Fix available and actionable
Last Success: Run #98 (2026-01-08)
Failure Duration: 10+ days
Affected Workflows: 6 total (daily-news, mcp-inspector, research, scout, smoke-claude, smoke-codex)

Root Cause

Missing TAVILY_API_KEY repository secret

The Daily News workflow includes the shared MCP server configuration shared/mcp/tavily.md, which requires:

mcp-servers:
  tavily:
    type: http
    url: "https://mcp.tavily.com/mcp/"
    headers:
      Authorization: "Bearer ${{ secrets.TAVILY_API_KEY }}"
    allowed: ["*"]

Error Evidence:

• Step 31 "Start MCP gateway" consistently fails
• Previous logs (Run MCP Network Permissions Test Results - Domain Restrictions Validation #107) showed: "undefined environment variable referenced: TAVILY_API_KEY"
• Workflow run fails before agent execution begins

Impact

Primary Impact: Daily News workflow cannot generate daily repository digests

Secondary Impact: 5 additional workflows potentially affected:

1. mcp-inspector.md
2. research.md
3. scout.md
4. smoke-claude.md
5. smoke-codex.md

All 6 workflows include shared/mcp/tavily.md and require the same secret.

Solution (RECOMMENDED): Add Repository Secret

Timeline: 5-10 minutes
Complexity: Low

Steps:

1. Navigate to Repository Settings → Secrets → Actions
2. Click "New repository secret"
3. Name: TAVILY_API_KEY
4. Value: [Valid Tavily API key]
5. Click "Add secret"

Expected Outcome:

• Next scheduled Daily News run (tomorrow 9am UTC) should succeed
• All 6 Tavily-dependent workflows should auto-recover

Alternative Solutions

Option 2: Remove Tavily Dependency (15-20 minutes)

If Tavily API access is not available:

1. Edit .github/workflows/daily-news.md and remove the Tavily import line
2. Update the workflow prompt to remove Tavily-specific instructions
3. Recompile workflow: make recompile
4. Apply same changes to other 5 affected workflows

Trade-off: Loses Tavily search capabilities, but workflow becomes operational

Option 3: Deprecate Workflow (5 minutes)

If Daily News is no longer needed:

1. Disable the workflow in GitHub Actions settings
2. Remove from scheduled runs
3. Document deprecation decision

Trade-off: User-facing daily digest feature lost

Verification Plan

After adding the secret:

1. Immediate: Trigger manual run via workflow_dispatch

   • Go to Actions → Daily News
   • Click "Run workflow" button
   • Verify Step 31 "Start MCP gateway" succeeds

2. Next Day: Monitor scheduled run (9am UTC)

   • Check run completes successfully
   • Verify discussion is created in daily-news category

3. Follow-up: Check status of other 5 Tavily-dependent workflows

   • Query recent runs for mcp-inspector, research, scout, smoke-claude, smoke-codex
   • Verify they're not experiencing the same failure

Recent Run History

Run #	Date	Status	Duration
#109	2026-01-21	❌ Failure	1m 33s
#108	2026-01-20	❌ Failure	1m 32s
#107	2026-01-19	❌ Failure	1m 35s
#106	2026-01-16	❌ Failure	1m 34s
#105	2026-01-16	❌ Failure	1m 33s
#104	2026-01-16	❌ Failure	1m 32s
#103	2026-01-15	❌ Failure	1m 31s
#102	2026-01-14	❌ Failure	1m 34s
#101	2026-01-13	❌ Failure	1m 33s
#100	2026-01-12	❌ Failure	1m 32s

Pattern: Consistent failure at MCP gateway initialization (Step 31), rapid failure (~90s), no agent execution.

Context

• Detected By: Workflow Health Manager meta-orchestrator
• Analysis Run: §21234278799
• Overall Workflow Health: 90/100 (this is the only critical issue)
• Related Recovery: Meta-orchestrators (Agent Performance Analyzer...

Custom agent used: technical-doc-writer
AI technical documentation writer for GitHub Actions library using GitHub Docs voice

• Fixes Daily News Workflow Failing: Missing TAVILY_API_KEY Secret #11152

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.