fix(http): make --read-only flag work in HTTP mode

The --read-only flag and GITHUB_READ_ONLY environment variable were
being completely ignored in HTTP mode, causing write tools like
create_branch, create_pull_request, and merge_pull_request to remain
accessible and functional even when read-only mode was requested.

This fix:
- Adds ReadOnly field to ServerConfig struct
- Passes the --read-only flag from main.go to HTTP config
- Creates withGlobalReadonly middleware to enforce readonly mode globally
- Adds test coverage for the global readonly configuration

Issue #2156

Author: furkankoykiran

cmd/github-mcp-server/main.go

@@ -119,6 +119,7 @@ var (
 				LockdownMode:         viper.GetBool("lockdown-mode"),
 				RepoAccessCacheTTL:   &ttl,
 				ScopeChallenge:       viper.GetBool("scope-challenge"),
+				ReadOnly:             viper.GetBool("read-only"),
 			}
 
 			return ghhttp.RunHTTPServer(httpConfig)

pkg/http/handler_test.go

@@ -409,3 +409,51 @@ func TestHTTPHandlerRoutes(t *testing.T) {
 		})
 	}
 }
+
+func TestWithGlobalReadonly(t *testing.T) {
+	tests := []struct {
+		name           string
+		readonly       bool
+		expectReadonly bool
+	}{
+		{
+			name:           "readonly config enables readonly mode",
+			readonly:       true,
+			expectReadonly: true,
+		},
+		{
+			name:           "non-readonly config leaves readonly disabled",
+			readonly:       false,
+			expectReadonly: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := &ServerConfig{
+				Version:  "test",
+				ReadOnly: tt.readonly,
+			}
+
+			middleware := withGlobalReadonly(cfg)
+
+			// Create a handler that will check the context
+			var contextReadonly bool
+			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				contextReadonly = ghcontext.IsReadonly(r.Context())
+				w.WriteHeader(http.StatusOK)
+			})
+
+			// Apply middleware
+			handler := middleware(next)
+
+			// Create request and execute
+			req := httptest.NewRequest(http.MethodGet, "/", nil)
+			rr := httptest.NewRecorder()
+			handler.ServeHTTP(rr, req)
+
+			// Verify the readonly state matches the config
+			assert.Equal(t, tt.expectReadonly, contextReadonly, "readonly context should match config")
+		})
+	}
+}

pkg/http/server.go

@@ -67,6 +67,9 @@ type ServerConfig struct {
 	// ScopeChallenge indicates if we should return OAuth scope challenges, and if we should perform
 	// tool filtering based on token scopes.
 	ScopeChallenge bool
+
+	// ReadOnly indicates if the server should run in read-only mode globally
+	ReadOnly bool
 }
 
 func RunHTTPServer(cfg ServerConfig) error {
@@ -145,6 +148,9 @@ func RunHTTPServer(cfg ServerConfig) error {
 		// Register Middleware First, needs to be before route registration
 		handler.RegisterMiddleware(r)
 
+		// Apply global readonly setting from server config
+		r.Use(withGlobalReadonly(&cfg))
+
 		// Register MCP server routes
 		handler.RegisterRoutes(r)
 	})
@@ -219,3 +225,17 @@ func createHTTPFeatureChecker() inventory.FeatureFlagChecker {
 		return false, nil
 	}
 }
+
+// withGlobalReadonly is middleware that applies the server's global readonly setting
+func withGlobalReadonly(cfg *ServerConfig) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if cfg.ReadOnly {
+				ctx := ghcontext.WithReadonly(r.Context(), true)
+				next.ServeHTTP(w, r.WithContext(ctx))
+			} else {
+				next.ServeHTTP(w, r)
+			}
+		})
+	}
+}