mcp-gitlab-crunchtools 0.1.0__tar.gz

mcp_gitlab_crunchtools-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,53 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+
+      - name: Set up Python ${{ matrix.python-version }}
+        run: uv python install ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: uv sync --all-extras
+
+      - name: Run linter
+        run: uv run ruff check src tests
+
+      - name: Run type checker
+        run: uv run mypy src
+
+      - name: Run tests
+        run: uv run pytest -v
+        env:
+          GITLAB_TOKEN: "test_token_for_ci"
+
+  build-container:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build container image
+        run: |
+          docker build -f Containerfile -t mcp-gitlab:test .
+
+      - name: Verify container
+        run: |
+          # Just verify it starts (will fail due to no token, but should start)
+          timeout 5 docker run --rm mcp-gitlab:test || true

mcp_gitlab_crunchtools-0.1.0/.github/workflows/container.yml

@@ -0,0 +1,67 @@
+name: Container Build & Push
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  REGISTRY: quay.io
+  IMAGE_NAME: crunchtools/mcp-gitlab
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Quay.io
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push container image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Containerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run Trivy vulnerability scanner
+        if: github.event_name != 'pull_request'
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          format: "table"
+          exit-code: "0"
+          severity: "CRITICAL,HIGH"

mcp_gitlab_crunchtools-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,29 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for trusted publishing
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Build package
+        run: uv build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

mcp_gitlab_crunchtools-0.1.0/.github/workflows/security.yml

@@ -0,0 +1,140 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Run every Monday at 9 AM UTC
+    - cron: "0 9 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+  security-events: write
+
+jobs:
+  dependency-audit:
+    name: Dependency CVE Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Install pip-audit
+        run: uv pip install pip-audit
+
+      - name: Run pip-audit
+        id: audit
+        continue-on-error: true
+        run: |
+          uv run pip-audit --format=json --output=audit-results.json || true
+          uv run pip-audit --format=markdown --output=audit-results.md || true
+
+          # Check if there are vulnerabilities
+          if [ -f audit-results.json ]; then
+            VULN_COUNT=$(cat audit-results.json | python -c "import sys,json; data=json.load(sys.stdin); print(len([d for d in data if d.get('vulns', [])]))" 2>/dev/null || echo "0")
+            echo "vuln_count=$VULN_COUNT" >> $GITHUB_OUTPUT
+          else
+            echo "vuln_count=0" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Upload audit results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-audit-results
+          path: |
+            audit-results.json
+            audit-results.md
+          retention-days: 30
+
+      - name: Create issue for vulnerabilities
+        if: steps.audit.outputs.vuln_count != '0' && github.event_name == 'schedule'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            let body = '## Security Vulnerabilities Detected\n\n';
+            body += 'The weekly security scan found vulnerabilities in project dependencies.\n\n';
+
+            if (fs.existsSync('audit-results.md')) {
+              body += fs.readFileSync('audit-results.md', 'utf8');
+            }
+
+            body += '\n\n### Action Required\n';
+            body += '1. Review the vulnerabilities listed above\n';
+            body += '2. Update affected dependencies\n';
+            body += '3. Run `uv sync` and test\n';
+            body += '4. Create a PR with the fixes\n';
+
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: `Security Alert: CVEs found in dependencies (${new Date().toISOString().split('T')[0]})`,
+              body: body,
+              labels: ['security', 'dependencies']
+            });
+
+      - name: Fail on vulnerabilities (PRs only)
+        if: steps.audit.outputs.vuln_count != '0' && github.event_name == 'pull_request'
+        run: |
+          echo "::error::Security vulnerabilities found in dependencies. See audit results."
+          exit 1
+
+  container-scan:
+    name: Container Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build container image
+        run: |
+          docker build -f Containerfile -t mcp-gitlab:scan .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "mcp-gitlab:scan"
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"
+
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          queries: security-extended
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:python"

mcp_gitlab_crunchtools-0.1.0/.gitignore

@@ -0,0 +1,90 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# ruff
+.ruff_cache/
+
+# uv
+.uv/
+uv.lock
+
+# Local development
+.envrc
+.direnv/
+
+# OS files
+.DS_Store
+Thumbs.db

mcp_gitlab_crunchtools-0.1.0/CLAUDE.md

@@ -0,0 +1,153 @@
+# Claude Code Instructions
+
+This is a secure MCP server for GitLab projects, merge requests, issues, pipelines, and search. Works with any GitLab instance (gitlab.com, self-hosted, or enterprise).
+
+## Quick Start
+
+### Option 1: Using uvx (Recommended)
+
+```bash
+claude mcp add mcp-gitlab-crunchtools \
+    --env GITLAB_TOKEN=your_token_here \
+    -- uvx mcp-gitlab-crunchtools
+```
+
+### Option 2: Using Container
+
+```bash
+claude mcp add mcp-gitlab-crunchtools \
+    --env GITLAB_TOKEN=your_token_here \
+    -- podman run -i --rm -e GITLAB_TOKEN quay.io/crunchtools/mcp-gitlab
+```
+
+### Option 3: Self-Hosted GitLab
+
+```bash
+claude mcp add mcp-gitlab-crunchtools \
+    --env GITLAB_TOKEN=your_token_here \
+    --env GITLAB_URL=https://gitlab.example.com \
+    -- uvx mcp-gitlab-crunchtools
+```
+
+### Option 4: Local Development
+
+```bash
+cd ~/Projects/crunchtools/mcp-gitlab
+claude mcp add mcp-gitlab-crunchtools \
+    --env GITLAB_TOKEN=your_token_here \
+    -- uv run mcp-gitlab-crunchtools
+```
+
+## Creating a GitLab Personal Access Token
+
+### Step-by-Step Instructions
+
+1. **Log in to your GitLab instance**
+   - Go to https://gitlab.com (or your self-hosted URL)
+   - Sign in with your account
+
+2. **Navigate to Access Tokens**
+   - Click your avatar (top left)
+   - Select "Preferences"
+   - Click "Access Tokens" in the left sidebar
+   - Or go directly to: https://gitlab.com/-/user_settings/personal_access_tokens
+
+3. **Create a new token**
+   - **Token name**: `mcp-gitlab-crunchtools`
+   - **Expiration date**: Set an appropriate expiry (recommended: 90 days)
+   - **Scopes**: Select the scopes you need (see below)
+
+4. **Copy Your Token**
+   - **IMPORTANT: Copy the token immediately!**
+   - The token starts with `glpat-` and is only shown once
+   - Store it securely (password manager recommended)
+
+### Scope Selection
+
+#### Read-Only (safest)
+- `read_api` — Read access to projects, issues, MRs, pipelines
+
+#### Full Management (all MCP server features)
+- `api` — Full API access for creating/updating issues, MRs, and notes
+
+### Security Best Practices
+
+- **Principle of least privilege**: Use `read_api` if you only need to read
+- **Set expiration**: Always set an expiry date on tokens
+- **Rotate regularly**: Create new tokens periodically and revoke old ones
+- **Never commit tokens**: Don't put tokens in code or config files in git
+
+## Environment Variables
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `GITLAB_TOKEN` | Yes | — | Personal Access Token (starts with `glpat-`) |
+| `GITLAB_URL` | No | `https://gitlab.com` | GitLab instance URL |
+
+## Available Tools (27 tools)
+
+### Project Management (5 tools)
+- `list_projects` - List projects with filtering and search
+- `get_project` - Get project details by ID or path
+- `list_project_branches` - List repository branches
+- `get_project_branch` - Get a single branch
+- `list_project_commits` - List commits with date/path filtering
+
+### Group Management (3 tools)
+- `list_groups` - List groups with filtering
+- `get_group` - Get group details by ID or path
+- `list_group_projects` - List projects in a group (with subgroup support)
+
+### Merge Requests (7 tools)
+- `list_merge_requests` - List MRs by state, labels, milestone
+- `get_merge_request` - Get MR details
+- `create_merge_request` - Create a new MR
+- `update_merge_request` - Update MR title, description, state, assignees
+- `list_mr_notes` - List comments on an MR
+- `create_mr_note` - Add a comment to an MR
+- `get_mr_changes` - Get the diff for an MR
+
+### Issues (6 tools)
+- `list_issues` - List issues by state, labels, milestone, assignee
+- `get_issue` - Get issue details
+- `create_issue` - Create a new issue
+- `update_issue` - Update issue title, description, state, labels
+- `list_issue_notes` - List comments on an issue
+- `create_issue_note` - Add a comment to an issue
+
+### Pipelines (4 tools)
+- `list_pipelines` - List CI/CD pipelines with status filtering
+- `get_pipeline` - Get pipeline details
+- `list_pipeline_jobs` - List jobs in a pipeline
+- `get_job_log` - Get job log output
+
+### Search (2 tools)
+- `search_global` - Search across all accessible GitLab resources
+- `search_project` - Search within a specific project
+
+## Example Usage
+
+```
+User: List my GitLab projects
+User: Show open merge requests for group/project
+User: Create an issue in my-org/backend titled "Fix login timeout"
+User: Get the diff for MR !42 in my-org/frontend
+User: Show failed pipelines for my-org/api
+User: Search for "authentication" in project my-org/backend
+```
+
+## Development
+
+```bash
+# Install dependencies
+uv sync --all-extras
+
+# Run tests
+uv run pytest
+
+# Lint
+uv run ruff check src tests
+
+# Type check
+uv run mypy src
+```

mcp_gitlab_crunchtools-0.1.0/Containerfile

@@ -0,0 +1,44 @@
+# MCP GitLab CrunchTools Container
+# Built on Hummingbird Python image (Red Hat UBI-based) for enterprise security
+#
+# Build:
+#   podman build -t quay.io/crunchtools/mcp-gitlab .
+#
+# Run:
+#   podman run -e GITLAB_TOKEN=your_token quay.io/crunchtools/mcp-gitlab
+#
+# With Claude Code:
+#   claude mcp add mcp-gitlab-crunchtools \
+#     --env GITLAB_TOKEN=your_token \
+#     -- podman run -i --rm -e GITLAB_TOKEN quay.io/crunchtools/mcp-gitlab
+
+# Use Hummingbird Python image (Red Hat UBI-based with Python pre-installed)
+FROM quay.io/hummingbird/python:latest
+
+# Labels for container metadata
+LABEL name="mcp-gitlab-crunchtools" \
+      version="0.1.0" \
+      summary="Secure MCP server for GitLab projects, merge requests, issues, and pipelines" \
+      description="A security-focused MCP server for GitLab built on Red Hat UBI" \
+      maintainer="crunchtools.com" \
+      url="https://github.com/crunchtools/mcp-gitlab" \
+      io.k8s.display-name="MCP GitLab CrunchTools" \
+      io.openshift.tags="mcp,gitlab,devops"
+
+# Set working directory
+WORKDIR /app
+
+# Copy project files
+COPY pyproject.toml README.md ./
+COPY src/ ./src/
+
+# Install the package and dependencies
+RUN pip install --no-cache-dir .
+
+# Verify installation
+RUN python -c "from mcp_gitlab_crunchtools import main; print('Installation verified')"
+
+# Default: stdio transport (use -i with podman run)
+# HTTP:    --transport streamable-http (use -d -p 8015:8015 with podman run)
+EXPOSE 8015
+ENTRYPOINT ["python", "-m", "mcp_gitlab_crunchtools"]