How to add GitHub MCP Server to Windsurf
GitHub's official server for repos, issues, PRs, and Actions — local Docker or hosted remote. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.
Last updated June 15, 2026 · 31k★ · stdio · apikey · official
Windsurf config for GitHub MCP Server
docker run -i --rm -e GITHUB_PERSONAL_ACCESS_TOKEN ghcr.io/github/github-mcp-server{
"mcpServers": {
"github-mcp-server": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"GITHUB_PERSONAL_ACCESS_TOKEN",
"ghcr.io/github/github-mcp-server"
],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "<your-github-pat>"
}
}
}
}Requires Docker to be installed and running.
Setup steps
- 1Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
- 2Paste the GitHub MCP Server config below.
- 3Fill in placeholder secrets, then save.
- 4Click Refresh in the MCP panel.
- 5GitHub MCP Server's tools become available to Cascade.
Before you start
- For the remote server: an MCP client that supports remote servers (VS Code 1.101+, Claude Desktop, Cursor, Windsurf) and either GitHub OAuth or a personal access token
- For local use: Docker running, or a Go build environment to build from source
- A GitHub personal access token — choose scopes for what you need, e.g. `repo` for repository/issue/PR operations, `read:org` for org/team data, `security_events` for code scanning, `notifications`, and `gist`
- For GitHub Enterprise Server: set GITHUB_HOST to your instance URL
What GitHub MCP Server can do in Windsurf
repos (toolset)Browse and manage repositories: get_file_contents, search_code, list_commits, create_branch, push files.
issues (toolset)Read and write issues: issue_read, issue_write, list_issues, search_issues.
pull_requests (toolset)Work with PRs: create_pull_request, pull_request_read, list_pull_requests, merge_pull_request.
actions (toolset)Inspect and run CI: actions_list, actions_get, actions_run_trigger, get_job_logs.
code_security / secret_protection (toolsets)Read scanning results: get_code_scanning_alert, get_secret_scanning_alert, list_dependabot_alerts.
users / orgs (toolsets)Look up users, organizations, and team membership.
discussions, gists, projects, labels, notifications, git (toolsets)Additional capabilities you can enable as needed for discussions, gists, project boards, labels, notifications, and low-level git operations.
Security
A personal access token grants broad read/write to your repos, so mint a fine-grained token limited to the repositories and scopes you actually need. The hosted remote server uses OAuth and avoids storing a long-lived token locally.
GitHub MCP Server + Windsurf FAQ
Where is the Windsurf config file?
Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the GitHub MCP Server config there under the "mcpServers" key and restart the client.
Is GitHub MCP Server safe to use with Windsurf?
A personal access token grants broad read/write to your repos, so mint a fine-grained token limited to the repositories and scopes you actually need. The hosted remote server uses OAuth and avoids storing a long-lived token locally.
Should I use the remote server or the local Docker image?
Use the hosted remote server (https://api.githubcopilot.com/mcp/) for the quickest setup and OAuth support. Use the local Docker image (ghcr.io/github/github-mcp-server) when you need self-hosting, air-gapped control, or GitHub Enterprise Server.
What token scopes do I need?
It depends on the toolsets. `repo` covers most repository, issue, and PR work; add `read:org` for org/team data, `security_events` for code scanning, and `notifications` or `gist` for those features. Grant the least privilege required.
How do I limit which tools are exposed?
Set GITHUB_TOOLSETS to a comma-separated list of toolsets (or GITHUB_TOOLS for individual tools). The defaults are context, repos, issues, pull_requests, and users.