GitHub MCP Server on Amazon Bedrock AgentCore

/** * Unit tests for docker/start.sh entrypoint script * * Validates: Requirements 3.2, 6.2, 6.5 * * Tests that start.sh: * - Exits non-zero when GITHUB_PAT_SECRET_ARN is unset * - Exits non-zero when secret fetch returns empty * - Runs supergateway with correct flags (stateless, port 8000, /healthz, --cors) */ import { describe, it, expect } from 'vitest'; import { readFileSync } from 'fs'; import { resolve } from 'path'; const START_SH_PATH = resolve(import.meta.dirname, '..', 'docker', 'start.sh'); const scriptContent = readFileSync(START_SH_PATH, 'utf-8'); describe('start.sh entrypoint script', () => { it('should use set -e for fail-fast behavior', () => { expect(scriptContent).toContain('set -e'); }); it('should exit non-zero when GITHUB_PAT_SECRET_ARN is unset', () => { // Script must check for empty/unset GITHUB_PAT_SECRET_ARN and exit 1 const hasEmptyCheck = scriptContent.includes('-z "$GITHUB_PAT_SECRET_ARN"'); const hasExitOnUnset = /if\s.*GITHUB_PAT_SECRET_ARN.*then[\s\S]*?exit\s+1/m.test(scriptContent); expect(hasEmptyCheck).toBe(true); expect(hasExitOnUnset).toBe(true); }); it('should print descriptive error when GITHUB_PAT_SECRET_ARN is unset', () => { // Find the block that checks for unset ARN and verify it has an error message const unsetBlock = scriptContent.match( /if\s+\[\s+-z\s+"\$GITHUB_PAT_SECRET_ARN"\s*\][\s\S]*?fi/m ); expect(unsetBlock).not.toBeNull(); expect(unsetBlock[0]).toMatch(/echo.*ERROR/i); }); it('should exit non-zero when secret fetch returns empty', () => { // After fetching, script must check if GITHUB_PERSONAL_ACCESS_TOKEN is empty const hasPostFetchCheck = scriptContent.includes('-z "$GITHUB_PERSONAL_ACCESS_TOKEN"'); expect(hasPostFetchCheck).toBe(true); // And exit 1 in that case const postFetchBlock = scriptContent.match( /if\s+\[\s+-z\s+"\$GITHUB_PERSONAL_ACCESS_TOKEN"\s*\][\s\S]*?fi/m ); expect(postFetchBlock).not.toBeNull(); expect(postFetchBlock[0]).toContain('exit 1'); }); it('should fetch secret using aws secretsmanager get-secret-value', () => { expect(scriptContent).toContain('aws secretsmanager get-secret-value'); expect(scriptContent).toContain('$GITHUB_PAT_SECRET_ARN'); }); it('should export GITHUB_PERSONAL_ACCESS_TOKEN from the fetched secret', () => { expect(scriptContent).toMatch(/export\s+GITHUB_PERSONAL_ACCESS_TOKEN=/); }); it('should exec supergateway with correct flags', () => { // Must use exec to replace the shell process expect(scriptContent).toMatch(/exec\s+supergateway/); // Verify all required flags expect(scriptContent).toContain('--stdio "github-mcp-server stdio"'); expect(scriptContent).toContain('--port 8000'); expect(scriptContent).toContain('--outputTransport streamableHttp'); expect(scriptContent).toContain('--healthEndpoint /healthz'); expect(scriptContent).toContain('--cors'); }); it('should NOT use --stateful flag (stateless mode required)', () => { // Supergateway defaults to stateless when --stateful is omitted expect(scriptContent).not.toContain('--stateful'); }); });