GitHub MCP Project Setup
This skill sets up per-project GitHub MCP configuration, keeping your GitHub Personal Access Token (PAT) isolated to specific projects rather than granting global access.
When to Use
Use this skill when:
- •You need to access GitHub (PRs, issues, repo content) from Claude Code
- •The project doesn't have GitHub MCP configured yet
- •You want to avoid using a global GitHub PAT
Security Notice
CRITICAL: Claude must NEVER read files that may contain tokens.
- •Never read
.mcp.jsonafter the user has added their token - •Never read
.envfiles or any files that might contain secrets - •The user is responsible for adding their token directly to the file
Instructions for Claude
When this skill is invoked:
Step 1: Create .mcp.json with Placeholder
Write this file to the project root (creating or overwriting):
{
"mcpServers": {
"github": {
"type": "http",
"url": "https://api.githubcopilot.com/mcp",
"headers": {
"Authorization": "Bearer YOUR_TOKEN_HERE"
}
}
}
}
Step 2: Update .gitignore
Add .mcp.json to .gitignore if not already present:
# Check and add to .gitignore grep -q "^\.mcp\.json$" .gitignore 2>/dev/null || echo ".mcp.json" >> .gitignore
Step 3: Guide the User
Tell the user:
Setup complete! Now you need to:
- •
Create a Fine-Grained PAT at: https://github.com/settings/personal-access-tokens/new
- •Token name: "Claude Code - [project name]"
- •Expiration: 90 days (or as needed)
- •Repository access: "Only select repositories" → select just this repo
- •Permissions:
- •Contents: Read and write
- •Issues: Read and write
- •Pull requests: Read and write
- •Metadata: Read-only (auto-selected)
- •
Edit
.mcp.jsonin your project root and replaceYOUR_TOKEN_HEREwith your PAT- •
Restart Claude Code (MCP only loads on startup)
- •
Verify with:
claude mcp list
Alternative: CLI Method
If preferred, the user can run this command directly (replacing with their actual PAT):
claude mcp add-json github '{"type":"http","url":"https://api.githubcopilot.com/mcp","headers":{"Authorization":"Bearer YOUR_PAT_HERE"}}' --scope project
This stores the token directly in the project config.
Security Notes
- •
.mcp.jsonis automatically added to.gitignoreto prevent accidental commits - •Fine-grained PATs limit access to specific repositories only
- •Project-level config means the token only works in this project directory
- •Tokens can be revoked anytime at https://github.com/settings/tokens
- •Claude will never read the .mcp.json file after setup to protect your token