From 41a55587f134488c45bdd86a2f2f8d05c7a55a0f Mon Sep 17 00:00:00 2001
From: johnxie
Date: Thu, 4 Jun 2026 17:09:12 -0700
Subject: [PATCH 1/2] ci(mcp-registry): auto-publish to the official MCP Registry via GitHub OIDC Adds a workflow that publishes io.github.taskade/mcp-server to registry.modelcontextprotocol.io with no secrets (GitHub OIDC). - Fires on the `@taskade/mcp-server@*` release tag (pushed by changesets after npm publish), and on manual workflow_dispatch. - Auto-syncs packages/server/server.json version from package.json at publish time, so it can never drift from the published npm version again. "Set once, never touch again": after this + the 0.0.3 server.json bump (#35), the registry entry stays current automatically on every release.
---
 .github/workflows/publish-mcp-registry.yml | 47 ++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 .github/workflows/publish-mcp-registry.yml
diff --git a/.github/workflows/publish-mcp-registry.yml b/.github/workflows/publish-mcp-registry.yml
new file mode 100644
index 0000000..396e8c2
--- /dev/null
+++ b/.github/workflows/publish-mcp-registry.yml
@@ -0,0 +1,47 @@
+name: Publish to MCP Registry
+
+# Publishes io.github.taskade/mcp-server to the official MCP Registry
+# (https://registry.modelcontextprotocol.io) using GitHub OIDC — no secrets.
+#
+# Trigger:
+# - automatically when a release tags the server package (changesets pushes a
+# `@taskade/mcp-server@` tag right after the npm publish succeeds), so
+# the npm version always exists before we register it.
+# - manually via "Run workflow" to (re)publish the current npm version.
+#
+# Note: the server.json version is auto-synced from packages/server/package.json
+# at publish time, so it can never drift out of sync with the published npm
+# version again (the registry rejects a version that isn't on npm).
+
+on:
+ push:
+ tags:
+ - "@taskade/mcp-server@*"
+ workflow_dispatch:
+
+jobs:
+ publish-registry:
+ name: Publish to MCP Registry
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # required for GitHub OIDC auth to the registry
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Sync server.json version to the published npm version
+ run: |
+ node -e "const fs=require('fs');const p='packages/server/server.json';const s=JSON.parse(fs.readFileSync(p,'utf8'));const v=require('./packages/server/package.json').version;s.version=v;(s.packages||[]).forEach(k=>{k.version=v});fs.writeFileSync(p,JSON.stringify(s,null,2)+'\n');console.log('server.json synced to '+v)"
+
+ - name: Install mcp-publisher
+ run: |
+ curl -L "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar xz mcp-publisher
+ sudo mv mcp-publisher /usr/local/bin/
+
+ - name: Authenticate via GitHub OIDC
+ run: mcp-publisher login github-oidc
+
+ - name: Publish to MCP Registry
+ working-directory: packages/server
+ run: mcp-publisher publish
From b86213f96eb484b78066ddd1763e33b94d8f418d Mon Sep 17 00:00:00 2001
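Review bot: The `publish-registry` job holds `id-token: write` and can be started by `workflow_dispatch` from any ref, so a manual run on a feature branch would publish whatever `packages/server/server.json` and `package.json` that branch contains under the repository's OIDC identity. Consider gating the job with `if: github.ref_type == 'tag' || github.ref_name == github.event.repository.default_branch`, or attaching a protected `environment:` so each run needs approval. In the same job, `actions/checkout@v4` is a mutable tag; pinning it to a full commit SHA (`uses: actions/checkout@<full-commit-sha> # v4`) and adding `persist-credentials: false` narrows what third-party code can do inside a job that can mint OIDC tokens. The header comment also says a manual run republishes "the current npm version", while the sync step reads the version from the checked-out `package.json` rather than from npm, so the comment should describe that.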
From: johnxie
Date: Tue, 9 Jun 2026 12:25:10 -0700
Subject: [PATCH 2/2] ci: pin mcp-publisher to v1.7.9 and harden the download Same hardening Copilot required on the release-step variant: pinned version (reproducible, reviewable bumps), curl -fsSL, tar -xz -f -, set -euo pipefail.
---
 .github/workflows/publish-mcp-registry.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish-mcp-registry.yml b/.github/workflows/publish-mcp-registry.yml
index 396e8c2..2f8bf2f 100644
--- a/.github/workflows/publish-mcp-registry.yml
+++ b/.github/workflows/publish-mcp-registry.yml
@@ -35,8 +35,12 @@ jobs:
 node -e "const fs=require('fs');const p='packages/server/server.json';const s=JSON.parse(fs.readFileSync(p,'utf8'));const v=require('./packages/server/package.json').version;s.version=v;(s.packages||[]).forEach(k=>{k.version=v});fs.writeFileSync(p,JSON.stringify(s,null,2)+'\n');console.log('server.json synced to '+v)"
 - name: Install mcp-publisher
+ env:
+ # Pinned for reproducible, reviewable releases — bump deliberately.
+ MCP_PUBLISHER_VERSION: v1.7.9
 run: |
- curl -L "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar xz mcp-publisher
+ set -euo pipefail
+ curl -fsSL "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/mcp-publisher_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar -xz -f - mcp-publisher
 sudo mv mcp-publisher /usr/local/bin/
 - name: Authenticate via GitHub OIDC
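Review bot: The "Install mcp-publisher" step still pipes the tarball straight from `curl` into `tar` and installs the binary with no integrity check, in a job that holds `id-token: write`. Pinning `MCP_PUBLISHER_VERSION` fixes which release is requested, but a release asset can be replaced under the same tag, so the pin alone does not make the download reproducible. Downloading to a file and verifying a SHA-256 recorded next to the version closes that gap. The digest below is a placeholder to be filled in from the release being pinned; it is tied to one OS/architecture, so the check fails closed if the runner image changes.

```yaml
      - name: Install mcp-publisher
        env:
          MCP_PUBLISHER_VERSION: v1.7.9
          # SHA-256 of the pinned release asset; bump together with the version.
          MCP_PUBLISHER_SHA256: "<sha256-of-pinned-asset>"
        run: |
          set -euo pipefail
          asset="mcp-publisher_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz"
          curl -fsSL -o "${asset}" "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/${asset}"
          echo "${MCP_PUBLISHER_SHA256}  ${asset}" | sha256sum -c -
          tar -xzf "${asset}" mcp-publisher
          # … unchanged: sudo mv mcp-publisher /usr/local/bin/ …
```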