ci: publish to the official MCP Registry on release#39
Conversation
Adds a github-oidc mcp-publisher step to release.yml that publishes packages/server/server.json to registry.modelcontextprotocol.io whenever an npm release happens (same gate as the existing npm publish). Uses GitHub Actions OIDC — no stored secrets. server.json + package.json mcpName (io.github.taskade/mcp-server) are already the ownership handshake. Requires a one-time manual namespace seed by a maintainer before the first automated run: mcp-publisher login github && mcp-publisher publish.
|
There was a problem hiding this comment.
Pull request overview
This PR updates the release workflow to automatically publish the MCP server manifest (packages/server/server.json) to the official MCP Registry during the release pipeline, using GitHub Actions OIDC (no stored registry secrets).
Changes:
- Adds explicit job-level permissions, including
id-token: write, to enable GitHub OIDC login. - Adds a new “Publish to MCP Registry” step gated on the same
hasChangesets == 'false'condition as the npm publish step.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| curl -sL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" | tar xz mcp-publisher | ||
| ./mcp-publisher login github-oidc | ||
| ./mcp-publisher publish No newline at end of file |
| if: steps.changesets.outputs.hasChangesets == 'false' | ||
| working-directory: packages/server | ||
| run: | | ||
| curl -sL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" | tar xz mcp-publisher |
Addresses Copilot review on the registry-publish step: - Pin mcp-publisher to v1.7.9 (reproducible, reviewable releases) instead of 'latest' (supply-chain hygiene). - Use 'tar -xz -f -' to explicitly read the archive from stdin (portable on GNU tar / Ubuntu runners) and 'curl -fsSL' to fail on HTTP errors.
| run: | | ||
| curl -fsSL "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/mcp-publisher_linux_amd64.tar.gz" | tar -xz -f - mcp-publisher | ||
| ./mcp-publisher login github-oidc | ||
| ./mcp-publisher publish No newline at end of file |
| curl -fsSL "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/mcp-publisher_linux_amd64.tar.gz" | tar -xz -f - mcp-publisher | ||
| ./mcp-publisher login github-oidc | ||
| ./mcp-publisher publish No newline at end of file |
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| id-token: write # required for mcp-publisher GitHub OIDC login |
Addresses Copilot review: without pipefail a transient curl failure could be masked in the curl|tar pipeline. Fail fast on any error in the run block. (Deferred as acceptable: pinned version already mitigates the supply-chain risk; full sigstore verification and per-step OIDC scoping would require a separate job and are noted for follow-up.)
✅ Validated → fixed →
|
| Copilot finding | Verdict | Action |
|---|---|---|
tar xz without -f - may fail on GNU tar (Ubuntu) |
VALID | tar -xz -f - + curl -fsSL. |
releases/latest is non-reproducible / supply-chain risk |
VALID | Pinned MCP_PUBLISHER_VERSION=v1.7.9 (URL verified resolves). |
curl | tar can mask a failed download (no pipefail) |
VALID | Added set -euo pipefail. |
| No checksum/signature verification of the downloaded binary | valid, deferred | Pinned version mitigates; full sigstore verify is heavier — follow-up. |
id-token: write granted to the whole job |
valid, standard | GH permissions are job/workflow-scoped, not per-step; isolating needs a separate job — follow-up. |
QA: release.yml valid YAML; pinned asset URL resolves (HTTP 302 → asset).
Why not auto-merged: this step publishes to the official MCP Registry on the next release via mcp-publisher login github-oidc. That depends on registry-side GitHub-OIDC trust for the io.github.taskade namespace, which I can't verify from here. To avoid a red release pipeline, a maintainer should confirm/seed it (mcp-publisher login github && mcp-publisher publish) before merge. Confidence to auto-merge: low → re-review requested.
| set -euo pipefail | ||
| curl -fsSL "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/mcp-publisher_linux_amd64.tar.gz" | tar -xz -f - mcp-publisher | ||
| ./mcp-publisher login github-oidc |
Superseded by #36 — closing#36 landed the same capability with a strictly better architecture, addressing this PR's open Copilot concerns by construction:
First publish will be verified via manual dispatch after release PR #49 lands. |
What & why
The Taskade server is not yet in the official MCP Registry (verified:
registry.modelcontextprotocol.io/v0/servers?search=taskade→ 0 results). The registry is the upstream source most aggregators (Glama, MCPfinder, …) ingest, so listing once propagates discovery ecosystem-wide.This wires
packages/server/server.jsonto publish automatically on release via themcp-publisherCLI using GitHub Actions OIDC (no stored secrets). The assets are already in place —server.json(io.github.taskade/mcp-server) +package.jsonmcpNameare the registry ownership handshake.Changes
release.yml: add jobpermissions(id-token: writefor OIDC) + a Publish to MCP Registry step gated on the samehasChangesets == 'false'condition as the npm publish.Zero-regression
mcp-publisher_linux_amd64.tar.gzasset +login github-oidcconfirmed against registry releasev1.7.9.Before the first automated run, a maintainer with org access must seed the namespace once:
Depends on