From 4b072fb895413df4d88a3ade9a00748e703525cf Mon Sep 17 00:00:00 2001 From: johnxie Date: Fri, 5 Jun 2026 04:04:44 -0700 Subject: [PATCH 1/3] ci: publish server.json to the official MCP Registry on release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a github-oidc mcp-publisher step to release.yml that publishes packages/server/server.json to registry.modelcontextprotocol.io whenever an npm release happens (same gate as the existing npm publish). Uses GitHub Actions OIDC — no stored secrets. server.json + package.json mcpName (io.github.taskade/mcp-server) are already the ownership handshake. Requires a one-time manual namespace seed by a maintainer before the first automated run: mcp-publisher login github && mcp-publisher publish.
---
 .github/workflows/release.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d929c1..813f2d4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,10 @@ jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ id-token: write # required for mcp-publisher GitHub OIDC login
 steps:
 - name: Checkout
 uses: actions/checkout@v4
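Review bot: In the new job-level `permissions` block only `id-token: write` carries a reason; `contents: write` and `pull-requests: write` have none, and because declaring the key sets every unlisted scope to `none`, this block is now the complete allow-list for the job. I would annotate each line with the step that needs it, e.g. `contents: write # changesets version commit and tag push` and `pull-requests: write # changesets release PR` (presumably what the `changesets` step uses; confirm against the steps outside this hunk). The `id-token` comment could also state that the grant is job-wide: `id-token: write # job-wide; needed only by the MCP Registry publish step`. The `release` job body continues past the end of the hunk.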
@@ -39,4 +43,17 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
\ No newline at end of file
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+ # Publishes packages/server/server.json to the official MCP Registry
+ # (registry.modelcontextprotocol.io) using GitHub Actions OIDC — no stored
+ # secrets. Runs under the same condition as the npm publish above so the
+ # registry version tracks the npm release. Requires a one-time manual
+ # namespace seed by a maintainer: `mcp-publisher login github && mcp-publisher publish`.
+ - name: Publish to MCP Registry
+ if: steps.changesets.outputs.hasChangesets == 'false'
+ working-directory: packages/server
+ run: |
+ curl -sL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" | tar xz mcp-publisher
+ ./mcp-publisher login github-oidc
+ ./mcp-publisher publish
\ No newline at end of file
From d21eaad4a7ed11f5e7a30a67c456bd1ecea910de Mon Sep 17 00:00:00 2001 From: johnxie Date: Fri, 5 Jun 2026 04:31:49 -0700 Subject: [PATCH 2/3] ci: pin mcp-publisher version and harden tar extraction Addresses Copilot review on the registry-publish step: - Pin mcp-publisher to v1.7.9 (reproducible, reviewable releases) instead of 'latest' (supply-chain hygiene). - Use 'tar -xz -f -' to explicitly read the archive from stdin (portable on GNU tar / Ubuntu runners) and 'curl -fsSL' to fail on HTTP errors.
---
 .github/workflows/release.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 813f2d4..0777a4f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
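Review bot: In PATCH 1/3, the `if: steps.changesets.outputs.hasChangesets == 'false'` gate on the new `Publish to MCP Registry` step holds on every run with no pending changesets, not only on runs that actually released a new version, so `./mcp-publisher publish` is presumably re-run against an unchanged `server.json`. If the registry rejects a version it already holds (not visible here; confirm), those runs fail the release workflow for no reason. If `steps.changesets` is the changesets action and it performs the npm publish, its `published` output is the tighter condition: `if: steps.changesets.outputs.published == 'true'`. Nothing in the step checks that the version recorded in `server.json` matches the package version just released, which the comment's "registry version tracks the npm release" depends on.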
@@ -53,7 +53,10 @@ jobs:
 - name: Publish to MCP Registry
 if: steps.changesets.outputs.hasChangesets == 'false'
 working-directory: packages/server
+ env:
+ # Pinned for reproducible, reviewable releases — bump deliberately.
+ MCP_PUBLISHER_VERSION: v1.7.9
 run: |
- curl -sL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" | tar xz mcp-publisher
+ curl -fsSL "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/mcp-publisher_linux_amd64.tar.gz" | tar -xz -f - mcp-publisher
 ./mcp-publisher login github-oidc
 ./mcp-publisher publish
\ No newline at end of file
From b75928835d5db0c56cd3ff3f658dae35fec21eee Mon Sep 17 00:00:00 2001 From: johnxie Date: Fri, 5 Jun 2026 04:52:37 -0700 Subject: [PATCH 3/3] ci: add set -euo pipefail to the MCP Registry publish step Addresses Copilot review: without pipefail a transient curl failure could be masked in the curl|tar pipeline. Fail fast on any error in the run block. (Deferred as acceptable: pinned version already mitigates the supply-chain risk; full sigstore verification and per-step OIDC scoping would require a separate job and are noted for follow-up.)
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0777a4f..67ace89 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -57,6 +57,7 @@ jobs:
 # Pinned for reproducible, reviewable releases — bump deliberately.
 MCP_PUBLISHER_VERSION: v1.7.9
 run: |
+ set -euo pipefail
 curl -fsSL "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/mcp-publisher_linux_amd64.tar.gz" | tar -xz -f - mcp-publisher
 ./mcp-publisher login github-oidc
 ./mcp-publisher publish
\ No newline at end of file
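Review bot: In PATCH 2/3, `MCP_PUBLISHER_VERSION` fixes which release tag is fetched but not which bytes: the `curl … | tar` line still extracts and then runs whatever asset is served under that tag, in a job that PATCH 1/3 granted `id-token: write` and `contents: write`. Recording the SHA-256 of the reviewed archive next to the version and checking it before extraction closes that gap with tools already on the runner; it requires writing the archive to a file instead of streaming it into `tar`. The same download line is carried unchanged as context in PATCH 3/3. The digest below is a placeholder to be filled in from the reviewed v1.7.9 archive and bumped together with the version.

```yaml
          # … unchanged: env: block with MCP_PUBLISHER_VERSION …
          # Placeholder: SHA-256 of the reviewed release archive; bump with the version.
          MCP_PUBLISHER_SHA256: "<sha256-of-reviewed-archive>"
        run: |
          curl -fsSL -o mcp-publisher.tar.gz "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/mcp-publisher_linux_amd64.tar.gz"
          echo "${MCP_PUBLISHER_SHA256}  mcp-publisher.tar.gz" | sha256sum -c -
          tar -xzf mcp-publisher.tar.gz mcp-publisher
          # … unchanged: mcp-publisher login github-oidc, mcp-publisher publish …
```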