feat(mcp): publish server.json to the official MCP registry on release#545
Conversation
Lists GoModel in registry.modelcontextprotocol.io as io.github.enterpilot/gomodel — an OCI package (docker.io/enterpilot/gomodel) with streamable HTTP transport at /mcp. The Dockerfile LABEL is the registry ownership proof and must match the server.json name. A new release job authenticates via GitHub OIDC (no secrets) after docker-promote, stamps the tag version into server.json, and publishes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughAdds MCP server metadata for GoModel and integrates release-time publication of its versioned Docker image to the MCP registry using OIDC authentication. ChangesMCP registry release
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant GitHubActions
participant ServerJson
participant MCPRegistry
GitHubActions->>ServerJson: Update release version and Docker image
GitHubActions->>MCPRegistry: Authenticate using GitHub OIDC
GitHubActions->>MCPRegistry: Publish MCP server artifact
Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 194-196: Update the Checkout step in the release workflow to use a
full commit SHA corresponding to a stable actions/checkout release instead of
the v7 tag, and add persist-credentials: false to disable credential
persistence.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: c1c4f00e-3610-4cb6-99b9-50f228c4b9df
📒 Files selected for processing (3)
.github/workflows/release.ymlDockerfileserver.json
| - name: Checkout | ||
| uses: actions/checkout@v7 | ||
|
|
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Pin GitHub Actions to a commit hash and disable credential persistence.
As per static analysis hints (zizmor), the checkout action is not pinned to a hash (violating blanket policy). Additionally, credential persistence should be disabled when not needed (persist-credentials: false) to prevent GitHub token leakage through artifacts.
Note: v7 is likely an invalid version for actions/checkout. Please replace <commit-hash> in the snippet below with the actual SHA of a stable release (e.g., v4).
🔒 Proposed fix
- name: Checkout
- uses: actions/checkout@v7
+ uses: actions/checkout@<commit-hash>
+ with:
+ persist-credentials: false🧰 Tools
🪛 zizmor (1.26.1)
[warning] 194-195: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 195-195: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release.yml around lines 194 - 196, Update the Checkout
step in the release workflow to use a full commit SHA corresponding to a stable
actions/checkout release instead of the v7 tag, and add persist-credentials:
false to disable credential persistence.
Source: Linters/SAST tools
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
| publish-mcp: | ||
| name: Publish to MCP Registry | ||
| runs-on: ubuntu-latest | ||
| # Registry verification pulls the versioned Docker Hub image, so the tag must exist first | ||
| needs: docker-promote |
There was a problem hiding this comment.
Non-blocking publish still blocks
The release notes say MCP registry failures should not block the release, but this job has needs: docker-promote and no continue-on-error, so any registry outage, OIDC failure, schema validation error, or mcp-publisher failure marks the whole release workflow failed after Docker promotion. Add job-level continue-on-error: true if this publish step is intended to be best-effort.
Context Used: AGENTS.md (source)
continue-on-error so a registry outage cannot fail the release, persist-credentials off (the job runs a third-party binary), and mcp-publisher pinned to v1.8.0 with checksum verification. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Addressed the review findings:
|
Summary
Registers GoModel's MCP gateway in the official MCP Registry (the app-store feed consumed by MCP clients) as
io.github.enterpilot/gomodel.The registry is not PR-based — listing happens by publishing a
server.jsonwith themcp-publisherCLI. This PR wires that up so every release publishes automatically:server.json— registry metadata: OCI packagedocker.io/enterpilot/gomodel:<version>, streamable HTTP transport athttp://localhost:8080/mcp, and theGOMODEL_MASTER_KEY/MCP_SERVERSenv vars surfaced for configuration. Validated against the official 2025-12-11 schema.Dockerfile— adds theio.modelcontextprotocol.server.nameLABEL, which is how the registry verifies we own the Docker Hub image (it must match theserver.jsonname).release.yml— newpublish-mcpjob,needs: docker-promote(verification pulls the versioned image from Docker Hub, so the tag must exist first). Auth is GitHub OIDC — publishing from this repo's CI grants theio.github.enterpilot/*namespace, no secrets to manage. The job stamps the tag version intoserver.jsonbefore publishing.User-visible impact
None at runtime. From the next release (v0.1.53+), GoModel appears in the MCP registry and downstream aggregators (client pickers, mcp.so, etc. consume the registry feed).
Notes
publish-mcpdon't block the rest of the release (parallel togoreleaser/github-release).🤖 Generated with Claude Code
Summary by CodeRabbit
server.jsonwith MCP server metadata, transport settings, and runtime configuration for the GoModel gateway.