ci(053): auto-publish server.json to MCP Registry on release (OIDC) #517
Merged
Adds .github/workflows/publish-mcp-registry.yml: on every GitHub Release (and via workflow_dispatch) it installs the pinned mcp-publisher, syncs server.json's version to the release tag, validates, authenticates via keyless GitHub OIDC (login github-oidc, id-token: write — no stored secret), and publishes to registry.modelcontextprotocol.io. The repo's OIDC identity proves smart-mcp-proxy org membership, which owns the io.github.smart-mcp-proxy namespace. Updated docs/mcp-registry-publishing.md to document the automation.
Dumbris added a commit that referenced this pull request May 23, 2026
…g release.yml job (#518)

release.yml already has an 'mcp-registry' job that publishes server.json on every tag via keyless GitHub OIDC (continue-on-error) — it has shipped 44 versions to registry.modelcontextprotocol.io. The publish-mcp-registry.yml added in #517 was a redundant duplicate that would have thrown 'cannot publish duplicate version' on every release. Removes it and corrects docs/mcp-registry-publishing.md to reference the existing automation instead of claiming publishing was manual.
Answers "can we publish new registry versions from CI?" — yes, keyless via GitHub OIDC.
Adds .github/workflows/publish-mcp-registry.yml:

- release: published + manual workflow_dispatch (optional version input).
- permissions: id-token: write → mcp-publisher login github-oidc exchanges the workflow's OIDC token for a short-lived Registry JWT. No stored secret/token. The repo's OIDC identity proves smart-mcp-proxy org membership, which owns the io.github.smart-mcp-proxy namespace.
- mcp-publisher (v1.7.9) binary; actions/checkout SHA-pinned per repo convention.
- server.json's version to the release tag at publish time (strips v), so no hand-bumping.
- mcp-publisher validate) before publishing.

Why this matters: the interactive mcp-publisher login github token expires quickly (hit a 401 "token expired" doing it by hand). OIDC removes the manual login entirely and keeps the registry entry in lockstep with releases.

Validated with actionlint. First publish happens on the next release (or a manual dispatch). Pairs with #516 (server.json description refresh).
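Added example, not part of this pull request and not the registry's or mcp-publisher's code: a model of the claim checks a relying party could apply to a GitHub Actions OIDC token before allowing a publish into an `io.github.<owner>` namespace. It assumes the namespace is derived from the token's `repository_owner` claim; the audience value, repository name and server name are constructed placeholders, and signature verification against GitHub's published keys is left out.

```python
import base64
import json
import time

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(claims):
    """Constructed, unsigned stand-in for a workflow OIDC token."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "sig"])

def decode_claims(jwt):
    """Read the payload for inspection. Does NOT verify the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def may_publish(claims, server_name, audience, now=None):
    """Return (allowed, reason) for publishing server_name with these claims."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        return False, "issuer is not GitHub Actions"
    if claims.get("aud") != audience:
        return False, "token minted for a different audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired"
    owner = claims.get("repository_owner")
    namespace, sep, name = server_name.partition("/")
    if not owner or not sep or not name:
        return False, "missing owner claim or malformed server name"
    # Compare the whole namespace, not a prefix: owner "smart-mcp" must not
    # match "io.github.smart-mcp-proxy".
    if namespace.lower() != f"io.github.{owner.lower()}":
        return False, "owner does not own this namespace"
    return True, "ok"

NOW = 1_800_000_000  # fixed clock for the constructed sample
CLAIMS = {  # constructed sample; repo and audience names are placeholders
    "iss": GITHUB_OIDC_ISSUER, "aud": "example-registry", "exp": NOW + 300,
    "repository": "smart-mcp-proxy/example-repo",
    "repository_owner": "smart-mcp-proxy",
}
```

Because the check keys on the owner claim alone, any workflow in any repository of that owner that is granted `id-token: write` can obtain a token that passes it, so that permission is worth scoping to the publishing job only.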