From e42de7ee58c9fb6a15aa5d11b054f734a8d85c88 Mon Sep 17 00:00:00 2001 From: shahinyanm Date: Thu, 11 Jun 2026 21:30:44 +0400 Subject: [PATCH 1/2] =?UTF-8?q?ci:=20fix=20publish=20pipeline=20=E2=80=94?= =?UTF-8?q?=20automate=20npm=20+=20repair=20MCP=20Registry=20auth?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The publish-mcp workflow failed on every tag since v0.45.0 with "not authenticated, run 'mcp-publisher login' first": the modern mcp-publisher splits auth from publish, but the step still called the removed `publish --github-oidc` flag. server.json was also frozen at 0.19.2, so even a successful publish would have shipped a stale version. - Split into two ordered jobs: `npm` (publish to npmjs) then `mcp` (publish to the MCP Registry, which validates the npm version exists). - npm job verifies the tag matches package.json before publishing, uses NODE_AUTH_TOKEN from the NPM_TOKEN secret. - mcp job syncs server.json (top + packages[].version) to the tag, runs `mcp-publisher login github-oidc`, then `publish`. - Add workflow_dispatch for manual re-runs. - Bump committed server.json 0.19.2 -> 0.45.1. Requires repo secret NPM_TOKEN (npm automation token with publish rights). Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/publish-mcp.yml | 52 ++++++++++++++++++++++++++++--- server.json | 4 +-- 2 files changed, 50 insertions(+), 6 deletions(-) diff --git a/.github/workflows/publish-mcp.yml b/.github/workflows/publish-mcp.yml index 873e72c..c8c7cca 100644 --- a/.github/workflows/publish-mcp.yml +++ b/.github/workflows/publish-mcp.yml 
@@ -1,16 +1,52 @@ -name: Publish to MCP Registry +name: Publish (npm + MCP Registry) +# Fires on a version tag. Two ordered jobs: +# 1. npm — publish the package to npmjs (MCP Registry validates that the +# referenced npm version exists, so this must run first). +# 2. mcp — sync server.json to the tag version, authenticate via GitHub +# OIDC, and publish the server entry to the MCP Registry. on: push: tags: - 'v*' + workflow_dispatch: {} permissions: contents: read - id-token: write + id-token: write # npm provenance + mcp-publisher github-oidc jobs: - publish: + npm: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Node + uses: actions/setup-node@v4 + with: + node-version: 22 + registry-url: 'https://registry.npmjs.org' + + - name: Install deps + run: npm ci + + - name: Verify tag matches package.json version + run: | + PKG="$(node -p "require('./package.json').version")" + TAG="${GITHUB_REF_NAME#v}" + if [ "$PKG" != "$TAG" ]; then + echo "::error::tag v$TAG does not match package.json version $PKG" + exit 1 + fi + + - name: Publish to npm + run: npm publish --access public + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + + mcp: + needs: npm runs-on: ubuntu-latest steps: - name: Checkout @@ -21,5 +57,13 @@ jobs: curl -sL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" | tar xz mcp-publisher sudo mv mcp-publisher /usr/local/bin/ + - name: Sync server.json version to tag + run: | + VERSION="${GITHUB_REF_NAME#v}" + node -e "const fs=require('fs');const p='server.json';const j=JSON.parse(fs.readFileSync(p,'utf8'));j.version='$VERSION';if(Array.isArray(j.packages))for(const x of j.packages)x.version='$VERSION';fs.writeFileSync(p,JSON.stringify(j,null,2)+'\n');" + + - name: Login to MCP Registry (GitHub OIDC) + run: mcp-publisher login github-oidc + - name: Publish to MCP Registry - run: mcp-publisher publish --github-oidc + run: mcp-publisher publish 
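Review bot: The comment on `id-token: write` says the permission covers npm provenance, but the `Publish to npm` step runs `npm publish --access public` without `--provenance`. Unless provenance is enabled through `publishConfig` in package.json (not visible here), the `npm` job holds an OIDC permission it never uses. Because `permissions:` is declared at workflow level, every step in that job can request an ID token, including any dependency install scripts run by `npm ci`. Either publish with `npm publish --provenance --access public`, or move `id-token: write` down to the `mcp` job, and consider `npm ci --ignore-scripts` in a job that publishes. The `uses:` lines also pin actions by the mutable `@v4` tag rather than a full commit SHA.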
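Review bot: The new `mcp-publisher login github-oidc` step hands the job's OIDC identity to a binary that the context lines fetch from `releases/latest` and pipe straight into `tar`, with no version pin and no integrity check. The download step's `- name:` and `run:` lines are outside this hunk. Pin the URL to a specific release tag, save the archive to a file, and verify a recorded digest before `sudo mv`, e.g. `echo "<EXPECTED_SHA256>  mcp-publisher.tar.gz" | sha256sum -c -`. Separately, `'$VERSION'` is spliced from the tag name into the `node -e` source, and ref names can contain quote characters, so reading it from `process.env.VERSION` would be safer; patch 2/2 removes this interpolation. The same download lines reappear as context in the `@@ -57,10 +58,9 @@` hunk of patch 2/2.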
diff --git a/server.json b/server.json index 6ef69c0..4f32b19 100644 --- a/server.json +++ b/server.json @@ -6,12 +6,12 @@ "url": "https://github.com/Digital-Threads/token-pilot", "source": "github" }, - "version": "0.19.2", + "version": "0.45.1", "packages": [ { "registryType": "npm", "identifier": "token-pilot", - "version": "0.19.2", + "version": "0.45.1", "transport": { "type": "stdio" }, From 08d56c27d251647dc9f687ec380c3532616eb33c Mon Sep 17 00:00:00 2001 From: shahinyanm Date: Thu, 11 Jun 2026 21:32:10 +0400 Subject: [PATCH 2/2] ci: source publish version from package.json (fixes workflow_dispatch) --- .github/workflows/publish-mcp.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish-mcp.yml b/.github/workflows/publish-mcp.yml index c8c7cca..55d13bc 100644 --- a/.github/workflows/publish-mcp.yml +++ b/.github/workflows/publish-mcp.yml @@ -31,7 +31,8 @@ jobs: - name: Install deps run: npm ci - - name: Verify tag matches package.json version + - name: Verify tag matches package.json (tag runs only) + if: github.ref_type == 'tag' run: | PKG="$(node -p "require('./package.json').version")" TAG="${GITHUB_REF_NAME#v}" 
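Review bot: With `if: github.ref_type == 'tag'` on the verify step, a `workflow_dispatch` run started from a branch skips the only version gate and still reaches `npm publish` with `NPM_TOKEN`. Whatever `package.json` is on the selected branch is then published without any tag/version agreement check. If manual runs are only meant to re-publish a tagged release, put the condition on the job instead (`if: github.ref_type == 'tag'` under `npm:`) and dispatch the workflow against the tag ref, so that the check always runs. Otherwise, gate the publish jobs behind a protected `environment:` with required reviewers. The `npm` job's header and the rest of its steps are outside this hunk.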
@@ -57,10 +58,9 @@ jobs: curl -sL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" | tar xz mcp-publisher sudo mv mcp-publisher /usr/local/bin/ - - name: Sync server.json version to tag + - name: Sync server.json version to package.json run: | - VERSION="${GITHUB_REF_NAME#v}" - node -e "const fs=require('fs');const p='server.json';const j=JSON.parse(fs.readFileSync(p,'utf8'));j.version='$VERSION';if(Array.isArray(j.packages))for(const x of j.packages)x.version='$VERSION';fs.writeFileSync(p,JSON.stringify(j,null,2)+'\n');" + node -e "const fs=require('fs');const v=require('./package.json').version;const p='server.json';const j=JSON.parse(fs.readFileSync(p,'utf8'));j.version=v;if(Array.isArray(j.packages))for(const x of j.packages)x.version=v;fs.writeFileSync(p,JSON.stringify(j,null,2)+'\n');" - name: Login to MCP Registry (GitHub OIDC) run: mcp-publisher login github-oidc