From bee9e3e191821f43ae799e987f0a64c235fe72c7 Mon Sep 17 00:00:00 2001
From: shahinyanm
Date: Sat, 13 Jun 2026 19:58:15 +0400
Subject: [PATCH] ci: publish workflow does MCP Registry only (drop doomed npm job)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The org's npm account enforces 2FA/OTP, which a CI token can't satisfy, so the npm job failed with EOTP on every release and marked the whole Publish run red even though the MCP Registry job succeeded. npm is published manually; the CI npm job was vestigial. Remove the npm job entirely. The workflow now only publishes to the MCP Registry (sync server.json → OIDC login → publish), so the run is green when the registry publish succeeds. Run it after the manual `npm publish` (tag push or workflow_dispatch); the registry validates the npm version exists.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/publish-mcp.yml | 46 +++++++------------------------
 1 file changed, 10 insertions(+), 36 deletions(-)

diff --git a/.github/workflows/publish-mcp.yml b/.github/workflows/publish-mcp.yml
index 9cd5143..e224133 100644
--- a/.github/workflows/publish-mcp.yml
+++ b/.github/workflows/publish-mcp.yml
@@ -1,10 +1,11 @@ -name: Publish (npm + MCP Registry) - -# Fires on a version tag. Two ordered jobs: -# 1. npm — publish the package to npmjs (MCP Registry validates that the -# referenced npm version exists, so this must run first). -# 2. mcp — sync server.json to the tag version, authenticate via GitHub -# OIDC, and publish the server entry to the MCP Registry. +name: Publish (MCP Registry) + +# Publishes the server entry to the MCP Registry. npm is published manually +# (the org's npm account enforces 2FA/OTP, which a CI token can't satisfy), so +# this workflow no longer attempts npm — it only syncs server.json to the +# package version, authenticates via GitHub OIDC, and publishes to the registry. +# The registry validates that the referenced npm version already exists, so run +# this AFTER the manual `npm publish` (tag push, or workflow_dispatch). on: push: tags: @@ -13,24 +14,15 @@ on: permissions: contents: read - id-token: write # npm provenance + mcp-publisher github-oidc + id-token: write # mcp-publisher github-oidc jobs: - npm: + mcp: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v5 - - name: Setup Node - uses: actions/setup-node@v5 - with: - node-version: 22 - registry-url: 'https://registry.npmjs.org' - - - name: Install deps - run: npm ci - - name: Verify tag matches package.json (tag runs only) if: github.ref_type == 'tag' run: | 
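Review bot: With the `npm` job gone, `id-token: write` is still granted at the workflow level (the `permissions:` block near the top of the second hunk) rather than on the `mcp` job that is now its only consumer; with a single job the effect is identical, but moving `permissions:` under `mcp:` keeps the OIDC grant next to the steps that need it and will not silently extend to any job added later. In the same spirit, `uses: actions/checkout@v5` is pinned to a mutable tag; for a workflow that publishes a registry entry, pinning to a full commit SHA with the version in a trailing comment is the usual hardening, e.g. `uses: actions/checkout@<full-commit-sha>  # v5`. Both points are pre-existing rather than introduced by this commit. The `run: |` block of the "Verify tag matches package.json" step continues outside the hunk.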
@@ -41,24 +33,6 @@ jobs: exit 1 fi - - name: Publish to npm - run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - - mcp: - needs: npm - # Decoupled from npm SUCCESS — the registry publish must proceed even when - # the npm job fails (EOTP on manual-token publishes). Ordering is kept so - # npm runs first on the happy path; the MCP Registry validates the npm - # version independently, so a manual `npm publish` satisfies it. Re-run this - # job via workflow_dispatch after a manual publish to update the registry. - if: ${{ !cancelled() }} - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v5 - - name: Install mcp-publisher run: | curl -sL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" | tar xz mcp-publisher
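Review bot: The `Install mcp-publisher` step that closes the hunk fetches `releases/latest/download/mcp-publisher_linux_amd64.tar.gz` with `curl -sL` and pipes it straight into `tar`, so the binary that now performs the only publish in this workflow is neither version-pinned nor checksum-verified, and because `-f` is absent a non-2xx response body is handed to `tar` instead of failing the download itself. Consider pinning a release tag in the URL and verifying the archive before extracting: `curl -fsSL -o mcp-publisher.tar.gz "<pinned-release-url>"`, then `echo "<EXPECTED_SHA256>  mcp-publisher.tar.gz" | sha256sum -c -`, then `tar xzf mcp-publisher.tar.gz mcp-publisher`. Whether the registry project publishes checksums alongside its releases should be confirmed before adopting the verify line; the step itself is unchanged by this commit, it just became the sole publish path. The `mcp` job continues past the hunk (the server.json sync, OIDC login and publish steps named in the description are not visible here).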