Skip to content

chore: auto-publish to MCP Registry on release#13

Merged
shenxianpeng merged 3 commits into
mainfrom
chore/update-server-json-on-release
Jul 2, 2026
Merged

chore: auto-publish to MCP Registry on release#13
shenxianpeng merged 3 commits into
mainfrom
chore/update-server-json-on-release

Conversation

@shenxianpeng

@shenxianpeng shenxianpeng commented Jul 2, 2026

Copy link
Copy Markdown
Member

Summary

Add a GitHub Actions workflow that automatically publishes the updated server.json to the official MCP Registry when a new release is published.

Changes

.github/workflows/update-server-json.yml — new workflow

Workflow steps

Step Detail
1️⃣ Extract version Strips v from the release tag (v0.1.60.1.6)
2️⃣ Set version in server.json Updates .version and .packages[0].version locally via jq
3️⃣ Install mcp-publisher Downloads the official CLI from GitHub Releases
4️⃣ Authenticate via OIDC ./mcp-publisher login github-oidcno secrets needed
5️⃣ Publish to MCP Registry ./mcp-publisher publish — submits the updated server.json

Permissions

  • contents: read — checkout only (server.json is not committed back to the repo)
  • id-token: write — required for OIDC authentication with the registry

Ownership verification

The README already contains the required mcp-name: marker for PyPI ownership verification (line 3):

mcp-name: io.github.commit-check/commit-check-mcp

Best practices followed

Based on the official MCP Registry Quickstart and GitHub Actions guide:

  • ✅ Uses mcp-publisher CLI (not raw curl)
  • ✅ Uses OIDC authentication (recommended, zero-config)
  • ✅ Updates server.json locally before publish (no unnecessary commit)
  • ✅ README already has mcp-name: ownership marker for PyPI
  • server.json schema already valid (matching "registryType": "pypi")

Relation to existing workflows

Workflow Trigger Purpose
publish.yml release published Build & publish to PyPI
update-server-json.yml release published Publish server metadata to MCP Registry

Separate concerns, separate workflows.

Summary by CodeRabbit

  • New Features
    • Added automated publishing of the server package to the MCP Registry when a release is published.
    • Added a manual trigger for the same publishing workflow when needed.
    • Release version information is now updated automatically before publication.

@github-actions github-actions Bot added the chore label Jul 2, 2026
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@shenxianpeng, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 46 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f4ba6383-da41-42f9-aad2-49f782f1cdd9

📥 Commits

Reviewing files that changed from the base of the PR and between 480d736 and b5638bf.

📒 Files selected for processing (1)
  • .github/workflows/publish-mcp-registry.yml
📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow file that publishes server.json to the MCP Registry upon release publication or manual dispatch, deriving version info, updating server.json with jq, and using mcp-publisher for OIDC-authenticated publishing.

Changes

Release Publishing Workflow

Layer / File(s) Summary
Version derivation and MCP Registry publish
.github/workflows/update-server-json.yml
New workflow triggers on release published or workflow_dispatch, derives version from release tag or git describe fallback, updates server.json version fields with jq, installs mcp-publisher, authenticates via GitHub OIDC, and publishes to the MCP Registry.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
    participant GitHubRelease as GitHub Release
    participant Workflow as CI Workflow
    participant ServerJson as server.json
    participant McpPublisher as mcp-publisher
    participant MCPRegistry as MCP Registry

    GitHubRelease->>Workflow: release published / manual dispatch
    Workflow->>Workflow: derive version from tag or git describe
    Workflow->>ServerJson: update version via jq
    Workflow->>McpPublisher: install binary
    Workflow->>McpPublisher: login github-oidc
    McpPublisher->>MCPRegistry: publish server.json
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: a new workflow that auto-publishes server.json to the MCP Registry on release.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/update-server-json-on-release

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov-commenter

codecov-commenter commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.02%. Comparing base (795fa8f) to head (b5638bf).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #13   +/-   ##
=======================================
  Coverage   66.02%   66.02%           
=======================================
  Files           2        2           
  Lines         209      209           
=======================================
  Hits          138      138           
  Misses         71       71           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@shenxianpeng shenxianpeng force-pushed the chore/update-server-json-on-release branch from fe6f6bd to 8eb05f0 Compare July 2, 2026 20:38
@shenxianpeng shenxianpeng changed the title chore: auto-update server.json version on release publish chore: auto-publish to MCP Registry on release Jul 2, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/update-server-json.yml (1)

40-42: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Unpinned "latest" binary download without checksum verification.

mcp-publisher is fetched from the latest release tag and piped straight into tar with no checksum/signature check. A future release change or compromised asset would silently affect this workflow. Consider pinning to a specific version and verifying a checksum if the registry publishes one.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-server-json.yml around lines 40 - 42, The Install
mcp-publisher step downloads an unpinned “latest” binary and extracts it without
any integrity check. Update the workflow step to use a specific mcp-publisher
release version instead of latest, and add checksum or signature verification if
the registry provides one. Keep the change localized to the Install
mcp-publisher run block in update-server-json.yml so the download is
deterministic and verifiable.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-server-json.yml:
- Around line 17-18: The checkout step in the workflow is missing two required
options: disable persisted GitHub credentials and fetch full history/tags.
Update the actions/checkout usage in the Checkout repo step to set
persist-credentials to false and fetch-depth to 0 so later git describe fallback
logic can find tags during workflow_dispatch runs and no unnecessary token is
left available.
- Around line 20-29: The version-extraction step in the workflow is
interpolating github.event.release.tag_name directly inside the shell script,
which is the template-injection issue. Update the “Extract version from release
tag” step to read the tag from an env variable instead of embedding the GitHub
expression in the run block, and keep the existing TAG/VERSION logic in that
step using the env-provided value. Use the step’s id version and the existing
tag/version output handling to preserve behavior while removing the untrusted
direct template expansion.
- Around line 31-38: The Set version in server.json step is using direct
template interpolation for steps.version.outputs.version, which triggers the
template-injection warning. Update the workflow to pass that value through env:
instead of embedding it directly in the run script, then reference the
environment variable inside the jq update in the Set version in server.json
step. Keep the change consistent with the surrounding version-handling logic in
this job.

---

Nitpick comments:
In @.github/workflows/update-server-json.yml:
- Around line 40-42: The Install mcp-publisher step downloads an unpinned
“latest” binary and extracts it without any integrity check. Update the workflow
step to use a specific mcp-publisher release version instead of latest, and add
checksum or signature verification if the registry provides one. Keep the change
localized to the Install mcp-publisher run block in update-server-json.yml so
the download is deterministic and verifiable.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6a62cbee-b5ea-4127-8048-0b94625e7deb

📥 Commits

Reviewing files that changed from the base of the PR and between 795fa8f and 480d736.

📒 Files selected for processing (1)
  • .github/workflows/update-server-json.yml

Comment on lines +17 to +18
- name: Checkout repo
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Checkout doesn't set persist-credentials: false or fetch-depth.

Two related gaps in the checkout step:

  1. This workflow never pushes back to the repo (publishing is done via mcp-publisher), so persisting the token via persist-credentials (default true) is unnecessary credential exposure — flagged by zizmor as artipacked.
  2. Default fetch-depth: 1 fetches only the triggering commit with no tags, which breaks the git describe --tags --abbrev=0 fallback used later (see lines 24-26) whenever the workflow runs via workflow_dispatch — the git command will fail on a shallow clone with no tags.
🔧 Proposed fix
       - name: Checkout repo
         uses: actions/checkout@v7
+        with:
+          fetch-depth: 0
+          persist-credentials: false

As per static analysis hints, zizmor flagged "credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false" for these lines.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout repo
uses: actions/checkout@v7
- name: Checkout repo
uses: actions/checkout@v7
with:
fetch-depth: 0
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-server-json.yml around lines 17 - 18, The checkout
step in the workflow is missing two required options: disable persisted GitHub
credentials and fetch full history/tags. Update the actions/checkout usage in
the Checkout repo step to set persist-credentials to false and fetch-depth to 0
so later git describe fallback logic can find tags during workflow_dispatch runs
and no unnecessary token is left available.

Source: Linters/SAST tools

Comment on lines +20 to +29
- name: Extract version from release tag
id: version
run: |
TAG="${{ github.event.release.tag_name }}"
if [ -z "$TAG" ]; then
TAG="$(git describe --tags --abbrev=0)"
fi
VERSION="${TAG#v}"
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Untrusted template expansion into shell (github.event.release.tag_name).

Interpolating ${{ github.event.release.tag_name }} directly into the run: script is a code-injection risk if the tag contains shell metacharacters. Pass it via env: instead.

🛡️ Proposed fix
       - name: Extract version from release tag
         id: version
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
         run: |
-          TAG="${{ github.event.release.tag_name }}"
+          TAG="$RELEASE_TAG"
           if [ -z "$TAG" ]; then
             TAG="$(git describe --tags --abbrev=0)"
           fi
           VERSION="${TAG#v}"
           echo "tag=$TAG" >> "$GITHUB_OUTPUT"
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"

As per static analysis hints, zizmor flagged "code injection via template expansion (template-injection): may expand into attacker-controllable code" at line 23.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Extract version from release tag
id: version
run: |
TAG="${{ github.event.release.tag_name }}"
if [ -z "$TAG" ]; then
TAG="$(git describe --tags --abbrev=0)"
fi
VERSION="${TAG#v}"
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Extract version from release tag
id: version
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: |
TAG="$RELEASE_TAG"
if [ -z "$TAG" ]; then
TAG="$(git describe --tags --abbrev=0)"
fi
VERSION="${TAG#v}"
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
🧰 Tools
🪛 zizmor (1.26.1)

[error] 23-23: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-server-json.yml around lines 20 - 29, The
version-extraction step in the workflow is interpolating
github.event.release.tag_name directly inside the shell script, which is the
template-injection issue. Update the “Extract version from release tag” step to
read the tag from an env variable instead of embedding the GitHub expression in
the run block, and keep the existing TAG/VERSION logic in that step using the
env-provided value. Use the step’s id version and the existing tag/version
output handling to preserve behavior while removing the untrusted direct
template expansion.

Source: Linters/SAST tools

Comment on lines +31 to +38
- name: Set version in server.json
run: |
VERSION="${{ steps.version.outputs.version }}"
echo "Setting server.json version to $VERSION"
jq --arg v "$VERSION" '.version = $v | .packages[0].version = $v' server.json > server.json.tmp
mv server.json.tmp server.json
echo "=== Updated server.json ==="
cat server.json

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Same template-injection pattern for steps.version.outputs.version.

Prefer env: over direct interpolation here as well, consistent with the fix above.

🛡️ Proposed fix
       - name: Set version in server.json
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
           echo "Setting server.json version to $VERSION"
           jq --arg v "$VERSION" '.version = $v | .packages[0].version = $v' server.json > server.json.tmp
           mv server.json.tmp server.json
           echo "=== Updated server.json ==="
           cat server.json

As per static analysis hints, zizmor flagged "code injection via template expansion (template-injection)" at line 33.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Set version in server.json
run: |
VERSION="${{ steps.version.outputs.version }}"
echo "Setting server.json version to $VERSION"
jq --arg v "$VERSION" '.version = $v | .packages[0].version = $v' server.json > server.json.tmp
mv server.json.tmp server.json
echo "=== Updated server.json ==="
cat server.json
- name: Set version in server.json
env:
VERSION: ${{ steps.version.outputs.version }}
run: |
echo "Setting server.json version to $VERSION"
jq --arg v "$VERSION" '.version = $v | .packages[0].version = $v' server.json > server.json.tmp
mv server.json.tmp server.json
echo "=== Updated server.json ==="
cat server.json
🧰 Tools
🪛 zizmor (1.26.1)

[info] 33-33: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-server-json.yml around lines 31 - 38, The Set
version in server.json step is using direct template interpolation for
steps.version.outputs.version, which triggers the template-injection warning.
Update the workflow to pass that value through env: instead of embedding it
directly in the run script, then reference the environment variable inside the
jq update in the Set version in server.json step. Keep the change consistent
with the surrounding version-handling logic in this job.

Source: Linters/SAST tools

@shenxianpeng shenxianpeng merged commit aede8c3 into main Jul 2, 2026
7 checks passed
@shenxianpeng shenxianpeng deleted the chore/update-server-json-on-release branch July 2, 2026 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants