[pull] main from modelcontextprotocol:main#330
Merged
Conversation
The NPM_TOKEN used by publish-npm is dead (npm classic-token sunset) — both June release attempts failed publishing with a disguised auth error (E404 on the publish PUT) after PyPI legs succeeded. Each @modelcontextprotocol/* package's npm trusted publisher is being bound to this workflow (release.yml) + the release environment, so publish-npm now authenticates via OIDC instead of a token: - add id-token: write permission to publish-npm (required to mint the OIDC token; contents: read added explicitly since setting permissions drops the defaults) - upgrade the npm CLI in the publish job (trusted publishing requires npm >= 11.5.1; Node 22 bundles an older npm) - drop NODE_AUTH_TOKEN from the publish step Also touch each TypeScript server's README (add everything's missing License section; link each package's npm page) so scripts/release.py includes all four packages in the next npm publish matrix — they've been stranded on npm at 2026.1.26 while PyPI advanced to 2026.6.16. See #4463 for the rollout plan. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
Align with modelcontextprotocol/inspector#1199: - set NPM_CONFIG_PROVENANCE so published packages get provenance attestations - pin the npm upgrade to ^11.5.1 instead of latest Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
Gate both publish jobs on the package's test suite: npm test --if-present before the npm build/publish, and pytest (when a tests/ or test/ directory exists, matching python.yml's guard) before the PyPI build/publish. Previously nothing between tagging and publishing ran a single test. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
…ytest Review findings from the PR: - release.py's has_changes() only counted .py/.ts files, so the README touches meant to enroll the four TS packages in the npm matrix would have been ignored. Include .md — READMEs ship inside the published package (npm tarball / PyPI long_description), so doc changes are release-relevant. - uv run --frozen pytest for consistency with the job's other uv calls. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
Describes how packages publish (release.yml + release environment, trusted publishing on npm and PyPI, no registry tokens, provenance), what a release run does, and how to recover from a failed publish leg (rerun --failed within the window, or ride the next release). Linked from the root README alongside the other maintainer docs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
…anned Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
Rewrite RELEASING.md as the reference for the target process rather than a snapshot of the interim state: semver via changesets for TypeScript / CalVer for Python, versions changed only by PRs on main, publishing triggered by creating a GitHub Release, per-package registry-diff guard, OIDC trusted publishing with no registry tokens, and the failed-publish retry runbook. Implementation tracked in #4463. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
RELEASING.md documents the pipeline this PR ships (scheduled/dispatch CalVer releases, OIDC publishing, retry runbook), with a footer noting the planned Phase 2 changes tracked in #4463. The doc gets updated when that work merges, not before. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
…ims true Review findings: RELEASING.md claimed publishing happens exclusively from release.yml with no registry tokens, but typescript.yml and python.yml still carried release:[published] publish jobs — never fired (releases are created with GITHUB_TOKEN, which suppresses workflow triggers) and unable to succeed under OIDC (typescript.yml's still referenced the deleted NPM_TOKEN). Remove both jobs and their release triggers; the workflows are now pure CI. Also: - add skip-existing to the PyPI publish action so re-runs tolerate already-uploaded files, and describe the per-registry guard accurately in RELEASING.md (npm aborts; PyPI skips) - correct the fresh-dispatch note: same-day dispatches collide on the date-granular tag rather than minting a new version Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
Releases are now triggered deliberately via workflow_dispatch. The schedule produced a year of unattended runs stuck awaiting environment approval, every real release was manually dispatched anyway, and two runs on the same UTC day collide on the date-based tag. Rename the workflow to "Release" accordingly and update RELEASING.md. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
Previously push-triggered CI ran only on main, so same-repo branches got no CI until a PR was opened (fork contributions were and remain covered by pull_request, which fires on open and on every subsequent push). Run on all pushes, and add a per-ref concurrency group so rapid amend-pushes cancel superseded runs. Same-repo branches with an open PR will run under both events; acceptable at this repo's scale. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
Per-ref cancellation is for superseded branch amend-pushes; on main, every merge keeps its own CI run so failures stay attributable to a specific commit. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
ci(release): 4463 / Phase 1 - Switch npm publishing to OIDC trusted publishing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )