50 changes: 50 additions & 0 deletions .github/workflows/docker-publish.yml
@@ -0,0 +1,50 @@
---
name: Build and Push Docker Image

q: should this be a workflow or an action? tbh not sure what pros and cons of each are


They both could be used for reusability. I used the workflow here only because they have better support for credentials masking. I don't have a strong feeling about it though, as I only recently found out about this and was curious to see it in action.

on:
workflow_call:
secrets:
DOCKERHUB_USERNAME:
required: true
DOCKERHUB_PASSWORD:
required: true

jobs:
build-push:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Check out code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false

- name: Get version and date
id: release-meta
run: |
VERSION=$(npm pkg get version | tr -d '"')
DATE=$(date +'%Y-%m-%d')
echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
echo "DATE=${DATE}" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435

- name: Login to Docker Hub
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
with:
username: "${{ secrets.DOCKERHUB_USERNAME }}"
password: "${{ secrets.DOCKERHUB_PASSWORD }}"

- name: Build and push image to dockerhub registry
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
with:
context: .
platforms: linux/amd64,linux/arm64
tags: ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:latest, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.release-meta.outputs.VERSION }}, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.release-meta.outputs.VERSION }}-${{ steps.release-meta.outputs.DATE }}
file: Dockerfile
push: true
provenance: mode=max
sbom: true
build-args: |
VERSION=${{ steps.release-meta.outputs.VERSION }}
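Review bot: The `tags:` input on the build-push step always includes `${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:latest`, so every invocation of this reusable workflow moves the `latest` tag, including a pre-release publish: publish.yml passes `--prerelease` when `RELEASE_CHANNEL != 'latest'`, but that channel never reaches this workflow because `workflow_call` declares no inputs. If pre-release channels are expected to go through `docker-push`, add a `release_channel` input and emit the `:latest` tag only when it equals `latest`, as sketched below (this assumes the action ignores an empty line in a multi-line `tags` list, which its list parsing appears to do — verify). A smaller point: `DATE` comes from the runner clock, so re-running the job on a later day yields a different `-<date>` tag for the same version; a comment above the `Get version and date` step stating that the date tag is run-dependent, e.g. `# DATE is the build date, not the release date: re-runs on another day produce a new -<date> tag`, would save confusion.
```yaml
on:
  workflow_call:
    inputs:
      release_channel:
        description: Caller's release channel; only "latest" moves the :latest tag
        required: false
        default: latest
        type: string
    # … unchanged: secrets …
# … unchanged: jobs.build-push steps up to the build-push-action step …
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          tags: |
            ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.release-meta.outputs.VERSION }}
            ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.release-meta.outputs.VERSION }}-${{ steps.release-meta.outputs.DATE }}
            ${{ inputs.release_channel == 'latest' && format('{0}:latest', vars.DOCKERHUB_IMAGE_REPOSITORY) || '' }}
          # … unchanged: file, push, provenance, sbom, build-args …
```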
46 changes: 19 additions & 27 deletions .github/workflows/docker.yml
Expand Up @@ -7,8 +7,21 @@ permissions:
contents: read
issues: write
jobs:
push:
docker-push:
uses: ./.github/workflows/docker-publish.yml
permissions:
contents: read
secrets:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}

handle-failure:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
needs: docker-push
if: ${{ always() && needs.docker-push.result == 'failure' }}
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
Expand All @@ -17,43 +30,22 @@ jobs:
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
- name: Login to Docker Hub
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
with:
username: "${{ secrets.DOCKERHUB_USERNAME }}"
password: "${{ secrets.DOCKERHUB_PASSWORD }}"
- name: Set date and version
id: set-properties
- name: Get version and date
id: release-meta
run: |
DATE=$(date +'%Y-%m-%d')
VERSION=$(npm pkg get version | tr -d '"')
echo "DATE=${DATE}" >> "$GITHUB_OUTPUT"
DATE=$(date +'%Y-%m-%d')
echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
- name: Build and push image to dockerhub registry
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
with:
context: .
platforms: linux/amd64,linux/arm64
tags: ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:latest, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}-${{ steps.set-properties.outputs.DATE }}
file: Dockerfile
push: true
provenance: mode=max
sbom: true
build-args: |
VERSION=${{ steps.set-properties.outputs.VERSION }}
echo "DATE=${DATE}" >> "$GITHUB_OUTPUT"
- uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
id: app-token
if: ${{ failure() }}
with:
app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
token: ${{ steps.app-token.outputs.token }}
title: Release Failure for Docker Image ${{ steps.set-properties.outputs.VERSION }}-${{ steps.set-properties.outputs.DATE }}
title: Release Failure for Docker Image ${{ steps.release-meta.outputs.VERSION }}-${{ steps.release-meta.outputs.DATE }}
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
labels: "docker, release_failure"
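Review bot: With both jobs now carrying their own `permissions` blocks (`contents: read` on `docker-push`; `contents: read` plus `issues: write` on `handle-failure`), the workflow-level `issues: write` visible in the context lines at the top of this hunk is no longer needed and would silently apply to any job added later without its own block; unless a job outside the hunk still relies on it, trimming the top-level block to `permissions:` / `  contents: read` keeps the least-privilege intent the per-job blocks express. Separately, `handle-failure` recomputes VERSION and DATE with fresh `npm pkg get version` and `date` calls rather than receiving them from the failed `docker-push` job, so the issue title can carry a different date than the image tag that actually failed if the run straddles midnight; a comment above the `Get version and date` step such as `# Recomputed here because the reusable workflow exports no outputs; DATE may differ from the tag that failed` would make that best-effort nature explicit. The `setup-bot-token@main` reference a few lines below is unchanged context, but it is now the only action in this job not pinned to a commit.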
28 changes: 28 additions & 0 deletions .github/workflows/mcp-publish.yml
@@ -0,0 +1,28 @@
---
name: Publish to MCP Registry
on:
workflow_call:
workflow_dispatch:

nit: I think you only need this on the other one

Suggested change
workflow_dispatch:


This is intentional, because we still want to be able to publish to the MCP registry manually in case the relevant parts of the publish job fail.

Also relevant for the current v1.3.0 release which was never published in MCP registry so this is expected to help with that as well.


jobs:
mcp-publish:
runs-on: ubuntu-latest
environment: Production
permissions:
id-token: write
contents: read
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v5
with:
persist-credentials: false

- name: Install MCP Publisher
run: |
curl -L "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar xz mcp-publisher
- name: Login to MCP Registry
run: ./mcp-publisher login github-oidc

- name: Publish to MCP Registry
run: ./mcp-publisher publish
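Review bot: `actions/checkout@v5` on this job is pinned only to a mutable major tag, whereas the other new workflow in this change pins the same action to a commit (`actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8`); using that SHA here keeps the supply-chain posture consistent along the release path, which matters more on a job that holds `id-token: write` in the `Production` environment. The `Install MCP Publisher` step likewise fetches `releases/latest` through `curl -L … | tar xz` with no version pin and no checksum check, so the binary that performs the OIDC login and the publish can change between runs without any change to this repository; pin a release version in the URL and, if the registry project ships a checksum file, verify it with `sha256sum -c` before extracting. Adding `--fail` to that `curl` would also turn an HTTP error page into a step failure rather than a confusing tar error, since the default `run:` shell does not appear to set `pipefail` unless `shell: bash` is given explicitly. The `GitHubSecurityLab/actions-permissions/monitor@v1` reference is tag-pinned too, but it is a read-only monitor and mirrors what docker.yml already uses, so that is lower priority.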
42 changes: 36 additions & 6 deletions .github/workflows/publish.yml
Expand Up @@ -101,12 +101,42 @@ jobs:
run: |
gh release create ${{ needs.check.outputs.VERSION }} --title "${{ needs.check.outputs.VERSION }}" --generate-notes --target ${{ github.sha }} ${{ (needs.check.outputs.RELEASE_CHANNEL != 'latest' && '--prerelease') || ''}}

- name: Install MCP Publisher
- name: Wait for package to be available on npm
run: |
curl -L "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar xz mcp-publisher
PACKAGE_NAME=$(jq -r '.name' < package.json)
VERSION="${{ needs.check.outputs.VERSION }}"
# Strip the 'v' prefix for npm
NPM_VERSION="${VERSION#v}"
MAX_ATTEMPTS=30
SLEEP_SECONDS=10

- name: Login to MCP Registry
run: ./mcp-publisher login github-oidc
echo "Waiting for ${PACKAGE_NAME}@${NPM_VERSION} to be available on npm..."

- name: Publish to MCP Registry
run: ./mcp-publisher publish
for i in $(seq 1 $MAX_ATTEMPTS); do
if npm view "${PACKAGE_NAME}@${NPM_VERSION}" version >/dev/null 2>&1; then
echo "✓ Package ${PACKAGE_NAME}@${NPM_VERSION} is now available on npm"
exit 0
fi
echo "Attempt $i/$MAX_ATTEMPTS: Package not yet available, waiting ${SLEEP_SECONDS}s..."
sleep $SLEEP_SECONDS
done

echo "::error::Package ${PACKAGE_NAME}@${NPM_VERSION} did not become available after $((MAX_ATTEMPTS * SLEEP_SECONDS)) seconds"
exit 1

docker-push:
needs: [check, publish]
uses: ./.github/workflows/docker-publish.yml
permissions:
contents: read
secrets:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}

mcp-publish:
needs: [check, docker-push]
if: needs.check.outputs.VERSION_EXISTS == 'false'
uses: ./.github/workflows/mcp-publish.yml
permissions:
id-token: write
contents: read
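Review bot: The new wait step copies a job output into the script text with `VERSION="${{ needs.check.outputs.VERSION }}"`, so the expression is expanded into the shell source before bash runs; the value is derived from this repository rather than from user input, but routing it through `env:` keeps it out of the script body and matches the usual hardening guidance for `run:` steps — add `env:` / `  VERSION: ${{ needs.check.outputs.VERSION }}` to the step and drop the assignment line, using `$VERSION` directly. The poll loop sends both stdout and stderr of `npm view` to `/dev/null`, so a registry outage or auth error is reported only as "not yet available" until the 30 × 10 s budget is spent; capturing stderr and retrying only on npm's not-found code (`E404`, inferred from npm's usual output — worth confirming) would separate "not published yet" from "cannot reach the registry". `docker-push` is gated only by `needs: [check, publish]` while `mcp-publish` additionally checks `VERSION_EXISTS == 'false'`; if the `publish` job carries that condition outside this hunk the asymmetry is harmless, otherwise `docker-push` could rebuild and re-push an already-released version.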