
docs: add optional hardening example for downstream servers #771

Open
aak204 wants to merge 2 commits into mark3labs:main from aak204:codex/add-optional-hardening-docs


aak204 commented Mar 30, 2026

Description

This docs-only PR adds a small optional CI hardening example for downstream MCP servers built with mcp-go.

Fixes #<issue_number> (if applicable)

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • MCP spec compatibility implementation
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring (no functional changes)
  • Performance improvement
  • Tests only (no functional changes)
  • Other (please describe):

Checklist

  • My code follows the code style of this project
  • I have performed a self-review of my own code
  • I have added tests that prove my fix is effective or that my feature works
  • I have updated the documentation accordingly

Additional Information

  • optional example for downstream repos only
  • does not modify this repository's workflows or code
  • the action reference is pinned to an immutable commit SHA
  • tests are not applicable because this change only updates the README
  • example tool: https://github.com/aak204/MCP-Trust-Kit

Summary by CodeRabbit

  • Documentation
    • Added optional CI hardening guidance for downstream servers using a manually-triggered GitHub Actions workflow.
    • Included a sample workflow snippet showing how to run security checks and generate SARIF output that downstream repositories can upload via existing code scanning.


coderabbitai bot commented Mar 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3daf1439-b044-42bb-8c8f-df8b85b30658

📥 Commits

Reviewing files that changed from the base of the PR and between 5950c7e and 73e0dd0.

📒 Files selected for processing (1)
  • README.md
✅ Files skipped from review due to trivial changes (1)
  • README.md

Walkthrough

Added a new README section "Optional CI hardening for downstream servers" that provides a manually-triggered GitHub Actions workflow snippet to run the MCP Trust Kit against an mcp-go server and emit SARIF output for code scanning.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Documentation: README.md | Added "Optional CI hardening for downstream servers" section with a workflow_dispatch GitHub Actions snippet that checks out the repo, sets up Go from go.mod, runs aak204/MCP-Trust-Kit against go run ./cmd/your-server, and writes SARIF to mcp-trust.sarif. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

documentation

Suggested reviewers

  • robert-jackson-glean
  • alexandear
  • ezynda3
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding an optional hardening example for downstream servers in documentation. |
| Description check | ✅ Passed | The description follows the template structure, correctly identifies the change type as documentation update, completes all applicable checklist items, and provides relevant additional context. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@aak204 aak204 marked this pull request as ready for review March 30, 2026 14:39

coderabbitai bot left a comment


🧹 Nitpick comments (1)
README.md (1)

664-669: Pin third-party actions to immutable commit SHAs in this hardening example.

For a hardening-focused snippet, Line 668 should use a full commit SHA instead of the mutable tag (@v0.4.0) to prevent supply-chain drift. GitHub's official security guidance recommends full-length commit SHAs as the only immutable reference method for actions.

Suggested fix
-      - uses: aak204/MCP-Trust-Kit@v0.4.0
+      - uses: aak204/MCP-Trust-Kit@<full_commit_sha>
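Review bot: the replacement line `uses: aak204/MCP-Trust-Kit@<full_commit_sha>` drops the release the pin corresponds to. Keep it as a trailing comment, for example `@<full_commit_sha> # v0.4.0`, so a reader of the README can tell which version is pinned and a later bump can be compared against the tag. The `<full_commit_sha>` placeholder also has to be replaced with the full-length SHA before the snippet is committed, since downstream users will copy the line as written.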
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 664 - 669, Replace the mutable action tag
"aak204/MCP-Trust-Kit@v0.4.0" with an immutable full commit SHA; locate the
workflow step using the "uses: aak204/MCP-Trust-Kit@v0.4.0" entry and update it
to "uses: aak204/MCP-Trust-Kit@<full-commit-sha>" (obtain the full commit SHA
from the action repository) so the action reference is pinned to a specific
immutable commit.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 13e5ae11-ef2c-4665-aa9b-d8349f1fa0b8

📥 Commits

Reviewing files that changed from the base of the PR and between 4713d74 and 5950c7e.

📒 Files selected for processing (1)
  • README.md
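
A check for the pinning rule raised in the review above, as an added example that is not part of this PR or of either project: it scans workflow text for `uses:` references that are not a full 40-character commit SHA. The sample workflow, its action versions, the `example-org` action and the SHA are constructed for illustration.

```python
import re

# Constructed sample, loosely modelled on the workflow the PR describes.
# The versions and the 40-character SHA are made up, not taken from the PR.
SAMPLE_WORKFLOW = """\
name: mcp-trust
on: workflow_dispatch
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
        with:
          go-version-file: go.mod
      - uses: aak204/MCP-Trust-Kit@v0.4.0
      - uses: ./.github/actions/local-step
      - uses: example-org/example-action@abc1234
"""

# Matches step-level and job-level `uses:` keys, quoted or not,
# and stops before any trailing `# comment`.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text):
    """Return (line_number, reference, reason) for each mutable `uses:` ref."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions ship with the repository itself; docker:// images
        # are pinned by digest, which is a separate check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.partition("@")
        if not sep:
            findings.append((lineno, ref, "missing ref"))
        elif not FULL_SHA_RE.match(version):
            # Tags, branches and abbreviated SHAs can all be re-pointed.
            findings.append((lineno, ref, "not a full commit SHA"))
    return findings


if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({reason})")
```
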
