
Conversation

@GabrielDrapor (Contributor) commented Aug 18, 2025

PR Type

Other


Description

  • Update GitHub App credentials for MCPM registry bot

Diagram Walkthrough

flowchart LR
  A["Old Bot Secrets"] -- "replace with" --> B["MCPM Registry Bot Secrets"]
  B --> C["GitHub App Token Generation"]

File Walkthrough

Relevant files

Configuration changes: .github/workflows/generate-manifest.yml (+2/-2)
Update bot credentials to MCPM registry bot
  • Replace BOT_APP_ID with MCPM_REGISTRY_BOT_APP_ID
  • Replace BOT_PRIVATE_KEY with MCPM_REGISTRY_BOT_PRIVATE_KEY

Summary by CodeRabbit

  • Chores
    • Updated CI workflow to source GitHub App tokens from new registry bot secrets, aligning credentials for manifest generation.
    • Maintains existing workflow behavior and downstream steps; only the secret references changed to improve reliability and consistency.
    • No user-facing changes.

@coderabbitai bot commented Aug 18, 2025

Walkthrough

The generate-manifest workflow updates the GitHub App token step to use MCPM_REGISTRY_BOT_APP_ID and MCPM_REGISTRY_BOT_PRIVATE_KEY instead of BOT_APP_ID and BOT_PRIVATE_KEY. All steps and control flow remain unchanged; the generated token continues to be used by the subsequent checkout step.

Changes

Cohort / File(s): Workflow secret update (.github/workflows/generate-manifest.yml)
Summary: In "Generate GitHub App token", switched with.app-id and with.private-key from BOT_* to MCPM_REGISTRY_BOT_* secrets; no logic or flow changes.

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Actions (generate-manifest)
  participant App as GitHub App Auth
  participant Repo as Repository

  GH->>App: Generate token using MCPM_REGISTRY_BOT_APP_ID / _PRIVATE_KEY
  App-->>GH: Installation access token
  GH->>Repo: actions/checkout with token
  Repo-->>GH: Sources checked out

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

Review effort 2/5, Possible security concern

Poem

A key swap in the midnight run,
New secrets greet the dawning sun.
I twitch my ears—no steps askew,
The token hops from old to new.
Commits checked out, the burrow bright—
Hippity-hop, the workflow’s right. 🐇🔐

@qodo-merge-pro (Contributor)
PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Secret Names

Verify that repository/org secrets MCPM_REGISTRY_BOT_APP_ID and MCPM_REGISTRY_BOT_PRIVATE_KEY exist and are correctly scoped; otherwise the token generation step will fail at runtime.

app-id: ${{ secrets.MCPM_REGISTRY_BOT_APP_ID }}
private-key: ${{ secrets.MCPM_REGISTRY_BOT_PRIVATE_KEY }}
App Permissions

Confirm the MCPM registry GitHub App has permissions matching the workflow needs (contents: write, pull-requests: write); different app may require updating the app’s permission settings or workflow permissions.

permissions:
  contents: write
  pull-requests: write
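The first focus area above (are the two secrets actually present and well-formed?) can be enforced as a fail-fast step that runs before "Generate GitHub App token". The script below is an added example, not code from the mcpm repository or from the qodo bot. It assumes the two secrets are passed into the step as the environment variables APP_ID and APP_KEY (names chosen here), and the PEM block in it is a constructed placeholder with the shape of a GitHub App key, not a real key. The checks validate the shape of each value without ever printing it, so a misnamed, empty or mispasted secret fails the job with a ::error:: annotation instead of an opaque failure inside the token action. The second focus area (the App's installation permissions) needs an API call and is not covered here.

```sh
#!/bin/sh
# Added example (not from the mcpm repository): fail-fast preflight for the
# GitHub App credentials used by generate-manifest.yml. Intended as a step
# before "Generate GitHub App token", e.g. (step layout assumed):
#   env:
#     APP_ID:  ${{ secrets.MCPM_REGISTRY_BOT_APP_ID }}
#     APP_KEY: ${{ secrets.MCPM_REGISTRY_BOT_PRIVATE_KEY }}
#   run: sh preflight.sh
# The env names APP_ID/APP_KEY and the file name preflight.sh are assumptions.
set -eu

# Return 0 if $1 looks like a GitHub App ID: a non-empty decimal integer.
check_app_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

# Return 0 if $1 is a PEM private-key block of the kind GitHub issues for
# Apps (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY"): matching
# BEGIN/END lines around at least one base64 body line. A certificate, a
# public key, mismatched markers, or a truncated body are all rejected.
check_private_key() {
  # Drop blank lines; a trailing newline is common when a key is pasted.
  pem=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*$' || true)
  [ -n "$pem" ] || return 1
  first=$(printf '%s\n' "$pem" | head -n 1)
  last=$(printf '%s\n' "$pem" | tail -n 1)
  case "$first" in
    '-----BEGIN RSA PRIVATE KEY-----') label='RSA PRIVATE KEY' ;;
    '-----BEGIN PRIVATE KEY-----')     label='PRIVATE KEY' ;;
    *) return 1 ;;
  esac
  [ "$last" = "-----END ${label}-----" ] || return 1
  body=$(printf '%s\n' "$pem" | sed '1d;$d')
  [ -n "$body" ] || return 1
  # Any body line that is not base64 means the value was mangled or is not a key.
  if printf '%s\n' "$body" | grep -Evq '^[A-Za-z0-9+/=]+$'; then
    return 1
  fi
  return 0
}

# Check both secrets and report each problem as a GitHub Actions error
# annotation. The values themselves are never echoed: Actions masks
# secrets.* in logs, but a preflight should not depend on that.
preflight() {
  status=0
  if ! check_app_id "${APP_ID:-}"; then
    echo "::error::MCPM_REGISTRY_BOT_APP_ID is missing or not a numeric App ID"
    status=1
  fi
  if ! check_private_key "${APP_KEY:-}"; then
    echo "::error::MCPM_REGISTRY_BOT_PRIVATE_KEY is missing or not a PEM private key"
    status=1
  fi
  return $status
}

# Constructed placeholder with the shape of a GitHub App key. It is not a
# real key; the body lines are arbitrary base64 text.
SAMPLE_KEY_PEM='-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAu2w5k3VQ0Z7cQ2x1c3RlcmVkU2FtcGxlQm9keQ
AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/==
-----END RSA PRIVATE KEY-----
'

# Only run the checks when executed as the preflight script itself.
case "${0##*/}" in
  preflight.sh) preflight ;;
esac
```

Because the step exits non-zero before the token action runs, the failure points at the secret by name rather than at an authentication error deeper in the job; the same shape check catches the common mistake of pasting the App's public key or a certificate into the private-key secret.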

@qodo-merge-pro (Contributor)
CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: codex

Failed stage: Run Codex [❌]

Failure summary:

The workflow explicitly exited with code 1 because the qodo-merge-pro[bot] user does not have sufficient repository permissions.
  • The script fetched the bot's permission via gh api "/repos/${GITHUB_REPOSITORY}/collaborators/qodo-merge-pro[bot]/permission" | jq -r '.permission'.
  • It then checked: if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "write" ]]; then exit 1; fi.
  • Since the process exited with code 1, the resolved permission was neither admin nor write (likely read or none), causing the job to fail.

Relevant error logs:
1:  ##[group]Runner Image Provisioner
2:  Hosted Compute Agent
...

116:  ##[endgroup]
117:  ##[group]Run set -euo pipefail
118:  set -euo pipefail
119:  
120:  PERMISSION=$(gh api \
121:    "/repos/${GITHUB_REPOSITORY}/collaborators/qodo-merge-pro[bot]/permission" \
122:    | jq -r '.permission')
123:  
124:  if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "write" ]]; then
125:    exit 1
126:  fi
127:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
128:  env:
129:  GH_TOKEN: ***
130:  ##[endgroup]
131:  ##[error]Process completed with exit code 1.
132:  Post job cleanup.

@qodo-merge-pro (Contributor)
PR Code Suggestions ✨

Explore these optional code suggestions:

Category: General
Suggestion: Verify secrets availability and scope

Ensure the new secrets exist in the repository or organization settings and have
correct permissions for this workflow. If these are org-level secrets, verify
the workflow has access from this repo; otherwise, the token step will fail at
runtime.

.github/workflows/generate-manifest.yml [24-26]

+with:
+  app-id: ${{ secrets.MCPM_REGISTRY_BOT_APP_ID }}
+  private-key: ${{ secrets.MCPM_REGISTRY_BOT_PRIVATE_KEY }}
 
-
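Review bot: The `with:` block hands `MCPM_REGISTRY_BOT_APP_ID` and `MCPM_REGISTRY_BOT_PRIVATE_KEY` straight to the token action with no check that either secret is set, so an unset or misnamed secret is passed as an empty string and only surfaces as a failure inside that action; a preceding step that exits non-zero when `${{ secrets.MCPM_REGISTRY_BOT_APP_ID }}` is empty would make the misconfiguration obvious by name. Note also that the workflow's `permissions:` block (`contents: write`, `pull-requests: write`) scopes `GITHUB_TOKEN`, not the installation token minted here; the effective rights of this token are whatever the registry App has been granted on its installation, which is the thing to verify when the App changes.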
Suggestion importance [1-10]: 7

Why: The suggestion correctly prompts the user to verify that the new secrets (MCPM_REGISTRY_BOT_APP_ID and MCPM_REGISTRY_BOT_PRIVATE_KEY) are configured correctly, which is crucial for the workflow's successful execution.

Impact: Medium

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (4)
.github/workflows/generate-manifest.yml (4)

25-26: Switched to MCPM_REGISTRY_BOT_* secrets — looks good; verify app installation and secret presence.

The change correctly points the token generation to the registry bot secrets. Ensure:

  • The GitHub App (registry bot) is installed on this repo with contents:write and pull-requests:write.
  • The repository/org has both secrets set: MCPM_REGISTRY_BOT_APP_ID and MCPM_REGISTRY_BOT_PRIVATE_KEY.

This avoids runtime 401/403s on checkout and PR creation.

I can provide a quick checklist or a dry-run step to fail early if these secrets are missing. Want me to add that?


34-41: Upgrade setup-python and enable pip cache for faster, more reliable runs.

Move to the latest major for actions/setup-python and cache pip packages to speed up repeated runs.

Apply this diff:

-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.11'
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
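Review bot: `cache: 'pip'` derives its cache key from a dependency manifest (`requirements.txt` or `pyproject.toml`) and the action errors out when it finds none, so confirm such a file is checked in before adopting this diff, or the "faster, more reliable" change breaks the job outright. Separately, both `actions/setup-python@v4` and `@v5` are mutable tags; in a job that holds a GitHub App private key, pinning third-party actions to a full commit SHA (with the tag in a trailing comment) narrows the supply-chain exposure, and that applies equally to the token action whose secrets this PR changes.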

13-19: Add a concurrency group to prevent branch collisions on simultaneous requests.

If two events target the same repo_url concurrently, both will try to push the same branch (add-manifest-...). Use a concurrency group keyed by the target repo URL to serialize runs.

Proposed addition (at the job level):

 jobs:
   generate-manifest:
     runs-on: ubuntu-latest
+    concurrency:
+      group: generate-manifest-${{ github.event.inputs.repo_url || github.event.client_payload.repo_url }}
+      cancel-in-progress: true
     permissions:
       contents: write
       pull-requests: write
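Review bot: `cancel-in-progress: true` does not serialize the two runs the comment describes; it kills the earlier one wherever it happens to be, which can leave an already-pushed `add-manifest-...` branch with no PR opened for it. Since the goal stated above is to serialize runs per target, `cancel-in-progress: false` (queue behind the running job) is the safer setting. The fallback expression also yields the group `generate-manifest-` when neither `inputs.repo_url` nor `client_payload.repo_url` is present, which would then funnel every such run into one queue rather than one per target.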

43-49: Confirm the ANYON_API_KEY secret is available and not logged by the script.

The step relies on secrets.ANYON_API_KEY. Make sure it exists in repo/org secrets and that scripts/get_manifest.py does not echo it (directly or via verbose HTTP logging).

I can scan the repo for potential leaks (e.g., print statements, logging config) and propose guards if you’d like.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d2e10e2 and db607ff.

📒 Files selected for processing (1)
  • .github/workflows/generate-manifest.yml (1 hunks)

@GabrielDrapor GabrielDrapor merged commit e19dfff into main Aug 18, 2025
8 of 9 checks passed
@GabrielDrapor GabrielDrapor deleted the Jiarui/smart-registry-workflow branch August 18, 2025 07:51
@mcpm-semantic-release

🎉 This PR is included in version 2.7.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
