Restore OIDC prompt=none silent SSO with login_required fallback (#58) #31
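name: Release

on:
  push:
    tags:
      - 'v*'

# Drop every default token permission; the release job re-grants only what it needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write # GoReleaser release creation and `gh release upload`
      packages: write # Docker login / push to ghcr.io
      id-token: write # Required for keyless signing with Cosign and the mcp-publisher OIDC login
      attestations: write # Required for GitHub attestations
    defaults:
      run:
        # An explicit `bash` runs as `bash --noprofile --norc -eo pipefail`; the implicit
        # default is `bash -e` only, so a failing `sha256sum | cut` or `curl | tar` in the
        # steps below would otherwise be masked by the successful right-hand command.
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # Full history and tags for GoReleaser

      - name: Set up Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: go.mod
          cache: true

      - name: Verify and prepare Go modules
        run: |
          go mod download
          go mod verify

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Login to GitHub Container Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@62ad5284b8ced813296287a0b63906cb364b73ee # v0.22.0

      - name: Verify Homebrew tap token
        env:
          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
        run: |
          # Fail fast before GoReleaser runs: a missing or under-scoped token would
          # otherwise only surface partway through the release.
          if [ -z "$HOMEBREW_TAP_TOKEN" ]; then
            echo "ERROR: HOMEBREW_TAP_TOKEN secret is not set!"
            exit 1
          fi
          echo "Token is set (length: ${#HOMEBREW_TAP_TOKEN} chars)"
          # Test API access to homebrew-tap (only the status code is logged, never the token)
          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
            -H "Authorization: Bearer $HOMEBREW_TAP_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/txn2/homebrew-tap")
          echo "API response code: $HTTP_CODE"
          if [ "$HTTP_CODE" != "200" ]; then
            echo "ERROR: Token cannot access txn2/homebrew-tap (HTTP $HTTP_CODE)"
            exit 1
          fi
          echo "Token verified - can access homebrew-tap"

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          distribution: goreleaser
          version: "~> v2.13"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}

      - name: Build MCPB bundles
        run: |
          # Extract version from tag (remove 'v' prefix)
          VERSION="${GITHUB_REF_NAME#v}"
          ./mcpb/build.sh "$VERSION" --use-dist

      - name: Sign MCPB bundles with Cosign
        run: |
          # --yes skips the interactive consent prompt; the Sigstore bundle is written
          # next to each artifact so it can be uploaded and verified alongside it.
          for mcpb in dist/mcpb/*.mcpb; do
            echo "Signing $mcpb..."
            cosign sign-blob --yes \
              --bundle="${mcpb}.sigstore.json" \
              "$mcpb"
          done

      - name: Upload MCPB bundles to release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Upload each .mcpb file and its signature to the release
          for mcpb in dist/mcpb/*.mcpb; do
            echo "Uploading $mcpb..."
            gh release upload "$GITHUB_REF_NAME" "$mcpb" --clobber
            gh release upload "$GITHUB_REF_NAME" "${mcpb}.sigstore.json" --clobber
          done

      - name: Install mcp-publisher
        env:
          # TODO(review): every other tool in this job is pinned to a commit SHA, but this
          # fetches the mutable "latest" release and executes it unverified in a job that
          # holds id-token/contents write. Pin a release tag here and verify its published
          # checksum before extracting.
          MCP_PUBLISHER_URL: "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz"
        run: |
          # -f turns an HTTP error into a non-zero curl exit so pipefail aborts the step
          # instead of handing an error page to tar.
          curl -fsSL "$MCP_PUBLISHER_URL" | tar xz
          sudo mv mcp-publisher /usr/local/bin/

      - name: Prepare server.json for MCP Registry
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          BUNDLE_PREFIX="dist/mcpb/mcp-data-platform_${VERSION}"
          # SHA-256 of each MCPB bundle (underscore naming convention). With pipefail a
          # missing bundle aborts here instead of writing an empty hash into server.json.
          SHA_DARWIN_ARM64=$(sha256sum "${BUNDLE_PREFIX}_darwin_arm64.mcpb" | cut -d' ' -f1)
          SHA_DARWIN_AMD64=$(sha256sum "${BUNDLE_PREFIX}_darwin_amd64.mcpb" | cut -d' ' -f1)
          SHA_WINDOWS_AMD64=$(sha256sum "${BUNDLE_PREFIX}_windows_amd64.mcpb" | cut -d' ' -f1)
          # Replace the 0.0.0 version placeholder everywhere (dots escaped so the pattern is
          # literal). This single pass also rewrites the bundle file names, which embed the
          # version, so no per-file substitution is needed afterwards.
          sed -i "s/0\.0\.0/${VERSION}/g" server.json
          # Replace placeholder hashes (in order: arm64, amd64, windows)
          sed -i "0,/PLACEHOLDER_SHA256/{s/PLACEHOLDER_SHA256/${SHA_DARWIN_ARM64}/}" server.json
          sed -i "0,/PLACEHOLDER_SHA256/{s/PLACEHOLDER_SHA256/${SHA_DARWIN_AMD64}/}" server.json
          sed -i "0,/PLACEHOLDER_SHA256/{s/PLACEHOLDER_SHA256/${SHA_WINDOWS_AMD64}/}" server.json
          # Guard against server.json gaining a fourth placeholder that the three seds above miss.
          if grep -q PLACEHOLDER_SHA256 server.json; then
            echo "ERROR: unreplaced PLACEHOLDER_SHA256 remains in server.json"
            exit 1
          fi
          echo "Updated server.json:"
          cat server.json

      - name: Publish to MCP Registry
        # NOTE: this masks every failure of the step (OIDC login, network, registry
        # rejection), not only the "version already exists" case it is meant to tolerate.
        continue-on-error: true # Don't fail if version already exists
        run: |
          # Login using GitHub OIDC (id-token: write permission required)
          mcp-publisher login github-oidc
          # Publish the server to the MCP registry
          mcp-publisher publish

# NOTE: SLSA provenance job removed due to false positive "private repository" detection
# See: https://github.com/slsa-framework/slsa-github-generator/issues
# The workflow incorrectly detects public repos as private and halts.
# Re-add when the upstream bug is fixed.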