Merged
13 changes: 11 additions & 2 deletions .github/actions/install-mcp-publisher/action.yml
Expand Up @@ -3,9 +3,18 @@ description: Download a pinned release of mcp-publisher from the official MCP re

inputs:
version:
description: "mcp-publisher release tag (e.g. v1.5.0). Bump when a new release is needed."
description: "mcp-publisher release tag (e.g. v1.7.6). Bump when a new release is needed."
required: false
default: v1.5.0
# v1.7.6 is required: the registry server in v1.7.6 binds GitHub OIDC
# token exchange to a per-deployment audience
# (registry PR #1229, deployed prod 2026-04-30). Older mcp-publisher
# versions send audience `mcp-registry`, which the new registry rejects
# with a 401: `invalid audience: expected
# https://registry.modelcontextprotocol.io, got [mcp-registry]`. v0.5.1
# release ran with the previous v1.5.0 pin and got bitten — PyPI
# published cleanly but the registry leg failed. v1.7.6 sends the new
# audience and authenticates against the current prod deployment.
default: v1.7.6

runs:
using: composite
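Review bot: The comment above `default: v1.7.6` states that "v1.7.6 is required", which will read as wrong as soon as the pin moves again; what the text actually establishes is a floor. Suggest wording it as a minimum (v1.7.6 or later, because older publishers send audience `mcp-registry` and the registry now expects `https://registry.modelcontextprotocol.io`) and moving the v0.5.1 release history to the CHANGELOG entry, which already carries it. The `description` says to bump "when a new release is needed", so it is also worth telling the next person in the same comment not to go below this floor. Separately, the pin visible here is a release tag only; if the download step further down does not already check the binary against a known digest, this bump is a good moment to add one, since this binary runs in the job that holds the OIDC token.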
11 changes: 6 additions & 5 deletions .github/workflows/publish.yml
Expand Up @@ -75,11 +75,12 @@ jobs:
# The match string is anchored to the upstream error constant
# `ErrInvalidVersion` in internal/database/database.go:
# "invalid version: cannot publish duplicate version"
# (verified against tag v1.5.0). The publisher surfaces this as
# part of the 400 response body from POST /v0/publish. If the
# upstream error text changes, this step will fall through to
# `exit $status` and fail loudly — preferable to silently
# swallowing a real publish error.
# (verified upstream against the currently-pinned mcp-publisher
# tag in .github/actions/install-mcp-publisher/action.yml). The
# publisher surfaces this as part of the 400 response body from
# POST /v0/publish. If the upstream error text changes, this
# step will fall through to `exit $status` and fail loudly —
# preferable to silently swallowing a real publish error.
set +e
output=$(./mcp-publisher publish 2>&1)
status=$?
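Review bot: The reworded parenthetical ("verified upstream against the currently-pinned mcp-publisher tag in .github/actions/install-mcp-publisher/action.yml") no longer records which version the match string was actually checked against, so it will keep claiming verification after every future bump whether or not anyone looked. The same comment says the string arrives in the 400 response body from POST /v0/publish, which means the text is set by whichever registry version is deployed rather than by the client pin, and this PR exists because the registry moved independently of that pin. Suggest naming the concrete tag and date of the last check (as the old "verified against tag v1.5.0" did) and saying that the string is server-side. The fall-through to `exit $status` keeps a mismatch loud, so this is a documentation accuracy point, not a behaviour change.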
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,10 @@

## Unreleased

### Fixed

- **publish.yml: bump pinned `mcp-publisher` v1.5.0 → v1.7.6 to match the new registry OIDC audience** (#79) — the v0.5.1 release ran with `mcp-publisher v1.5.0` (the pin in `.github/actions/install-mcp-publisher/action.yml`); PyPI publish succeeded but the `publish-registry` job failed at GitHub OIDC login with `invalid audience: expected https://registry.modelcontextprotocol.io, got [mcp-registry]` (HTTP 401). Root cause: the registry deployed [`modelcontextprotocol/registry#1229`](https://github.com/modelcontextprotocol/registry/pull/1229) ("auth: bind GitHub OIDC token exchange to a per-deployment audience") in `v1.7.6` on 2026-04-30 — one day before our 2026-05-01 release. v1.5.0's `login github-oidc` flow sends audience `mcp-registry`; v1.7.6's flow sends audience `https://registry.modelcontextprotocol.io`, which is what the new registry server validates against. Bumped the action's `default` from `v1.5.0` to `v1.7.6` (and added an explanatory comment so the next bump prompt has the rationale at hand). Re-running the failed `publish-registry` job on the existing v0.5.1 tag won't pick up this fix because `actions/checkout@v6` resolves to the tag's commit; the next release tag will exercise the fix end-to-end. v0.5.1 itself is on PyPI as expected and is the install path users actually hit; the missed registry entry is purely directory metadata.

## 0.5.1 (2026-05-01)

### Fixed
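Review bot: The entry title starts with "publish.yml: bump pinned `mcp-publisher`", but the pin that changes is the `default` in `.github/actions/install-mcp-publisher/action.yml`, as the body of the same entry says; the title should name that file so a reader searching the changelog for the pin finds it. The bullet also packs symptom, root cause, fix and follow-up into one very long line; splitting it into short sub-bullets would make the two audience strings (`mcp-registry` versus `https://registry.modelcontextprotocol.io`) easy to find. The entry notes that re-running the failed `publish-registry` job on the v0.5.1 tag will not pick up the fix, but leaves open whether v0.5.1 will ever get a registry entry; one sentence stating the decision (skip it, or publish it manually) would close that out.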