fix(ci): assert McpServer packageType + embedded .mcp/server.json in packed nupkg #996
Merged
…packed nupkg

The "Verify package contents" step only size-checked the .nupkg, so a csproj regression dropping <PackageType>McpServer</PackageType> or the .mcp/server.json embed would still pass on green CI and ship a tool-only package — silently delisting the package from the NuGet MCP gallery.

Unzip the packed .nupkg (it is a ZIP), read the embedded .nuspec, and fail closed unless it contains <packageType name="McpServer" /> AND the archive holds a .mcp/server.json entry. The archive handle is disposed in a finally. Additive to the existing size-check; the workflow is otherwise unchanged.

Verified locally (publish-nuget.yml does not run on PRs): a clean build+pack passes both assertions; deleting either csproj line and re-packing makes the step throw (red), then reverted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Code-quality review nit: the StreamReader on the nuspec entry used a bare Dispose() outside try/finally — a throw from ReadToEnd() would leak it (bounded by CI process exit, but tighten it). Wrap the read in try/finally.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

…fragment

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Closes backlog row publish-nuget-verify-package-types (Medium, top-n-remediation).

Problem

publish-nuget.yml's "Verify package contents" step only size-checked the .nupkg. A csproj regression dropping <PackageType>McpServer</PackageType> or the .mcp/server.json <None Include> embed would ship a tool-only package on green CI — silently delisting from the NuGet MCP gallery. eng/verify-version-drift.ps1 guards the manifest version but not its presence/type in the package.

Fix

Extend the verify step (additive) to open the .nupkg as a ZIP and assert: <packageType name="McpServer" />, and .mcp/server.json exists. throw (fail the run) on either miss. ZipArchive disposed in try/finally; the nuspec StreamReader reads inside its own try/finally.

Validation

publish-nuget.yml only runs on release/dispatch, so the PR's CI does not exercise it — proven locally instead:
Darylmcd.RoslynMcp.2.3.5.nupkg); assertions found <packageType name="McpServer" /> (verbatim packed shape) + the .mcp/server.json entry → exit 0.
missing <packageType name=McpServer> / missing .mcp/server.json embed); csproj reverted afterward (unmodified in this diff).

Scope: 1 workflow file (size S). Spec-compliance PASS; code-quality PASS (low disposal nit fixed in-PR).
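The fail-closed check described above, as a stand-alone PowerShell function. This is an added example, not the workflow step from this PR; it assumes the step runs in PowerShell, and the function names and the three sample packages are constructed. It goes one step beyond the description by parsing the nuspec as XML rather than matching the literal element text.

```powershell
# Added example: function names and sample packages are constructed, not the repo's workflow step.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Assert-McpServerPackage([string]$NupkgPath) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $NupkgPath).ProviderPath)
    try {
        # Normalise separators so an entry written with '\' still matches.
        $names = @($zip.Entries | ForEach-Object { $_.FullName.Replace('\', '/') })
        $nuspec = $zip.Entries |
            Where-Object { $_.FullName -notmatch '[\\/]' -and $_.FullName -like '*.nuspec' } |
            Select-Object -First 1
        if (-not $nuspec) { throw 'missing .nuspec at archive root' }
        $doc = New-Object System.Xml.XmlDocument
        $doc.XmlResolver = $null   # never resolve external entities from package content
        $reader = New-Object System.IO.StreamReader($nuspec.Open())
        try { $doc.LoadXml($reader.ReadToEnd()) } finally { $reader.Dispose() }
        # Parsed lookup: a commented-out element or different attribute spacing
        # cannot satisfy or defeat the check. -notcontains is case-insensitive.
        $types = @($doc.SelectNodes("//*[local-name()='packageType']") |
            ForEach-Object { $_.GetAttribute('name') })
        if ($types -notcontains 'McpServer') { throw 'missing <packageType name=McpServer>' }
        if ($names -notcontains '.mcp/server.json') { throw 'missing .mcp/server.json embed' }
    }
    finally { $zip.Dispose() }
}

# Builds a minimal constructed .nupkg (a ZIP) for exercising the check offline.
function New-SampleNupkg([string]$Path, [string]$Nuspec, [bool]$WithManifest) {
    $zip = [System.IO.Compression.ZipFile]::Open($Path, 'Create')
    try {
        $entries = @{ 'Sample.nuspec' = $Nuspec }
        if ($WithManifest) { $entries['.mcp/server.json'] = '{}' }
        foreach ($e in $entries.GetEnumerator()) {
            $w = New-Object System.IO.StreamWriter($zip.CreateEntry($e.Key).Open())
            try { $w.Write($e.Value) } finally { $w.Dispose() }
        }
    }
    finally { $zip.Dispose() }
}

$typed = '<package><metadata><packageTypes><packageType name="McpServer" /></packageTypes></metadata></package>'
$plain = '<package><metadata><id>Sample</id></metadata></package>'
$dir = (New-Item -ItemType Directory -Path (Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid()))).FullName
New-SampleNupkg (Join-Path $dir 'ok.nupkg') $typed $true
New-SampleNupkg (Join-Path $dir 'tool-only.nupkg') $plain $true
New-SampleNupkg (Join-Path $dir 'no-manifest.nupkg') $typed $false
foreach ($p in Get-ChildItem $dir -Filter *.nupkg) {
    try { Assert-McpServerPackage $p.FullName; "$($p.Name): ok" }
    catch { "$($p.Name): FAIL - $($_.Exception.Message)" }
}
```

In a workflow step the `try`/`catch` around the call would be dropped so that the `throw` fails the run.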