From 22f7d6447a7adcc478f3e90dae22d32b7108c341 Mon Sep 17 00:00:00 2001
From: Peter van Liesdonk
Date: Sun, 3 May 2026 13:57:43 +0200
Subject: [PATCH] fix(release): bump mcp-publisher to v1.7.6 for new OIDC audience
The MCP Registry tightened OIDC token-exchange audience validation in modelcontextprotocol/registry#1229 (merged 2026-04-30): production now expects audience `https://registry.modelcontextprotocol.io`. Publisher v1.5.0 still requests `mcp-registry` and fails with HTTP 401. v1.7.x is the first publisher release that requests the per-deployment audience the registry requires. Bumping pin + SHA-256.
Closes #101
---
 .github/workflows/release.yml.jinja | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml.jinja b/.github/workflows/release.yml.jinja
index 1af9fe6..7beaeef 100644
--- a/.github/workflows/release.yml.jinja
+++ b/.github/workflows/release.yml.jinja
@@ -405,8 +405,13 @@ jobs:
 - name: Install mcp-publisher
 env:
- MCP_PUBLISHER_VERSION: v1.5.0
- MCP_PUBLISHER_SHA256: 79bbb73ba048c5906034f73ef6286d7763bd53cf368ea0b358fc593ed360cbd5
+ # v1.7.x is the first that requests the per-deployment OIDC audience
+ # the registry now requires (PR modelcontextprotocol/registry#1229,
+ # merged 2026-04-30 — production registry expects audience
+ # `https://registry.modelcontextprotocol.io`; v1.5.0 still requests
+ # `mcp-registry` and fails token exchange with HTTP 401).
+ MCP_PUBLISHER_VERSION: v1.7.6
+ MCP_PUBLISHER_SHA256: bcc96ca630cae4cf503b4550bd4a17462d42ad4819273bee56f4385bb059ddee
 run: |
 curl -sL "https://github.com/modelcontextprotocol/registry/releases/download/${MCP_PUBLISHER_VERSION}/mcp-publisher_linux_amd64.tar.gz" -o mcp-publisher.tar.gz
 echo "${MCP_PUBLISHER_SHA256} mcp-publisher.tar.gz" | sha256sum -c
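Review bot: The new `MCP_PUBLISHER_SHA256` value is the only integrity control on a binary that, per the commit message, performs the registry's OIDC token exchange, yet neither the added comment nor the commit message records where the digest came from. I would add one line above it, e.g. `# sha256 of mcp-publisher_linux_amd64.tar.gz for v1.7.6; source: <how the digest was obtained>`, so the next bump can be checked against the same source instead of against whatever the download returns that day. The unchanged `curl -sL` has no `--fail`, so an HTTP error surfaces only as a checksum mismatch; that still fails closed, but `curl -fsSL` would make the cause visible in the log. The `run:` block continues past the end of the hunk, so what happens after `sha256sum -c` is not visible here.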