ci: publish to the MCP Registry via GitHub OIDC on each release#32
Conversation
The registry authorizes io.github.block/* through the repository's own OIDC identity, so publishing runs in CI rather than from a maintainer laptop (which would require public org membership). The workflow syncs server.json to the pyproject version, waits for the release to be visible on PyPI (the registry validates the package and its mcp-name ownership marker there), then publishes. workflow_dispatch is included for the initial publish and manual re-runs. Also trims the server.json description to the registry's 100-char limit, which the first manual publish attempt surfaced. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Vignesh Narayanaswamy <Vigneshn@squareup.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 388124d085
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| release: | ||
| types: [published] |
There was a problem hiding this comment.
Serialize MCP publish after PyPI upload
When a release is published, this new workflow starts from the same release.published event as .github/workflows/release.yml, but that separate release job only uploads the distribution to PyPI at its final step. If the release job is queued behind this job or takes more than this workflow's five-minute PyPI polling window, the MCP publish fails even though the package would publish successfully shortly afterward; the MCP publish should run after the PyPI publish step/job rather than racing it from an independent workflow trigger.
Useful? React with 👍 / 👎.
Adds
.github/workflows/publish-mcp.yml: on each published release (or manual dispatch), syncsserver.jsonto the pyproject version, waits for PyPI to serve that version (the registry validates the package +mcp-namemarker there), authenticates via GitHub OIDC as this repository, and publishesio.github.block/model-ledger.OIDC is the recommended auth path and avoids requiring maintainers to hold public org membership. Also trims the
server.jsondescription to the registry's 100-char limit (surfaced by the first manual publish attempt).🤖 Generated with Claude Code