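# Release workflow: builds and publishes binaries, container images, MCPB
# bundles and the MCP Registry entry when a `v*` tag is pushed.
name: Release

on:
  push:
    tags:
      - 'v*'

# Restrict default token permissions; each job declares what it needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
      id-token: write  # Required for keyless signing with Cosign
      # NOTE(review): no attestation step is visible in this file; confirm the
      # GoReleaser config uses it, otherwise drop it (least privilege).
      attestations: write  # Required for GitHub attestations
    defaults:
      run:
        # An explicit bash shell runs with `-e -o pipefail`, so a failing
        # producer in a pipeline (e.g. the `curl | tar` below) fails the step
        # instead of being masked by a succeeding consumer.
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history/tags; presumably needed by GoReleaser for changelog
          # generation — confirm against .goreleaser.yaml.
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          cache: true

      # `go mod verify` checks downloaded modules against go.sum before anything
      # is built from them.
      - name: Verify and prepare Go modules
        run: |
          go mod download
          go mod verify

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      # Pushes to ghcr.io use the job's own GITHUB_TOKEN (packages: write).
      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0

      # Fail fast before the release is created: a missing or unauthorized
      # tap token would otherwise surface only after artifacts are published.
      - name: Verify Homebrew tap token
        env:
          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
        run: |
          if [ -z "$HOMEBREW_TAP_TOKEN" ]; then
            echo "ERROR: HOMEBREW_TAP_TOKEN secret is not set!"
            exit 1
          fi
          echo "Token is set (length: ${#HOMEBREW_TAP_TOKEN} chars)"
          # Only the HTTP status is captured; the response body is discarded so
          # nothing from the API ends up in the log.
          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
            -H "Authorization: Bearer $HOMEBREW_TAP_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/txn2/homebrew-tap")
          echo "API response code: $HTTP_CODE"
          if [ "$HTTP_CODE" != "200" ]; then
            echo "ERROR: Token cannot access txn2/homebrew-tap (HTTP $HTTP_CODE)"
            exit 1
          fi
          echo "Token verified - can access homebrew-tap"

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
        with:
          distribution: goreleaser
          version: "~> v2.13"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Separate token for pushing the formula to the tap repository
          # (the env name GoReleaser reads — confirm against .goreleaser.yaml).
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}

      - name: Build MCPB bundles
        run: |
          # Extract version from tag (remove 'v' prefix)
          VERSION="${GITHUB_REF_NAME#v}"
          ./mcpb/build.sh "$VERSION" --use-dist

      # Keyless (OIDC) signatures; the Sigstore bundle is written next to each
      # .mcpb so consumers can verify it offline.
      - name: Sign MCPB bundles with Cosign
        run: |
          for mcpb in dist/mcpb/*.mcpb; do
            echo "Signing $mcpb..."
            cosign sign-blob --yes \
              --bundle="${mcpb}.sigstore.json" \
              "$mcpb"
          done

      - name: Upload MCPB bundles to release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Upload each .mcpb file and its signature to the release
          for mcpb in dist/mcpb/*.mcpb; do
            echo "Uploading $mcpb..."
            gh release upload "$GITHUB_REF_NAME" "$mcpb" --clobber
            gh release upload "$GITHUB_REF_NAME" "${mcpb}.sigstore.json" --clobber
          done

      # Presumably GoReleaser creates the release as a draft; this flips it
      # public only after every asset and signature is attached.
      - name: Publish release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release edit "$GITHUB_REF_NAME" --draft=false

      # NOTE(review): this is the only dependency in the workflow that is
      # neither pinned nor integrity-checked, and it runs in a job holding
      # id-token/contents/packages write. Pin to a release tag and verify the
      # published checksum before extracting (take the values from the upstream
      # release page; none are recorded here). `-f` makes curl fail on an HTTP
      # error instead of piping an error page into tar.
      - name: Install mcp-publisher
        run: |
          curl -fsSL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" | tar xz
          sudo mv mcp-publisher /usr/local/bin/

      - name: Prepare server.json for MCP Registry
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          # Calculate SHA-256 hashes for each MCPB bundle (using underscore naming convention)
          SHA_DARWIN_ARM64=$(sha256sum "dist/mcpb/mcp-datahub_${VERSION}_darwin_arm64.mcpb" | cut -d' ' -f1)
          SHA_DARWIN_AMD64=$(sha256sum "dist/mcpb/mcp-datahub_${VERSION}_darwin_amd64.mcpb" | cut -d' ' -f1)
          SHA_WINDOWS_AMD64=$(sha256sum "dist/mcpb/mcp-datahub_${VERSION}_windows_amd64.mcpb" | cut -d' ' -f1)
          # Update server.json with the version. Dots are escaped so only a
          # literal "0.0.0" matches; this single global substitution also
          # rewrites the bundle file names (mcp-datahub_0.0.0_<os>_<arch>.mcpb).
          sed -i "s/0\.0\.0/${VERSION}/g" server.json
          # Replace placeholder hashes (in order: arm64, amd64, windows) —
          # relies on the placeholders appearing in that order in server.json
          sed -i "0,/PLACEHOLDER_SHA256/{s/PLACEHOLDER_SHA256/${SHA_DARWIN_ARM64}/}" server.json
          sed -i "0,/PLACEHOLDER_SHA256/{s/PLACEHOLDER_SHA256/${SHA_DARWIN_AMD64}/}" server.json
          sed -i "0,/PLACEHOLDER_SHA256/{s/PLACEHOLDER_SHA256/${SHA_WINDOWS_AMD64}/}" server.json
          # Never publish a manifest that still carries a placeholder digest.
          if grep -q PLACEHOLDER_SHA256 server.json; then
            echo "ERROR: unreplaced PLACEHOLDER_SHA256 remains in server.json"
            exit 1
          fi
          echo "Updated server.json:"
          cat server.json

      - name: Publish to MCP Registry
        continue-on-error: true  # Don't fail if version already exists
        run: |
          # Login using GitHub OIDC (id-token: write permission required)
          mcp-publisher login github-oidc
          # Publish the server to the MCP registry
          mcp-publisher publish

# NOTE: SLSA provenance job removed due to false positive "private repository" detection
# See: https://github.com/slsa-framework/slsa-github-generator/issues
# The workflow incorrectly detects public repos as private and halts.
# Re-add when the upstream bug is fixed.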