ci: auto-publish to MCP Registry on release via GitHub OIDC

[aliasunder]

What

Adds automated publishing to the official MCP Registry on every release, replacing the manual interactive mcp-publisher login + publish step.

A new reusable workflow publish-registry.yml (workflow_call) runs mcp-publisher publish authenticated with GitHub OIDC, and is invoked by both release paths (auto_release.yml and manual_release.yml) as a publish-registry job that runs after deploy (so the GHCR image referenced in server.json already exists).

Why

Registry publishing was a manual local step, so it got skipped — the live registry entry is stale at v0.15.4 while server.json is at 0.15.9. This keeps the registry in sync with every release automatically. The next release will close the staleness gap in one shot.

How it works

• GitHub OIDC, no secrets. The registry authorizes the io.github.<owner>/* namespace from the OIDC token's repo owner. Since the repo is aliasunder/vault-cortex and the server is io.github.aliasunder/vault-cortex, publishing is authorized with zero secrets — nothing to rotate. (A fork publishing under its own io.github.<user>/... works out of the box too.)
• Correct version, always. The job checks out v${version} — the bumped commit is tagged before deploy/publish run in both paths (auto_release is triggered by the tag; manual_release pushes the tag in bump-and-tag), so the version-matched server.json is what gets published.
• Guard. Fails loudly if server.json .version ≠ the release version, catching any stale-checkout drift before it reaches the registry.
• Pinned tooling. mcp-publisher pinned to v1.2.3 (matching the repo's gitleaks-pinning convention).

Changes

• New: .github/workflows/publish-registry.yml
• Edit: auto_release.yml, manual_release.yml — add the publish-registry job
• Edit: DEPLOY.md — document the auto-publish path + no-secret OIDC

No src changes, no server.json changes, no new secrets, no test impact.

Verification

• Confirmed the CLI flow first-hand against the pinned binary: mcp-publisher login github-oidc is the OIDC auth method; publish reads server.json from cwd.
• Version guard tested both ways against the real server.json (passes at 0.15.9, rejects a mismatch).
• All three workflow files parse; prettier clean.
• End-to-end validation is the next release itself — the publish-registry job will OIDC-auth and publish, surfacing the current version on the live registry.

---

Generated by Claude Code

Summary by CodeRabbit

• Chores

  • Enhanced release pipeline with automated publishing to MCP Registry for all releases.
  • Both automated and manual release workflows now include registry publication as a final step.

• Documentation

  • Updated CI/CD deployment guide to reflect new registry publishing workflow.

[coderabbitai]

Warning

Review limit reached

@aliasunder, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 36 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 76a91e64-09cf-4f4e-ac57-08740aca210d

📥 Commits

Reviewing files that changed from the base of the PR and between 64fb242 and 7ed671c.

📒 Files selected for processing (1)

• .github/workflows/publish-registry.yml

📝 Walkthrough

Walkthrough

This PR introduces automated publishing to the MCP Registry by adding a new reusable publish-registry.yml workflow and integrating it into both release paths. The workflow validates versioning, downloads the mcp-publisher tool, authenticates via GitHub OIDC, and publishes to the registry. Both auto_release.yml and manual_release.yml are updated to invoke this workflow after deployment.

Changes

MCP Registry Publishing Integration

Layer / File(s)	Summary
New publish-registry workflow definition .github/workflows/publish-registry.yml	Defines a reusable workflow with a required version input, GitHub OIDC and read permissions, pins mcp-publisher version, and implements a publish job that checks out the release tag, validates server.json, downloads the binary, authenticates via OIDC, and publishes to MCP Registry.
Integration into release pipelines .github/workflows/auto_release.yml, .github/workflows/manual_release.yml	Both workflows add a publish-registry job that depends on deployment completion and calls the new reusable workflow with the computed release version.
Deployment documentation updates DEPLOY.md	CI/CD section updated to describe the new publishing step in the workflows table, add a publish-registry.yml row, and clarify that MCP Registry publishing is automatic for both release paths.

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 A registry awaits, the rabbit hops fast,
With OIDC keys and binaries amassed,
Two pipelines now sing in chorus so bright,
Publishing treasures from morning to night! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly reflects the main change: introducing automated publishing to the MCP Registry on release using GitHub OIDC, which is the core feature added across multiple workflow files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/vault-bootstrap-setup-YNklM

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/publish-registry.yml (1)

47-48: ⚡ Quick win

Add a timeout to the publish step.

Without a timeout, if mcp-publisher publish hangs (network issues, API errors), the workflow will run until the job-level timeout (default 360 minutes). Adding a step-level timeout improves resilience.

⏱️ Proposed fix

       - name: Publish to MCP Registry
+        timeout-minutes: 5
         run: ./mcp-publisher publish

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-registry.yml around lines 47 - 48, The "Publish to
MCP Registry" step currently runs "./mcp-publisher publish" with no step-level
timeout; add a step-level timeout by adding the GitHub Actions step property
`timeout-minutes` to the step named "Publish to MCP Registry" (the step that
runs `./mcp-publisher publish`) with an appropriate value (e.g. 10–30 minutes)
so the workflow fails the step if the command hangs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish-registry.yml:
- Around line 23-29: Add the security hardening to the actions/checkout step by
setting persist-credentials: false on the existing actions/checkout@v6
invocation (the block containing ref: v${{ inputs.version }}), so the checkout
does not persist the GITHUB_TOKEN to the working directory; update the checkout
step configuration to include that option alongside the existing ref setting.

---

Nitpick comments:
In @.github/workflows/publish-registry.yml:
- Around line 47-48: The "Publish to MCP Registry" step currently runs
"./mcp-publisher publish" with no step-level timeout; add a step-level timeout
by adding the GitHub Actions step property `timeout-minutes` to the step named
"Publish to MCP Registry" (the step that runs `./mcp-publisher publish`) with an
appropriate value (e.g. 10–30 minutes) so the workflow fails the step if the
command hangs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ee259808-57dd-454b-9479-6a9ab67ff52b

📥 Commits

Reviewing files that changed from the base of the PR and between 12ca8dd and 64fb242.

📒 Files selected for processing (4)

• .github/workflows/auto_release.yml
• .github/workflows/manual_release.yml
• .github/workflows/publish-registry.yml
• DEPLOY.md