ci(release): switch npm publishing to OIDC trusted publishing#4466
Draft
cliffhall wants to merge 1 commit into
Conversation
The NPM_TOKEN used by publish-npm is dead (npm classic-token sunset) — both June release attempts failed publishing with a disguised auth error (E404 on the publish PUT) after PyPI legs succeeded.

Each @modelcontextprotocol/* package's npm trusted publisher is being bound to this workflow (release.yml) + the release environment, so publish-npm now authenticates via OIDC instead of a token:

- add id-token: write permission to publish-npm (required to mint the OIDC token; contents: read added explicitly since setting permissions drops the defaults)
- upgrade the npm CLI in the publish job (trusted publishing requires npm >= 11.5.1; Node 22 bundles an older npm)
- drop NODE_AUTH_TOKEN from the publish step

Also touch each TypeScript server's README (add everything's missing License section; link each package's npm page) so scripts/release.py includes all four packages in the next npm publish matrix — they've been stranded on npm at 2026.1.26 while PyPI advanced to 2026.6.16.

See #4463 for the rollout plan.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
Summary

Phase 1 of #4463: make `release.yml`'s npm publishing work via trusted publishing (OIDC) instead of the dead `NPM_TOKEN`, and nudge all four TypeScript packages into the next release matrix.

Both June release attempts (26882432128, 27626321345) published to PyPI but failed every npm leg with a disguised auth error (`E404` on the publish PUT) — the token is expired and non-refreshable. Each `@modelcontextprotocol/*` package's npm trusted publisher is being registered against this workflow (`release.yml`) + the `release` environment, so the workflow must authenticate via OIDC.

Changes

- `.github/workflows/release.yml` (`publish-npm` job):
  - `permissions: id-token: write` (required to mint the OIDC token; `contents: read` added explicitly since setting `permissions` drops defaults)
  - drop `NODE_AUTH_TOKEN` from the publish step
- README touch in each TypeScript server so `scripts/release.py` includes all four in the next npm matrix (they're stranded on npm at `2026.1.26` while PyPI advanced to `2026.6.16`):
  - `everything`: add the License section the other three servers already have
  - `filesystem`/`memory`/`sequential-thinking`: link the package's npm page under the intro

Merging is publish-safe

Merging this PR publishes nothing. Publishing only happens when a `release`-environment deployment is approved on a `release.yml` run (cron runs queue daily but sit awaiting approval). The actual release will be dispatched deliberately once the npm trusted-publisher registrations are complete for all four packages.

If a package's trusted publisher isn't registered by then, its matrix leg fails alone (`fail-fast: false`) and catches up in a later release.

Prerequisites before dispatching the release (not part of this PR)

- Register the npm trusted publisher for `server-everything`, `server-memory`, `server-filesystem`, `server-sequential-thinking` (workflow `release.yml`, environment `release`)
- the dead `NPM_TOKEN` secret (no longer used by `publish-npm`)

Part of #4463.
🤖 Generated with Claude Code
https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
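The shape of the `publish-npm` job change described above, as an added illustration and not the PR's actual diff. The job name, `environment: release`, `fail-fast: false`, the `permissions` block, the npm-version requirement and the removal of `NODE_AUTH_TOKEN` come from the PR description; the matrix contents, the `src/<package>` working-directory layout, the `actions/checkout` and `actions/setup-node` versions and the version-check step are assumptions made for the example.

```yaml
# Added illustration (not the PR's diff). Matrix shape, package paths and
# action versions are assumptions; only the permissions, npm-version and
# token changes are taken from the PR description.

# --- BEFORE: long-lived classic token injected as NODE_AUTH_TOKEN ---------
# publish-npm:
#   runs-on: ubuntu-latest
#   environment: release
#   steps:
#     - uses: actions/checkout@v4
#     - uses: actions/setup-node@v4
#       with:
#         node-version: 22
#         registry-url: https://registry.npmjs.org
#     - run: npm ci && npm publish
#       env:
#         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # dead token -> E404 on the publish PUT

# --- AFTER: OIDC trusted publishing ---------------------------------------
publish-npm:
  runs-on: ubuntu-latest
  environment: release              # the trusted publisher is bound to workflow file + environment
  permissions:
    id-token: write                 # lets the job request a GitHub OIDC token to present to npm
    contents: read                  # re-added explicitly: setting `permissions` drops the defaults
  strategy:
    fail-fast: false                # an unregistered package fails its own leg only
    matrix:
      package: [everything, filesystem, memory, sequential-thinking]   # assumed matrix
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: 22
        registry-url: https://registry.npmjs.org   # registry config only; no token is set

    # Node 22 bundles an npm older than 11.5.1, the first release that
    # understands trusted publishing, so upgrade the CLI and verify it.
    - name: Upgrade npm and check it supports trusted publishing
      run: |
        npm install -g npm@latest
        node -e '
          const v = require("child_process").execSync("npm -v").toString().trim();
          const [a, b, c] = v.split(".").map(Number);
          const ok = a > 11 || (a === 11 && (b > 5 || (b === 5 && c >= 1)));
          if (!ok) {
            console.error(`npm ${v} is too old for trusted publishing (need >= 11.5.1)`);
            process.exit(1);
          }
          console.log(`npm ${v} ok`);
        '

    - name: Publish
      working-directory: src/${{ matrix.package }}   # assumed layout
      run: |
        npm ci
        npm publish   # no NODE_AUTH_TOKEN: npm exchanges the OIDC token for a short-lived publish credential
```

Two things to check when adapting this: `permissions` is scoped per job, so `id-token: write` has to sit on the publishing job (a top-level `permissions` block that omits it will not do), and the registration on npm's side must name exactly this workflow file and environment, since a trusted publisher registered against a different filename or environment is not matched and the publish fails in the same way the dead token did.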