ci(mcp-registry): auto-publish to the official MCP Registry via GitHub OIDC

[johnxie]

"Set once, never touch again" — registers io.github.taskade/mcp-server in the official MCP Registry automatically, with no secrets (GitHub OIDC).

Why

The MCP Registry is the canonical index other directories sync from (PulseMCP flips its temporary mirror to the real entry; Glama / mcp.so refresh). Today Taskade isn't in it. This makes registration automatic and self-maintaining.

How it works

• Trigger: the @taskade/mcp-server@* tag that changesets pushes right after a successful npm publish (so the npm version always exists before we register it), plus workflow_dispatch for manual runs.
• Auth: mcp-publisher login github-oidc — OIDC, so no PAT/secret is stored. io.github.taskade/* is authorized because the workflow runs in a repo under the taskade org.
• Self-healing version: a step syncs packages/server/server.json → package.json version at publish time, so server.json can never drift out of sync with npm again (the registry rejects a version that isn't published).

Sequencing with the other PR

• chore(server): bump server.json to 0.0.3 to match published npm version #35 bumps the committed server.json to 0.0.3 (fixes the repo + enables a manual publish today).
• This PR keeps it in sync automatically on every future release.

To go live now (after merging both)

Click Actions → Publish to MCP Registry → Run workflow once to register the current 0.0.3. Every release after that publishes itself.

Verification

• ✅ permissions: id-token: write (required for OIDC), contents: read
• ✅ Decoupled — does not modify the existing release.yml pipeline or its permissions
• ✅ mcp-publisher install pinned to the official modelcontextprotocol/registry releases
• ✅ npm package already carries mcpName: io.github.taskade/mcp-server

Refs: official OIDC publishing guide — https://modelcontextprotocol.io/registry/quickstart

[changeset-bot]

⚠️ No Changeset found

Latest commit: b86213f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[Copilot]

Pull request overview

Adds a dedicated GitHub Actions workflow to publish io.github.taskade/mcp-server to the official MCP Registry using GitHub OIDC (no stored secrets), intended to run automatically on release tags and manually via workflow dispatch.

Changes:

• Introduces .github/workflows/publish-mcp-registry.yml to publish to the MCP Registry on @taskade/mcp-server@* tags or manual runs.
• Adds a step intended to keep packages/server/server.json version aligned at publish time.
• Downloads and installs mcp-publisher, authenticates via GitHub OIDC, then runs mcp-publisher publish.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[johnxie]

cc @deanzaka @lxcid — context for review 👇

Adds a decoupled workflow (.github/workflows/publish-mcp-registry.yml) that publishes io.github.taskade/mcp-server to the official MCP Registry via GitHub OIDC — no secrets. It does not touch release.yml or its permissions.

How it behaves:

• Trigger: the @taskade/mcp-server@* tag that changesets pushes right after a successful npm publish (so the npm version always exists before we register it), plus workflow_dispatch for manual runs.
• Self-healing version: a step syncs packages/server/server.json → package.json version at publish time, so server.json can never drift out of sync with npm again.
• Auth: mcp-publisher login github-oidc — authorized for io.github.taskade/* because the workflow runs under the taskade org.

Review notes: permissions: { id-token: write, contents: read }; mcp-publisher pinned to the official modelcontextprotocol/registry releases. After merging this + #35, click Run workflow once to register the current 0.0.3; every release after that self-publishes.

[johnxie]

✅ Validated → hardened → merging (supersedes #39)

This design is better than #39 (registry step inside release.yml) on every axis Copilot flagged there:

Concern (from #39 review)	This PR
id-token: write granted to the whole release job	✅ isolated in its own workflow, contents: read only
registry failure would red the npm release pipeline	✅ separate workflow — npm publish can never be blocked
no manual escape hatch	✅ workflow_dispatch for (re)publish
server.json version drift	✅ auto-synced from package.json at publish time
unpinned releases/latest download	✅ fixed here: pinned v1.7.9 + curl -fsSL + tar -xz -f - + set -euo pipefail (URL verified → 200)

QA: YAML valid; sync one-liner tested locally (server.json → 0.0.3); pinned asset resolves.

Caveat (noted, not blocking): the tag trigger assumes the release pushes @taskade/mcp-server@* tags. The current release.yml runs yarn run publish directly (not via changesets/action's publish: input), which creates tags locally but may not push them — if the tag trigger doesn't fire on the next release, the workflow_dispatch path covers it and we can add a git push --follow-tags follow-up.

Plan: merge → merge release PR #49 (npm 0.0.4) → manually dispatch this workflow → verify registry.modelcontextprotocol.io listing.