feat: add MCP Registry publishing step with OIDC support (#321)

subomi · claude · web-flow · commit 466a01c3da64 · 2026-03-27T19:14:06.000Z
* feat: add MCP Registry publishing step with OIDC support

Add publish-mcp-registry job to sdk-publish.yaml that runs after npm
publish. Supports three auth methods: github-oidc (recommended, tokenless),
github (PAT), and dns (private key). Job requests id-token: write
permission for OIDC. Installs mcp-publisher CLI, authenticates, and
publishes server.json to the official MCP Registry.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;

* chore: bump sdk-gen-config to v1.57.0 for MCPRegistry support

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/sdk-publish.yaml b/.github/workflows/sdk-publish.yaml
@@ -102,6 +102,9 @@ on:
       nuget_api_key:
         description: The api key for publishing to Nuget
         required: false
+      mcp_registry_token:
+        description: Authentication token for publishing to the MCP Registry. For GitHub auth, a GitHub token. For DNS auth, the Ed25519 private key.
+        required: false
     outputs:
       python_regenerated:
         description: Whether the Python SDK was regenerated
@@ -170,6 +173,8 @@ jobs:
       swift_directory: ${{ steps.release.outputs.swift_directory }}
       use_sonatype_legacy: ${{ steps.release.outputs.use_sonatype_legacy }}
       mcp_release_typescript: ${{ steps.release.outputs.mcp_release_typescript }}
+      publish_mcp_registry: ${{ steps.release.outputs.publish_mcp_registry }}
+      mcp_registry_auth: ${{ steps.release.outputs.mcp_registry_auth }}
       use_pypi_trusted_publishing: ${{ steps.release.outputs.use_pypi_trusted_publishing }}
     steps:
       - name: Checkout sdk-generation-action repository
@@ -550,6 +555,50 @@ jobs:
           GH_ACTION_VERSION: 6cd5ba5c0f635337847068ad8410ca9a8651e175
           GH_ACTION_STEP: ${{ github.job }}
           TARGET_TYPE: "mcp"
+  publish-mcp-registry:
+    if: ${{ needs.release.outputs.publish_mcp_registry == 'true' && needs.publish-npm-mcp.result == 'success' }}
+    name: Publish to MCP Registry
+    runs-on: ${{ ((startsWith(inputs.runs-on, '[') || startsWith(inputs.runs-on, '{') || startsWith(inputs.runs-on, '"')) && fromJSON(inputs.runs-on)) || inputs.runs-on }}
+    permissions:
+      id-token: write # Required for github-oidc authentication
+      contents: read
+    needs:
+      - release
+      - publish-npm-mcp
+    defaults:
+      run:
+        working-directory: ${{ needs.release.outputs.mcp_typescript_directory }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Install mcp-publisher
+        run: |
+          OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+          ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+          curl -sL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_${OS}_${ARCH}.tar.gz" | tar xz mcp-publisher
+          sudo mv mcp-publisher /usr/local/bin/
+      - name: Authenticate with MCP Registry
+        env:
+          MCP_REGISTRY_TOKEN: ${{ secrets.mcp_registry_token }}
+          MCP_REGISTRY_AUTH: ${{ needs.release.outputs.mcp_registry_auth }}
+        run: |
+          case "$MCP_REGISTRY_AUTH" in
+            github-oidc)
+              mcp-publisher login github-oidc
+              ;;
+            github)
+              mcp-publisher login github --token "$MCP_REGISTRY_TOKEN"
+              ;;
+            dns)
+              # Extract domain from server name in server.json (e.g., "com.example/server" -> "example.com")
+              SERVER_NAME=$(jq -r '.name' server.json)
+              NAMESPACE=${SERVER_NAME%%/*}
+              # Reverse DNS to domain: com.example -> example.com
+              DOMAIN=$(echo "$NAMESPACE" | awk -F. '{for(i=NF;i>0;i--) printf "%s%s",$i,(i>1?".":"")}')
+              mcp-publisher login dns --domain "$DOMAIN" --private-key "$MCP_REGISTRY_TOKEN"
+              ;;
+          esac
+      - name: Publish to MCP Registry
+        run: mcp-publisher publish
   publish-java:
     if: ${{ needs.release.outputs.java_regenerated == 'true' && needs.release.outputs.publish_java == 'true' }}
     name: Publish Java SDK
diff --git a/action.yml b/action.yml
@@ -153,6 +153,8 @@ outputs:
     description: "Whether the CLI target will be published"
   publish_mcp_typescript:
     description: "Whether the MCP Typescript target will be published to NPM"
+  publish_mcp_registry:
+    description: "Whether the MCP Typescript target will be published to the MCP Registry"
   cli_regenerated:
     description: "true if the CLI target was regenerated"
   cli_directory:
diff --git a/go.mod b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/pb33f/libopenapi v0.15.14
 	github.com/pkg/errors v0.9.1
 	github.com/speakeasy-api/git-diff-parser v0.0.3
-	github.com/speakeasy-api/sdk-gen-config v1.56.0
+	github.com/speakeasy-api/sdk-gen-config v1.57.0
 	github.com/speakeasy-api/speakeasy-client-sdk-go/v3 v3.15.4
 	github.com/speakeasy-api/versioning-reports v0.6.1
 	github.com/stretchr/testify v1.11.1
diff --git a/go.sum b/go.sum
@@ -146,8 +146,8 @@ github.com/speakeasy-api/git-diff-parser v0.0.3 h1:LL12d+HMtSyj6O/hQqIn/lgDPYI6c
 github.com/speakeasy-api/git-diff-parser v0.0.3/go.mod h1:P46HmmVVmwA9P8h2wa0fDpmRM8/grbVQ+uKhWDtpkIY=
 github.com/speakeasy-api/openapi v1.6.4 h1:WLoZYEK9xZQVb2JNkbXWS0HBwHYQ3GNqf+8Q3E/kXmA=
 github.com/speakeasy-api/openapi v1.6.4/go.mod h1:fy+CvRcKj+HDU0QNdnyG6UkfJOEjhqCuNC7o4AtLPAk=
-github.com/speakeasy-api/sdk-gen-config v1.56.0 h1:1tVW8mV/7o9/iFwHd7cGGZ7UCxCcU12QN9zOMwb/zCI=
-github.com/speakeasy-api/sdk-gen-config v1.56.0/go.mod h1:kD0NPNX5yaG4j+dcCpLL0hHKQbFk6X93obp+v1XlK5E=
+github.com/speakeasy-api/sdk-gen-config v1.57.0 h1:JQ2XcDbZkmYZhsQoQ9BH9TJR4KiO1uN+GVOOc0EGMA8=
+github.com/speakeasy-api/sdk-gen-config v1.57.0/go.mod h1:kD0NPNX5yaG4j+dcCpLL0hHKQbFk6X93obp+v1XlK5E=
 github.com/speakeasy-api/speakeasy-client-sdk-go/v3 v3.15.4 h1:lPVNakwHrrRWRaNIdIHE6BK7RI6B/jpdwbtvI/xPEYo=
 github.com/speakeasy-api/speakeasy-client-sdk-go/v3 v3.15.4/go.mod h1:b4fiZ1Wid0JHwwiYqhaPifDwjmC15uiN7A8Cmid+9kw=
 github.com/speakeasy-api/versioning-reports v0.6.1 h1:pvuvA1IFO7PVlpdFh7J2Y3hENDzhISFdNy0NVg/Cxb4=
diff --git a/internal/run/run.go b/internal/run/run.go
@@ -368,4 +368,10 @@ func AddTargetPublishOutputs(target workflow.Target, outputs map[string]string,
 		target.Publishing.PyPi.UseTrustedPublishing != nil && *target.Publishing.PyPi.UseTrustedPublishing {
 		outputs["use_pypi_trusted_publishing"] = "true"
 	}
+
+	if lang == "mcp-typescript" && target.Publishing != nil && target.Publishing.MCPRegistry != nil &&
+		target.Publishing.MCPRegistry.Auth != "" {
+		outputs["publish_mcp_registry"] = "true"
+		outputs["mcp_registry_auth"] = target.Publishing.MCPRegistry.Auth
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -368,4 +368,10 @@ func AddTargetPublishOutputs(target workflow.Target, outputs map[string]string,`
`368`	`368`	`target.Publishing.PyPi.UseTrustedPublishing != nil && *target.Publishing.PyPi.UseTrustedPublishing {`
`369`	`369`	`outputs["use_pypi_trusted_publishing"] = "true"`
`370`	`370`	`}`
	`371`	`+`
	`372`	`+ if lang == "mcp-typescript" && target.Publishing != nil && target.Publishing.MCPRegistry != nil &&`
	`373`	`+ target.Publishing.MCPRegistry.Auth != "" {`
	`374`	`+ outputs["publish_mcp_registry"] = "true"`
	`375`	`+ outputs["mcp_registry_auth"] = target.Publishing.MCPRegistry.Auth`
	`376`	`+ }`
`371`	`377`	`}`