Add step for publishing to MCP Registry #1197

Merged
yury-s merged 6 commits into microsoft:main from joelverhagen:jver/mcp-registry on Nov 17, 2025

joelverhagen commented Nov 14, 2025

This adds a new step for the release event to publish to the Official MCP Registry.

Summary of changes:

  • Add server.json which is the MCP Server manifest
    • Used metadata from the GH MCP Registry
    • Used the name com.microsoft/playwright-mcp
  • Add publish-release-mcp-registry job that runs manually
    • Install Microsoft Go for compliant Go crypto
    • Log in to Azure for Key Vault access
    • Publish to the MCP Registry in the microsoft.com namespace.
  • Add mcpName to the package.json which the MCP Registry validates.

The publishing requires some secret variables:

  • AZURE_MCP_REGISTRY_CLIENT_ID - service principal client ID (app ID) with Get Key and Sign access to a Key Vault
  • AZURE_MCP_REGISTRY_TENANT_ID - tenant ID for the service principal (should be a production tenant)
  • AZURE_MCP_REGISTRY_SUBSCRIPTION_ID - Azure subscription ID holding the Key Vault
  • KV_NAME - the Key Vault name, e.g. mykeyvault
  • KV_KEY_NAME - the name of a Key in the Key Vault, needs to be ECDSA P-384.

I can provide internal documentation for how to set up the service principal (managed identity is easiest), vault, and key as well as registering the key so it can be used for the microsoft.com namespace.

Note: after the new job is proven to work as expected, we can switch it to automatically running after the publish-release-npm job on the release event.

Skn0tt left a comment

Thanks! Left a couple of comments from a first cursory look.

Skn0tt commented Nov 14, 2025

I set up a Key Vault and key, and populated the KV_KEY_NAME and KV_NAME secrets.

yury-s left a comment

Can you update the PR description as we don't commit go-install.ps1 anymore and some vars have changed?

joelverhagen commented

@yury-s, thanks for the approval. Any input on this point?

Note: if we need to iterate on the MCP Registry publish step, it might be worth allowing the publish-release-mcp-registry step to execute without the publish-release-npm and allow it to run on workflow_dispatch. Alternatively, we could allow the npm publish step to fail with "duplicate version", making the npm publish step idempotent.

joelverhagen commented

Currently the public key is not declared on microsoft.com. I sent an email to @Skn0tt on how to do this, so the record is owned by your team.

yury-s commented Nov 17, 2025

> Currently the public key is not declared on microsoft.com. I sent an email to @Skn0tt on how to do this, so the record is owned by your team.

Can you cc me as well, I may be able to do it earlier?

> @yury-s, thanks for the approval. Any input on this point?
>
> Note: if we need to iterate on the MCP Registry publish step, it might be worth allowing the publish-release-mcp-registry step to execute without the publish-release-npm and allow it to run on workflow_dispatch. Alternatively, we could allow the npm publish step to fail with "duplicate version", making the npm publish step idempotent.

I guess you want to give it a try without waiting for the next mcp release. We can allow it to run on workflow_dispatch for now and once you tested it, we can restore the dependency on the npm publish step.

@yury-s yury-s merged commit 009aa92 into microsoft:main Nov 17, 2025
7 checks passed
yury-s added a commit to yury-s/playwright-mcp that referenced this pull request Dec 29, 2025
yury-s added a commit to yury-s/playwright-mcp that referenced this pull request Dec 30, 2025
lucim23 pushed a commit to lucim23/playwright-mcp that referenced this pull request Feb 5, 2026
lucim23 pushed a commit to lucim23/playwright-mcp that referenced this pull request Feb 5, 2026
yury-s added a commit that referenced this pull request May 1, 2026
## Summary
- Adds `server.json` declaring the npm and OCI packages under the
`io.github.microsoft/playwright-mcp` namespace (already claimed via
`mcpName` in `package.json`).
- Adds a `publish-mcp-release-registry` job to `publish.yml` that runs
after the npm release, auto-syncs `server.json`'s version from
`package.json`, and publishes via `mcp-publisher` using GitHub OIDC (no
PAT needed).
- Unblocks enterprise users on `registryOnly` MCP policies (e.g. VS Code
+ Copilot in security-hardened setups) by listing `@playwright/mcp` in
the official registry.

Fixes #1477

## Precedent

[microsoft/mcp-dotnet-samples](https://github.com/microsoft/mcp-dotnet-samples/blob/main/.github/workflows/build-container.yaml)
publishes `io.github.microsoft/awesome-copilot` to the registry from an
hourly cron using the exact same flow (`id-token: write` + curl-fetched
`mcp-publisher` + `login github-oidc`). It's been running successfully
for weeks, so the GitHub-OIDC path is confirmed to work under
`microsoft/*` corp policy — no DNS / Key Vault setup needed (unlike the
reverted #1197 attempt that used the `com.microsoft/...` namespace).

## Notes
- `server.json`'s committed version is just a placeholder; the workflow
rewrites it from `package.json` before publish, so future `chore: mark
vX.Y.Z` commits don't need to touch `server.json`.
- First release after merge is the live test — no dry-run path.
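
The version sync and `mcpName` claim described in the commit message above can be gated before publish, as in the following added example (not code from the repository or its workflow). The layout of `packages` entries (`registryType`, `identifier`, `version`) and the rule that `mcpName` must equal the server name are assumptions, and the sample inputs are constructed.

```javascript
// Pre-publish gate: rewrite server.json's version from package.json and refuse
// to publish when the namespace claim and the manifest disagree.
// Assumption: the registry's mcpName validation requires it to equal server.name.
function syncManifest(pkg, server) {
  const errors = [];
  if (typeof pkg.mcpName !== 'string' || pkg.mcpName !== server.name) {
    errors.push(`mcpName ${JSON.stringify(pkg.mcpName)} != server name ${JSON.stringify(server.name)}`);
  }
  // Publish exact release versions only; a range or tag would make the listing ambiguous.
  if (!/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(pkg.version))) {
    errors.push(`package.json version ${JSON.stringify(pkg.version)} is not an exact version`);
  }
  const packages = (server.packages || []).map((entry) => {
    // The npm entry must point at the package whose mcpName makes the claim.
    if (entry.registryType === 'npm' && entry.identifier !== pkg.name) {
      errors.push(`npm identifier ${entry.identifier} != package name ${pkg.name}`);
    }
    // Only entries that already carry a version field are rewritten.
    return 'version' in entry ? { ...entry, version: pkg.version } : entry;
  });
  if (errors.length > 0) return { ok: false, errors, manifest: null };
  // Return a new object; the committed placeholder manifest is left untouched.
  return { ok: true, errors, manifest: { ...server, version: pkg.version, packages } };
}

// Constructed sample inputs (not the repository's real files).
const samplePkg = {
  name: '@playwright/mcp',
  version: '0.0.99',
  mcpName: 'io.github.microsoft/playwright-mcp',
};
const sampleServer = {
  name: 'io.github.microsoft/playwright-mcp',
  version: '0.0.0', // placeholder, rewritten before publish
  packages: [
    { registryType: 'npm', identifier: '@playwright/mcp', version: '0.0.0' },
    { registryType: 'oci', identifier: 'registry.example.invalid/playwright/mcp' },
  ],
};

const result = syncManifest(samplePkg, sampleServer);
console.log(result.ok ? JSON.stringify(result.manifest, null, 2) : result.errors.join('\n'));
```

Running the gate in the workflow before the publish step turns a namespace or version mismatch into a failed job rather than a rejected or mislabelled registry entry.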