npm - @ekho/gitlab-mcp - Versions diffs - 1.1.0 → 1.1.1 - Mend

@ekho/gitlab-mcp 1.1.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +31 -15
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -329,32 +329,48 @@ GITLAB_TOKEN=glpat-... npm run test:smoke
 ## Releasing
-The repo ships with a `.gitlab-ci.yml` that runs typecheck/tests/build on every push and publishes to npm on `v*` tags.
+The repo ships with a `.gitlab-ci.yml` that runs typecheck/tests/build on every push and publishes to npm on `v*.*.*` tags via **npm Trusted Publishers** (OIDC). No long-lived `NPM_TOKEN` is required — GitLab mints a short-lived OIDC token, npm CLI exchanges it for a publish token, and the package is signed with sigstore provenance.
-**One-time setup:**
-1. Create an automation token at https://www.npmjs.com/settings/<user>/tokens (use "Automation" type so npm 2FA does not block CI).
-2. In GitLab: Settings → CI/CD → Variables → Add variable
-   - Key: `NPM_TOKEN`
-   - Value: <the token>
-   - Flags: **Masked** and **Protected**
-3. Make sure the `v*` tag pattern is protected: Settings → Repository → Protected tags → Add `v*`.
+**One-time setup on npmjs.com**
+After the first manual publish (which creates the package), open https://www.npmjs.com/package/@ekho/gitlab-mcp/access → Trusted Publishers → Add trusted publisher → GitLab. Fill in:
+| Field | Value |
+|---|---|
+| Namespace | `ekho_0` |
+| Project name | `gitlab-mcp` |
+| Top-level CI file path | `.gitlab-ci.yml` |
+| Environment name | (blank) |
+| Allowed actions | ✅ `npm publish` |
+See https://docs.npmjs.com/trusted-publishers for the official guide.
+**One-time setup on GitLab**
+Protect the `v*` tag pattern so only maintainers can trigger publishes: Settings → Repository → Protected tags → add `v*`.
+**Cutting a release**
-**Cutting a release:**
 ```bash
-# 1. Bump the version in package.json (manually or via npm version <patch|minor|major>)
-npm version minor       # also creates the commit and the v<N> tag
+npm version minor          # 1.1.0 → 1.2.0; creates commit + tag
 git push --follow-tags
 ```
-The `publish_npm` job will fire on the tag pipeline. It verifies that the tag (`v1.2.0` → `1.2.0`) matches `package.json` before running `npm publish`.
+The `publish_npm` job fires on the tag pipeline. It verifies that the tag (`v1.2.0` → `1.2.0`) matches `package.json`, builds, and runs `npm publish`. Provenance is attached automatically via the `SIGSTORE_ID_TOKEN`.
+**Local publish (no CI, for the first release or recovery)**
-**Local publish (no CI):**
 ```bash
 npm login                       # interactive, browser-based
 npm pack --dry-run              # preview tarball contents
-npm publish --access public     # publishes the current version
+npm publish                     # publishConfig.access is "public"
 ```
-`prepublishOnly` will clean, typecheck, test, and build first.
+`prepublishOnly` runs clean → typecheck → test → build first.
+**Prerequisites for trusted publishing**
+- Node ≥ 22.14.0 (the CI uses `node:22`)
+- npm CLI ≥ 11.5.1 (the publish job runs `npm install -g npm@latest` before publishing)
 ## Architecture

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ekho/gitlab-mcp",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Model Context Protocol server for GitLab — full coverage of REST + GraphQL APIs across collaboration, CI/CD, code, releases, access, security, integrations, content, analytics, and Duo AI.",
   "type": "module",
   "license": "MIT",