mcp-keycloak

name: Release MCP Keycloak to PyPI on: release: types: [published] permissions: contents: read jobs: validate-release: runs-on: ubuntu-latest outputs: version: ${{ steps.get-version.outputs.version }} tag-version: ${{ steps.get-version.outputs.tag-version }} steps: - name: ⚙️ Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit - name: ⚙️ Checkout the project uses: actions/checkout@v4 with: fetch-depth: 0 # Full history for UV build - name: ⚙️ Install uv uses: astral-sh/setup-uv@v4 with: version: "latest" - name: ⚙️ Set up Python run: uv python install 3.12 - name: 🏷️ Get version from release tag id: get-version run: | TAG_VERSION="${{ github.ref_name }}" VERSION=${TAG_VERSION#v} # Remove 'v' prefix if present echo "version=${VERSION}" >> $GITHUB_OUTPUT echo "tag-version=${TAG_VERSION}" >> $GITHUB_OUTPUT security-scan: runs-on: ubuntu-latest needs: validate-release steps: - name: ⚙️ Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit - name: ⚙️ Checkout the project uses: actions/checkout@v4 with: fetch-depth: 0 - name: ⚙️ Install uv uses: astral-sh/setup-uv@v4 with: version: "latest" - name: ⚙️ Set Python up and add dependencies run: | uv python install 3.12 uv sync --all-extras --dev uv add --dev bandit - name: ⚙️ Run security scan with bandit run: | uv run bandit -r src/ build-and-publish: runs-on: ubuntu-latest needs: [validate-release, security-scan] environment: name: pypi url: https://pypi.org/p/mcp-keycloak permissions: id-token: write # IMPORTANT: mandatory for trusted publishing contents: read attestations: write # For build attestations steps: - name: ⚙️ Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit - name: ⚙️ Checkout the project uses: actions/checkout@v4 with: fetch-depth: 0 # Full history for UV build - name: ⚙️ Install uv uses: astral-sh/setup-uv@v4 with: version: "latest" - name: ⚙️ Set up Python run: uv python install 3.12 - name: ⚙️ Build package run: | uv build --sdist --wheel - name: ⚙️ Check package run: | uv add --dev twine uv run twine check dist/* - name: ⚙️ Generate build attestation uses: actions/attest-build-provenance@v1 with: subject-path: 'dist/*' - name: ⚙️ Publish to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: print-hash: true attestations: true - name: ⚙️ Upload build artifacts uses: actions/upload-artifact@v4 with: name: dist-${{ needs.validate-release.outputs.version }} path: dist/ retention-days: 90 notify-success: runs-on: ubuntu-latest needs: [validate-release, build-and-publish] if: success() steps: - name: ⚙️ Success notification run: | echo "🎉 Successfully released MCP Keycloak v${{ needs.validate-release.outputs.version }} to PyPI!" echo "📦 Package: https://pypi.org/project/mcp-keycloak/${{ needs.validate-release.outputs.version }}/" echo "🏷️ Release: https://github.com/${{ github.repository }}/releases/tag/${{ github.ref_name }}"