Release¶
Releases are driven by a published GitHub Release whose tag is a semver value prefixed with v, for example v1.2.7.
The unified Release workflow resolves the tag once, then passes the derived version, version_tag, and Docker-safe image tag through npm packaging, Docker build arguments, image labels, server metadata, README markers, and documentation markers.
GitHub Repository Settings¶
Configure these settings before the first release.
| Area | Required setting |
|---|---|
| Actions | Enable GitHub Actions for the repository. |
| Actions token | Allow workflows to request the permissions declared in each workflow. |
| Branch protection | Require Actionlint, CI, CodeQL, and Dependency Review before merging to main. |
| Pages | Set Build and deployment -> Source to GitHub Actions. |
| Packages | Allow GitHub Actions to publish packages to GitHub Packages. |
| Environments | Create npm-production, docker-production, github-pages, and mcp-registry-production. |
| Code scanning | Enable code scanning to view CodeQL, Scorecard, and Trivy SARIF results. |
Add required reviewers to npm-production, docker-production, and mcp-registry-production if releases should require manual approval after a GitHub Release is published. The github-pages environment is used by the native GitHub Pages deployment job.
npm Publishing¶
The npm release workflow publishes through npm Trusted Publishing with GitHub Actions OIDC. It does not use NPM_TOKEN for publishing.
Configure the trusted publisher on npmjs.com with these exact values:
| npm Trusted Publisher field | Value |
|---|---|
| Provider | GitHub Actions |
| Repository | swimmwatch/cloakbrowser-mcp |
| Workflow filename | release.yml |
| Environment | npm-production |
| Allowed action | npm publish |
The npm job runs on GitHub-hosted runners, uses Node.js 24, and keeps id-token: write so npm can exchange the GitHub Actions OIDC token for a short-lived publish credential. npm Trusted Publishing requires npm CLI >=11.5.1 and Node.js >=22.14.0.
Publishing uses:
When publishing through Trusted Publishing, npm automatically generates package provenance for public packages from public repositories. Do not add a long-lived npm publish token back to this workflow.
The package version is applied from the GitHub Release tag before npm pack and npm publish, and the job fails if package.json does not match the resolved release version.
Docker Publishing¶
Docker images are published to:
The docker job uses the repository GITHUB_TOKEN with packages: write for GHCR. Docker Hub publishing requires DOCKERHUB_USERNAME and DOCKERHUB_TOKEN in the docker-production environment or repository secrets.
The workflow updates the Docker Hub repository overview after a successful image push. Docker Hub does not pull the root README.md automatically for this GitHub Actions release flow; the Docker Hub-specific overview is maintained in docs/dockerhub-readme.md.
Before merging a release PR, CI validates:
- runs the TypeScript, lint, format, build, test, and coverage checks;
- verifies npm package metadata and package contents;
- builds Docker images for
linux/amd64andlinux/arm64; - runs Docker
--helpsmoke checks; - compares the
linux/amd64image against upstream Playwright MCP with the bridge parity script; - scans Docker images with Trivy for high and critical OS/library vulnerabilities.
During release publishing, the Docker workflow:
- applies the release version;
- applies available Debian security updates on top of the pinned Playwright MCP base image during the Docker build;
- removes the unused global npm payload from the runtime image;
- publishes the multi-platform image;
- updates the Docker Hub overview after the image push succeeds.
The Docker build receives RELEASE_VERSION, RELEASE_VERSION_TAG, and VCS_REF build arguments. The workflow also resolves the upstream Playwright MCP base image digest and passes it as PLAYWRIGHT_MCP_IMAGE_DIGEST.
The final image stores the same values as OCI labels and runtime metadata environment variables. Published images include labels for title, description, source, documentation, version, revision, license, authors, vendor, base image name, base image digest, and MCP server name.
Trivy is free and open source and does not require an external token for public image scans. SARIF results are uploaded to GitHub code scanning when code scanning is enabled.
After the first publish, confirm the GHCR package is public and linked to this repository, and confirm the Docker Hub repository is public.
Docker publishes a multi-platform manifest for linux/amd64 and linux/arm64. PR CI smoke-tests both platforms before merge and keeps browser parity comparison on linux/amd64.
MCP Registry Publishing¶
The mcp-registry job publishes server.json to the official registry at:
Server publishing uses the local MCP Registry Publish composite GitHub Action, the official mcp-publisher CLI, and GitHub Actions OIDC. Do not open a pull request to modelcontextprotocol/registry to list this server; that repository explicitly requires package authors to publish with mcp-publisher.
The workflow does not need Glama, billing, a GitHub PAT, DNS credentials, or long-lived registry secrets. It uses:
id-token: writefor GitHub OIDC authentication;mcp-publisher login github-oidc;- the existing GitHub namespace
io.github.swimmwatch/cloakbrowser-mcp; - the npm package
mcpNamevalue to prove npm package ownership; - the Docker image label
io.modelcontextprotocol.server.nameto prove OCI image ownership.
The MCP Registry job starts from the same GitHub Release event as npm, Docker, and documentation publishing. It declares needs: [npm, docker], so npm and Docker publication complete before registry publishing starts. Documentation deployment declares needs: [docs-build, npm, docker, mcp-registry], so GitHub Pages is updated only after npm, Docker, and the official MCP Registry are published successfully. The composite action is intentionally registry-focused: it validates server.json locally, validates it with mcp-publisher, checks whether the exact registry version is already visible, authenticates with mcp-publisher login github-oidc, publishes the server metadata, and verifies the final registry entry.
If a transient registry failure happens, rerun the failed mcp-registry job in the original release run after the npm and Docker jobs are green. The manual workflow_dispatch trigger on Release is for full release-pipeline runs with an explicit tag.
Verify the published registry entry with:
curl "https://registry.modelcontextprotocol.io/v0.1/servers?search=io.github.swimmwatch/cloakbrowser-mcp"
npm run registry:check
GitHub's https://github.com/mcp registry is a separate curated discovery surface. Publishing to the official MCP Registry is required, but it does not guarantee immediate visibility on GitHub's /mcp page. Treat npm run registry:check as a release verification tool for the official registry, npm, GHCR, Docker Hub, and a best-effort GitHub MCP visibility probe. Use npm run registry:check:strict only after GitHub MCP visibility should become a hard gate.
Glama Directory Checklist¶
Glama directory scoring is separate from GitHub releases and official MCP Registry publishing. The repository includes glama.json so the swimmwatch maintainer account can claim or confirm ownership in Glama.
Before publishing a stable release, complete the free Glama checklist:
- sync the server from the Glama MCP server admin interface after
glama.jsonis merged tomain; - open
https://glama.ai/mcp/servers/swimmwatch/cloakbrowser-mcp/admin/dockerfile; - configure Glama to build this repository Dockerfile and start the existing stdio entrypoint without extra secrets;
- keep the runtime compatible with CloakBrowser defaults:
cloakbrowser engine, headless mode, stdout output, and/dataartifact storage; - click Deploy and wait for the build test to pass;
- create and publish a Glama release with the same version as the GitHub release, for example
1.2.7; - use the Glama "Try in Browser" feature once after release to seed initial usage;
- add related servers manually, at minimum the official Playwright MCP server, and optionally closely related browser automation alternatives.
Do not add a billing method or paid Glama hosting just to improve the directory score. If Glama requires billing for a required checklist item, treat that as a release blocker that needs an explicit maintainer decision.
Security Workflows¶
The repository uses free security tooling:
| Workflow | Tool | Trigger | User setup |
|---|---|---|---|
CodeQL | GitHub CodeQL | push, pull request, weekly, manual | Enable code scanning to view SARIF results. |
Dependency Review | GitHub Dependency Review | pull request | No external account or token. |
OpenSSF Scorecard | OpenSSF Scorecard | push, weekly, manual | Enable code scanning to view SARIF results. |
Zizmor | zizmor | workflow changes, manual | No external account or token. |
CI / Release | Trivy | Docker build and release | Enable code scanning to view SARIF results. |
CI / npm release | npm audit --omit=dev --audit-level=high | PR CI and npm publish job | No external account or token. |
Action SHA pinning is tracked as a future hardening pass. Current workflows use versioned action references so updates stay manageable while the release infrastructure is still young.
Documentation Publishing¶
The docs-build and docs-deploy jobs deploy MkDocs with the native GitHub Pages Actions deployment flow. Repository Pages settings must use GitHub Actions as the source.
The workflow builds documentation in strict mode, uploads the generated site/ directory with actions/upload-pages-artifact, and deploys it with actions/deploy-pages to the github-pages environment only after npm, Docker, and MCP Registry publishing have succeeded.
Documentation publishing also runs the SEO validator after the MkDocs build. Optional webmaster verification tokens use official free webmaster tools and can be provided as repository variables or secrets:
GOOGLE_SITE_VERIFICATIONBING_SITE_VERIFICATIONYANDEX_SITE_VERIFICATIONBAIDU_SITE_VERIFICATIONNAVER_SITE_VERIFICATION
Optional IndexNow notifications require a repository secret named INDEXNOW_KEY. When it is set, the workflow publishes the required key file and submits the generated sitemap URLs after GitHub Pages deployment.
Do not add paid indexing services, advertising products, or third-party analytics to the documentation release flow without a separate explicit decision.
Upstream Monitoring¶
The upstream monitor workflow runs daily and can also be started manually from GitHub Actions. It checks both upstream Playwright MCP distribution channels:
- npm package:
@playwright/mcp; - Docker image:
mcr.microsoft.com/playwright/mcp.
When a newer upstream version is detected, the workflow creates a GitHub issue assigned to swimmwatch. The issue includes the current and latest npm/Docker versions, a short release-notes summary from microsoft/playwright-mcp, and links to the full upstream changelog, npm package, and Docker tags.
Run the same check locally with:
Release Tags¶
| Release type | GitHub Release setting | npm dist-tag | Docker tags |
|---|---|---|---|
| Stable | Not prerelease | latest | vX.Y.Z, X.Y.Z, X.Y, latest |
| Prerelease | Prerelease | next | vX.Y.Z-prerelease, X.Y.Z-prerelease |
Checklist¶
Before publishing a release:
- Merge only after
ActionlintandCIare green. - Create a GitHub Release from a tag like
v1.2.7. - Mark the release as prerelease when publishing a
nextnpm version. - Confirm the npm Trusted Publisher is configured for
release.ymlandnpm-production. - Confirm
npm-production,docker-production,github-pages, andmcp-registry-productionenvironments exist. - Confirm GitHub code scanning is enabled if SARIF upload visibility is needed.
- Confirm GHCR package visibility is public after the first Docker publish.
- Confirm the Glama server has been synced, tested through the Dockerfile admin page, and released with the same stable version.
SUPPORT.md is intentionally deferred until the project has a stable support policy beyond GitHub issues and security advisories.