ci: auto-close PRs that try to publish servers via the repo#1393
Open
rdimitrov wants to merge 3 commits into
Open
ci: auto-close PRs that try to publish servers via the repo#1393rdimitrov wants to merge 3 commits into
rdimitrov wants to merge 3 commits into
Conversation
Some contributors try to "publish" an MCP server by opening a PR that adds files under servers/ or edits data/seed.json, which is not how publishing works. Add a two-stage workflow that detects these PRs and closes them with a comment pointing at the mcp-publisher quickstart. Stage 1 (detect) runs on pull_request with a read-only token and only records the flagged PR number as an artifact. Stage 2 (close) runs via workflow_run in the trusted base context, re-validates the PR from the API, then comments, labels `invalid`, and closes. This avoids pull_request_target; the only input crossing the trust boundary is a sanitized PR number. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Use the paginated REST pulls/files endpoint instead of `gh pr view --json files`, which caps at 100 files with no pagination and could truncate a large PR into a false match. - Capture PR labels into a variable before grepping so a transient gh failure can't fail open on the idempotency guard. - Add an empty-file-list guard to stage 2 for parity with stage 1. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
GitHub renders single newlines in a comment paragraph as line breaks, so the hard-wrapped second paragraph showed mid-sentence breaks. Put it on one line. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
tadasant
approved these changes
Jun 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
We keep getting PRs (e.g. #1385, #1368, #1367, #1363, #1354) that try to "publish" an MCP server by adding files under
servers/or editingdata/seed.json. That isn't how publishing works — servers are published with themcp-publisherCLI against the live registry API. This adds automation that detects those PRs, comments with a pointer to the publishing quickstart, labels theminvalid, and closes them.How it works (two stages, no
pull_request_target)pull_request_targetis intentionally avoided. Instead:detect-invalid-publish-prs.ymlruns onpull_request(opened/reopened) with a read-only token. It only reads the changed file paths and, if the PR exclusively touchesservers/**and/ordata/seed.json(and the author isn't a MEMBER/OWNER/COLLABORATOR), records just the PR number as a short-lived artifact. It can't comment or close anything.close-invalid-publish-prs.ymlruns viaworkflow_runin the trusted base-repo context (write token). It picks up the flagged PR number, independently re-validates the PR from the API (still open, external author, files still match, not already labeled), then comments, labelsinvalid, and closes.Trust boundary
The only thing crossing from the untrusted stage to the privileged stage is the PR number, sanitized to digits only. Stage 2 never trusts stage 1's verdict — it re-derives every decision. Neither stage ever checks out or runs PR code.
Safety against false positives
servers/**and/ordata/seed.json— a real code PR that also happens to touch seed data is left alone.MEMBER/OWNER/COLLABORATORauthors, so maintainers editing dev seed data aren't auto-closed.invalid(e.g. if a maintainer reopens one).Notes
pull_request/workflow_runautomation, this only takes effect once merged tomain— it is not retroactive and won't run on this PR. The currently-open offending PRs should be closed manually.upload-artifactreuses the SHA already inci.yml).🤖 Generated with Claude Code