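# Manually triggered check that the release credentials stored as repository
# secrets are still accepted by npm, Docker Hub and PyPI. Each job reports
# success only on positive evidence from the service; an unset secret or an
# inconclusive answer fails the job instead of showing a green result.
name: Validate Release Secrets

on:
  workflow_dispatch:

# Least privilege: no job in this workflow needs more than read access.
permissions:
  contents: read

jobs:
  validate-npm:
    name: "npm: token"
    runs-on: ubuntu-latest
    steps:
      - name: Test token
        env:
          # Passed through the environment so the secret is never interpolated
          # into the script text itself.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          if [[ -z "$NODE_AUTH_TOKEN" ]]; then
            echo "❌ NPM_TOKEN secret is not set"
            exit 1
          fi
          # Quoted so the token is never word-split or glob-expanded.
          npm config set "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}"
          # Decide on npm's exit status rather than on substrings of its
          # output: a user name that happens to contain "error" must not be
          # reported as a bad token, and an unexpected failure message must
          # not be reported as a good one.
          if NPM_USER=$(npm whoami --registry https://registry.npmjs.org 2>&1) \
            && [[ -n "$NPM_USER" ]]; then
            echo "✅ NPM_TOKEN is valid (user: $NPM_USER)"
          else
            echo "❌ NPM_TOKEN is invalid or expired"
            echo " Response: $NPM_USER"
            echo " Fix: create a Classic Automation token at npmjs.com → Access Tokens"
            exit 1
          fi

  validate-docker:
    name: "Docker Hub: credentials"
    runs-on: ubuntu-latest
    steps:
      - name: Test login
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: |
          if [[ -z "$DOCKER_USERNAME" || -z "$DOCKER_PASSWORD" ]]; then
            echo "❌ DOCKER_USERNAME/DOCKER_PASSWORD secrets are not set"
            exit 1
          fi
          # printf '%s' passes the password through unchanged (echo would
          # swallow a leading -n or -e); --password-stdin keeps it out of the
          # process argument list.
          if printf '%s' "$DOCKER_PASSWORD" \
            | docker login -u "$DOCKER_USERNAME" --password-stdin 2>&1; then
            echo "✅ Docker Hub credentials are valid"
            # Drop the stored login again; this job only tests the credentials.
            docker logout > /dev/null 2>&1
          else
            echo "❌ Docker Hub credentials are invalid"
            echo " Fix: update DOCKER_USERNAME/DOCKER_PASSWORD secrets"
            exit 1
          fi

  validate-pypi:
    name: "PyPI: token"
    runs-on: ubuntu-latest
    steps:
      - name: Test token
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
        run: |
          if [[ -z "$PYPI_TOKEN" ]]; then
            echo "❌ PYPI_TOKEN secret is not set"
            exit 1
          fi
          # The project JSON API (pypi.org/pypi/<name>/json) is a public read
          # endpoint, so its status code says nothing about the token. API
          # tokens are checked by the upload endpoint, so probe that with a
          # form that carries no file: nothing can be published by this step
          # and no build tooling has to be installed.
          # NOTE(review): expected mapping is 400 = credentials accepted but
          # the request rejected for missing metadata, 401/403 = credentials
          # rejected. Confirm once with a known-good and a deliberately wrong
          # token before relying on the result.
          # NOTE(review): this presumably shows only that the token
          # authenticates, not that its scope covers the released project.
          # The credentials reach curl through a config read from stdin
          # (-K -), so the token does not appear in the argument list.
          HTTP_CODE=$(printf 'user = "__token__:%s"\n' "$PYPI_TOKEN" \
            | curl -s -K - -o /dev/null -w "%{http_code}" \
                -F ":action=file_upload" \
                "https://upload.pypi.org/legacy/" 2>/dev/null) || true
          case "$HTTP_CODE" in
            400)
              echo "✅ PYPI_TOKEN is valid"
              ;;
            401|403)
              echo "❌ PYPI_TOKEN is expired or revoked (HTTP $HTTP_CODE)"
              echo " Fix: regenerate at pypi.org → Account Settings → API tokens"
              exit 1
              ;;
            *)
              # Fail closed: anything else (network error, 5xx, changed API)
              # is not evidence that the token works.
              echo "❌ PYPI_TOKEN check was inconclusive (HTTP ${HTTP_CODE:-none})"
              echo " Re-run the workflow; if it persists, verify the token manually"
              exit 1
              ;;
          esac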