Grist MCP Server

name: CI/CD Pipeline on: push: branches: [main, master, develop] tags: - 'v*' pull_request: branches: [main, master, develop] workflow_dispatch: env: NODE_VERSION: '20.x' jobs: # ======================================== # Version Synchronization Check # ======================================== version-sync-check: name: Version Sync Check runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout code uses: actions/checkout@v6 - name: Check version consistency run: | PACKAGE_VERSION=$(node -p "require('./package.json').version") MANIFEST_VERSION=$(node -p "require('./manifest.json').version") echo "📦 package.json version: $PACKAGE_VERSION" echo "📋 manifest.json version: $MANIFEST_VERSION" if [ "$PACKAGE_VERSION" != "$MANIFEST_VERSION" ]; then echo "❌ ERROR: Version mismatch detected!" echo " package.json: $PACKAGE_VERSION" echo " manifest.json: $MANIFEST_VERSION" echo "" echo "💡 Fix: Update both versions to match before committing." echo " See CLAUDE.md for release checklist." exit 1 fi echo "✅ Version sync check passed: $PACKAGE_VERSION" # ======================================== # Security Scanning # ======================================== security-scan: name: Security Scan runs-on: ubuntu-latest needs: version-sync-check permissions: contents: read steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - name: Install dependencies run: npm ci - name: Run npm audit run: | echo "🔍 Running security audit..." # Run audit and capture output npm audit --json > audit-report.json 2>&1 || true # Extract vulnerability counts CRITICAL=$(jq '.metadata.vulnerabilities.critical // 0' audit-report.json) HIGH=$(jq '.metadata.vulnerabilities.high // 0' audit-report.json) MODERATE=$(jq '.metadata.vulnerabilities.moderate // 0' audit-report.json) LOW=$(jq '.metadata.vulnerabilities.low // 0' audit-report.json) echo "📊 Vulnerability Summary:" echo " Critical: $CRITICAL" echo " High: $HIGH" echo " Moderate: $MODERATE" echo " Low: $LOW" # Fail on critical vulnerabilities if [ "$CRITICAL" -gt 0 ]; then echo "" echo "❌ Critical vulnerabilities found!" jq '.vulnerabilities | to_entries[] | select(.value.severity == "critical") | .key' audit-report.json exit 1 fi # Warn but don't fail on high vulnerabilities (threshold: 3) if [ "$HIGH" -gt 3 ]; then echo "" echo "⚠️ Too many high severity vulnerabilities (limit: 3, found: $HIGH)" echo "Consider running: npm audit fix" exit 1 fi echo "" echo "✅ Security scan passed" # ======================================== # Lint and Type Check # ======================================== lint-and-typecheck: name: Lint & Type Check runs-on: ubuntu-latest needs: version-sync-check permissions: contents: read steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - name: Install dependencies run: npm ci - name: Run Biome linting run: npm run lint - name: Run TypeScript type checking run: npx tsc --noEmit - name: Build project run: npm run build - name: Upload build artifacts uses: actions/upload-artifact@v4 with: name: build-output path: dist/ retention-days: 7 # ======================================== # Unit Tests (Fast, No Docker) # ======================================== test-unit: name: Unit Tests runs-on: ubuntu-latest needs: lint-and-typecheck permissions: contents: read steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - name: Install dependencies run: npm ci - name: Run unit tests with coverage run: npm run test:unit -- --coverage - name: Upload coverage to Codecov uses: codecov/codecov-action@v5 with: files: ./coverage/lcov.info fail_ci_if_error: false # ======================================== # Integration Tests (Docker via Vitest globalSetup) # ======================================== test-integration: name: Integration Tests runs-on: ubuntu-latest needs: lint-and-typecheck permissions: contents: read steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - name: Install dependencies run: npm ci - name: Run integration tests run: npm run test:integration # ======================================== # Bundle and Package (MCPB) # ======================================== bundle-and-package: name: Bundle & Package runs-on: ubuntu-latest needs: [test-unit, test-integration] permissions: contents: read steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - name: Install dependencies run: npm ci - name: Create bundle (Vite tree-shaking + MCPB) run: npm run bundle - name: Verify bundle was created run: | if [ ! -f grist-mcp-server.mcpb ]; then echo "❌ ERROR: MCPB bundle was not created!" exit 1 fi BUNDLE_SIZE=$(du -h grist-mcp-server.mcpb | cut -f1) echo "✅ MCPB bundle created successfully" echo "📦 Bundle size: $BUNDLE_SIZE (tree-shaken with Vite)" ls -lh grist-mcp-server.mcpb - name: Upload MCPB bundle uses: actions/upload-artifact@v4 with: name: mcpb-bundle path: grist-mcp-server.mcpb retention-days: 30 # ======================================== # Quality Gates (Final Verification) # ======================================== quality-gates: name: Quality Gates runs-on: ubuntu-latest needs: [test-unit, test-integration, bundle-and-package] permissions: contents: read steps: - name: Checkout code uses: actions/checkout@v6 - name: Download MCPB bundle uses: actions/download-artifact@v5 with: name: mcpb-bundle - name: Extract version info run: | VERSION=$(node -p "require('./package.json').version") echo "version=$VERSION" >> $GITHUB_OUTPUT echo "📌 Version: $VERSION" id: version - name: Quality gate summary run: | echo "## ✅ All Quality Gates Passed!" echo "" echo "### Build Information" echo "- **Version:** ${{ steps.version.outputs.version }}" echo "- **Node Version:** ${{ env.NODE_VERSION }}" echo "- **Commit:** ${{ github.sha }}" echo "- **Branch:** ${{ github.ref_name }}" echo "" echo "### Completed Checks" echo "- ✅ Version synchronization (package.json ↔ manifest.json)" echo "- ✅ Security vulnerability scanning (npm audit)" echo "- ✅ Biome linting and formatting" echo "- ✅ TypeScript type checking" echo "- ✅ Build compilation" echo "- ✅ Unit tests" echo "- ✅ Integration tests (Docker)" echo "- ✅ MCPB bundle generation" echo "" echo "### Artifacts" echo "- 📦 MCPB Bundle: \`grist-mcp-server.mcpb\`" echo "- 📁 Build Output: \`dist/\`" echo "" echo "**Ready for deployment!** 🚀" # ======================================== # Automated Release (Tag-triggered) # ======================================== release: name: Create GitHub Release runs-on: ubuntu-latest needs: [quality-gates] if: startsWith(github.ref, 'refs/tags/v') permissions: contents: write steps: - name: Checkout code uses: actions/checkout@v6 - name: Download MCPB bundle uses: actions/download-artifact@v5 with: name: mcpb-bundle - name: Extract version from tag run: | VERSION=${GITHUB_REF#refs/tags/v} echo "version=$VERSION" >> $GITHUB_OUTPUT echo "📌 Release version: $VERSION" id: version - name: Extract changelog for this version run: | VERSION="${{ steps.version.outputs.version }}" if [ -f CHANGELOG.md ]; then # Extract changelog section for this version awk "/## \[$VERSION\]/,/## \[/" CHANGELOG.md | grep -v "^## \[" | tail -n +1 > release-notes.md if [ -s release-notes.md ]; then echo "✅ Extracted changelog for version $VERSION" cat release-notes.md else echo "⚠️ No changelog entry found for version $VERSION" echo "Release for Grist MCP Server v$VERSION" > release-notes.md fi else echo "⚠️ CHANGELOG.md not found" echo "Release for Grist MCP Server v$VERSION" > release-notes.md fi - name: Create GitHub Release uses: softprops/action-gh-release@v2 with: name: v${{ steps.version.outputs.version }} body_path: release-notes.md files: | grist-mcp-server.mcpb draft: false prerelease: false token: ${{ secrets.GITHUB_TOKEN }} - name: Release summary run: | echo "## 🎉 Release Created Successfully!" echo "" echo "- **Version:** v${{ steps.version.outputs.version }}" echo "- **Tag:** ${{ github.ref_name }}" echo "- **Bundle:** grist-mcp-server.mcpb" echo "" echo "🔗 View release: ${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }}" # ======================================== # Publish to npm Registry # ======================================== npm-publish: name: Publish to npm runs-on: ubuntu-latest needs: [quality-gates] if: startsWith(github.ref, 'refs/tags/v') permissions: contents: read id-token: write steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://registry.npmjs.org' - run: npm install -g npm@latest - run: npm ci - run: npm run build - run: npm publish --provenance --access public # ======================================== # Publish to MCP Registry # ======================================== mcp-registry-publish: name: Publish to MCP Registry runs-on: ubuntu-latest needs: [npm-publish] if: startsWith(github.ref, 'refs/tags/v') permissions: contents: read id-token: write # Required for OIDC authentication steps: - name: Checkout code uses: actions/checkout@v6 - name: Download mcp-publisher run: | set -euo pipefail curl -fSL "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_linux_amd64.tar.gz" -o mcp-publisher.tar.gz tar xzf mcp-publisher.tar.gz mcp-publisher - name: Authenticate with OIDC run: ./mcp-publisher login github-oidc - name: Publish to MCP Registry run: ./mcp-publisher publish - name: Registry publish summary run: | echo "## 📡 MCP Registry Published!" echo "" echo "Server: io.github.gwhthompson/grist-mcp-server" echo "Registry: https://registry.modelcontextprotocol.io"