ci: bump mcp-publisher to v1.7.9 to fix OIDC audience 401 #71

Merged: aliasunder merged 1 commit into main from claude/vault-bootstrap-setup-YNklM on Jun 7, 2026
@aliasunder (Owner)

What

Bump the pinned mcp-publisher version in .github/workflows/publish-registry.yml from v1.7.0 to v1.7.9.

Why

The MCP Registry publish job started failing at the login github-oidc step:

Error: failed to get token: failed to exchange OIDC token: token exchange failed with status 401:
{"title":"Unauthorized","status":401,"detail":"Token exchange failed",
"errors":[{"message":"failed to validate OIDC token: invalid audience:
expected https://registry.modelcontextprotocol.io, got [mcp-registry]"}]}

The hosted registry was patched server-side for CVE-2026-44428 (GitHub OIDC tokens were replayable across registry deployments due to a shared audience). It now requires the OIDC token's audience to be the per-deployment registry URL https://registry.modelcontextprotocol.io, and rejects the old shared mcp-registry audience with a 401.

The matching client fix — "auth: bind GitHub OIDC token exchange to a per-deployment audience" — landed in mcp-publisher v1.7.6. Our pin (v1.7.0) predates it, so the publisher still requests the old audience and gets rejected.

Change

  • Pin MCP_PUBLISHER_VERSION to 1.7.9 (latest patch as of writing; floor is v1.7.6).
  • Document the v1.7.6 floor + CVE in the workflow comment so the pin can't silently regress below it.

No workflow-shape change needed: login github-oidc takes no new flags; v1.7.6+ derives the audience from the registry automatically.

Note on rollout

A bare re-run of the previously failed release won't pick this up — workflow re-runs use the workflow file from the release commit, which still pins v1.7.0. After this merges to main, a new release (or re-tag) is needed for the publish job to run with v1.7.9.

References

https://claude.ai/code/session_01WkYCgRpXKdxHU9QKJPuF2w


Generated by Claude Code
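
The audience binding described in the PR description above, as an added example that is not part of the PR and is not code from mcp-publisher or the registry. The two audience strings come from the quoted 401 error; `OTHER_AUD`, the function names, and the unsigned demo tokens are constructed for illustration, and signature validation is deliberately left out.

```python
import base64
import json

# Both audience strings are taken from the 401 error quoted on this page.
REGISTRY_AUD = "https://registry.modelcontextprotocol.io"
SHARED_AUD = "mcp-registry"
# Hypothetical second deployment, constructed for the demo.
OTHER_AUD = "https://registry.example.test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(aud) -> str:
    """Constructed, unsigned JWT-shaped token; real tokens are signed by the issuer."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"aud": aud, "sub": "repo:example/demo:ref:refs/tags/v0.0.0"}
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def read_audiences(token: str) -> list:
    """Return aud as a list; RFC 7519 allows a single string or an array."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    aud = json.loads(base64.urlsafe_b64decode(padded)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def check_audience(token: str, own_aud: str):
    """Audience check only (signature validation is out of scope here).

    Returns None when own_aud is listed, else a message shaped like the
    error quoted on this page.
    """
    got = read_audiences(token)
    if own_aud in got:
        return None
    return f"invalid audience: expected {own_aud}, got [{' '.join(got)}]"


if __name__ == "__main__":
    for name, tok in [("shared", make_demo_token(SHARED_AUD)),
                      ("bound", make_demo_token(REGISTRY_AUD))]:
        for rp in (SHARED_AUD, REGISTRY_AUD, OTHER_AUD):
            print(f"{name:6} token at {rp}: {check_audience(tok, rp) or 'accepted'}")
```

A token carrying the shared audience passes at every relying party that checks for that same string, while a token bound to one deployment's URL is rejected everywhere else.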

coderabbitai Bot commented Jun 7, 2026

Warning

Review limit reached

@aliasunder, we couldn't start this review because you've reached your PR review rate limit.


📥 Commits

Reviewing files that changed from the base of the PR and between df8abb2 and 87e32b9.

📒 Files selected for processing (1)
  • .github/workflows/publish-registry.yml

The hosted MCP Registry was patched server-side for CVE-2026-44428 to
require a per-deployment OIDC audience. mcp-publisher v1.7.0 still
requests the old shared "mcp-registry" audience, so `login github-oidc`
now fails with a 401 (expected https://registry.modelcontextprotocol.io,
got [mcp-registry]). The fix landed in publisher v1.7.6; pin v1.7.9 and
document the floor so it can't regress.
@aliasunder force-pushed the claude/vault-bootstrap-setup-YNklM branch from 6920aba to 87e32b9, June 7, 2026 16:17
@aliasunder merged commit 29f762c into main, Jun 7, 2026
6 checks passed
@aliasunder deleted the claude/vault-bootstrap-setup-YNklM branch, June 7, 2026 16:18