ci: update MCP login to use DNS and key file

[masnwilliams]

TL;DR

Updates CI authentication to use a private key and DNS for MCP Registry login, replacing the previous OIDC method.

Why we made these changes

This change aligns our publishing workflow with the new standard authentication mechanism for the MCP Registry. The previous github-oidc method is being replaced to streamline and secure access.

What changed?

• .github/workflows/publish-mcp.yml:
  • Switched the MCP Registry login method from github-oidc to dns.
  • Authentication now uses a private key provided via the MCP_PRIVATE_KEY secret.

^{Description generated by Mesa. Update settings}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
mcp	Building	Preview	Comment	Sep 10, 2025 9:41pm

[mesa-dot-dev]

Performed full review of 4d06008...d12f7c0

Tip

⚡ Quick Actions

This review was generated by Mesa.

Actions:

• Configure your agents

Slash Commands:

• /review - Request a full code review
• /review latest - Review only changes since the last review
• /describe - Generate PR description. This will update the PR body or issue comment depending on your configuration
• /help - Get help with Mesa commands and configuration options

^{1 files reviewed | 1 comments | Review on Mesa | Edit Reviewer Settings}

[mesa-dot-dev]

The private key file key.pem should be cleaned up after use to prevent it from remaining on the runner filesystem. Consider adding a cleanup step or using a more secure approach like process substitution: mcp-publisher login dns --domain onkernel.com --private-key-file <(echo "${{ secrets.MCP_PRIVATE_KEY }}")
_{Agent: 🤖 General}