You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Get everything that changed for TypeScript in the last two failed release attempts onto npm — without touching the repo (no workflow edits, no new tags, no new versions, no empty catch-up releases). Pure operations: re-run the publish step of the existing release.yml runs.
A re-run of a release.yml run is a release.yml execution in the release environment, so it matches what npm's trusted-publisher config expects the publish to come from. Pipeline rebuild work is tracked separately in #4463 and is deliberately out of scope here.
¹ Known quirk: the tag says 2026.6.3 but the packages inside are stamped 2026.6.4 (approval wait crossed midnight UTC between version generation and stamping). Harmless here; fix tracked in #4463.
Root cause of the failures:npm error code E404 on the publish PUT — npm's disguised auth failure. The NPM_TOKEN secret is dead. Everything else (checkout of the tag, build, version guard) passed.
⚠️ Deadline
GitHub's re-run window is 30 days from run creation. For the June 3 run that is TODAY, July 3 (~11:42 UTC). Do step 3 immediately, even before the rest is fully tidy. The June 16 run has until ~July 16.
If the June 3 window has already closed (the re-run option disappears), its four packages cannot be recovered at 2026.6.4 — their changes reach npm with the next real release (see #4463, Option B). The June 16 run still covers everything's newest changes.
Why this works (and the one auth nuance)
gh run rerun --failed re-runs only the failed matrix legs (fail-fast: false), checked out at the original version tag — it publishes exactly the tagged code.
Partial success is fine and durable. Legs are independent: if the token can publish only some packages, those publish and stay published; a later rerun --failed re-runs only the still-failed legs (each rerun needs a fresh environment approval). ⚠️ But the 30-day rerun clock runs from the original run and is not reset by reruns — for the June 3 run, any re-attempt must also happen before the window closes.
Re-runs execute the original workflow snapshot, which authenticates with NODE_AUTH_TOKEN — but secrets are re-read at re-run time. So a refreshed NPM_TOKEN is picked up with zero repo changes.
Token auth is the only path these reruns can take. Trusted publishing is client-initiated (npm CLI mints and exchanges an OIDC token), and the old snapshot can't do that: no id-token: write permission and an npm CLI too old for trusted publishing. An expired/insufficient token is simply rejected by the registry (the disguised E404) — it neither falls back to OIDC nor interferes with it. The failed leg stays rerunnable.
The npm trusted-publisher (OIDC) config does not block token publishes unless "disallow tokens / require trusted publisher" is enabled in each package's publishing-access settings. Leave that switch off until this recovery is done, then flip it.
Steps
Provision a temporary token. Create a granular npm automation token with publish permission on @modelcontextprotocol/server-everything, server-memory, server-filesystem, server-sequential-thinking. Update the NPM_TOKEN secret wherever it lives (check both repo Settings → Secrets → Actions and the release environment secrets).
Confirm token publishing is still allowed on those four packages (npm package Settings → Publishing access). Don't restrict to trusted-publisher-only yet.
June 3 run — do this first (deadline today, and publishing order keeps latest correct):
Open run 26882432128 → Review pending deployments → reject the waiting create-release deployment so the run completes.
gh run rerun 26882432128 --failed --repo modelcontextprotocol/servers
Approve the release environment deployment when the re-run requests it.
Expect: 4 npm legs publish at 2026.6.4; create-release then creates GitHub release 2026.6.3.
June 16 run — same procedure on run 27626321345: reject pending create-release → gh run rerun 27626321345 --failed → approve → expect everything@2026.6.16 + GitHub release 2026.6.16.
(Ordering matters: publishing 2026.6.4after2026.6.16 would move everything's latest dist-tag backwards.)
Goal
Get everything that changed for TypeScript in the last two failed release attempts onto npm — without touching the repo (no workflow edits, no new tags, no new versions, no empty catch-up releases). Pure operations: re-run the publish step of the existing
release.ymlruns.A re-run of a
release.ymlrun is arelease.ymlexecution in thereleaseenvironment, so it matches what npm's trusted-publisher config expects the publish to come from. Pipeline rebuild work is tracked separately in #4463 and is deliberately out of scope here.What's stranded
2026.6.4(tag2026.6.3)¹everything,memory,filesystem,sequential-thinkingfetch,time,git2026.6.16everythinggit¹ Known quirk: the tag says
2026.6.3but the packages inside are stamped2026.6.4(approval wait crossed midnight UTC between version generation and stamping). Harmless here; fix tracked in #4463.Root cause of the failures:
npm error code E404on the publish PUT — npm's disguised auth failure. TheNPM_TOKENsecret is dead. Everything else (checkout of the tag, build, version guard) passed.GitHub's re-run window is 30 days from run creation. For the June 3 run that is TODAY, July 3 (~11:42 UTC). Do step 3 immediately, even before the rest is fully tidy. The June 16 run has until ~July 16.
If the June 3 window has already closed (the re-run option disappears), its four packages cannot be recovered at
2026.6.4— their changes reach npm with the next real release (see #4463, Option B). The June 16 run still coverseverything's newest changes.Why this works (and the one auth nuance)
gh run rerun --failedre-runs only the failed matrix legs (fail-fast: false), checked out at the original version tag — it publishes exactly the tagged code.rerun --failedre-runs only the still-failed legs (each rerun needs a fresh environment approval).NODE_AUTH_TOKEN— but secrets are re-read at re-run time. So a refreshedNPM_TOKENis picked up with zero repo changes.id-token: writepermission and an npm CLI too old for trusted publishing. An expired/insufficient token is simply rejected by the registry (the disguisedE404) — it neither falls back to OIDC nor interferes with it. The failed leg stays rerunnable.Steps
Provision a temporary token. Create a granular npm automation token with publish permission on
@modelcontextprotocol/server-everything,server-memory,server-filesystem,server-sequential-thinking. Update theNPM_TOKENsecret wherever it lives (check both repo Settings → Secrets → Actions and thereleaseenvironment secrets).Confirm token publishing is still allowed on those four packages (npm package Settings → Publishing access). Don't restrict to trusted-publisher-only yet.
June 3 run — do this first (deadline today, and publishing order keeps
latestcorrect):create-releasedeployment so the run completes.gh run rerun 26882432128 --failed --repo modelcontextprotocol/serversreleaseenvironment deployment when the re-run requests it.2026.6.4;create-releasethen creates GitHub release2026.6.3.June 16 run — same procedure on run 27626321345: reject pending
create-release→gh run rerun 27626321345 --failed→ approve → expecteverything@2026.6.16+ GitHub release2026.6.16.(Ordering matters: publishing
2026.6.4after2026.6.16would moveeverything'slatestdist-tag backwards.)Verify:
Expected: all four at
2026.6.4;everythingat2026.6.16withlatest = 2026.6.16.Clean up: revoke the temporary token, delete/rotate the
NPM_TOKENsecret, and only then enable trusted-publisher-only publishing on the packages. Future publishes go through OIDC (workflow changes for that: v2 release pipeline, Phase 1: OIDC trusted publishing — ✅ complete (validation release 2026.7.4) #4463).What NOT to do
npm publishfrom a laptop — wrong provenance, breaks the trust posture.