v0.5.0 — Container image + Helm chart

@nalyk released this 04 May 13:42
· 63 commits to main since this release

A packaging and operations release. No runtime behavior changes — the server behaves identically to 0.4.0 for its consumers. This release ships the deployment substrate and CI/CD pipeline for distributing the server as a container image and Helm chart on ghcr.io.

🐳 Container

  • Multi-stage Dockerfile (node:24-alpine), non-root execution as uid 1000
  • Compatible with readOnlyRootFilesystem: true (writable /tmp only)
  • Drop-ALL capabilities, seccompProfile: RuntimeDefault

docker run -e GITLAB_PERSONAL_ACCESS_TOKEN=glpat-xxx -p 3000:3000 \
  ghcr.io/yoda-digital/mcp-gitlab-server:0.5.0

⛵ Helm chart

Production-ready chart with five fail-loud guards that catch operator footguns at helm template time rather than at apply / runtime:

  1. Empty GITLAB_PERSONAL_ACCESS_TOKEN in PAT mode without existingSecret
  2. Both existingSecret AND inline secret.GITLAB_PERSONAL_ACCESS_TOKEN set (silent precedence trap)
  3. PDB minAvailable >= replicaCount (drain deadlock)
  4. PDB both minAvailable AND maxUnavailable set (K8s rejects at apply time)
  5. Invalid AUTH_MODE value (server-side, exits with clear message)

helm install gitlab-mcp oci://ghcr.io/yoda-digital/charts/gitlab-mcp \
  --version 0.5.0 \
  --set secret.GITLAB_PERSONAL_ACCESS_TOKEN=glpat-xxx
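
One way to express guards 1 to 4 as template-time checks with Helm's `fail` function, as an added example rather than the chart's actual templates. The value paths, the `pdb.enabled` switch and the `pat` literal for PAT mode are assumptions; guard 5 is left out because the notes describe it as enforced server-side.

```yaml
{{- /*
  templates/validate.yaml: renders no manifest, only aborts on bad values.
  Added example, not the chart's source. Assumed value paths: existingSecret,
  secret.GITLAB_PERSONAL_ACCESS_TOKEN, env.AUTH_MODE, replicaCount,
  pdb.enabled, pdb.minAvailable, pdb.maxUnavailable. "pat" as the PAT-mode
  value of AUTH_MODE is also an assumption.
*/ -}}
{{- $secret := .Values.secret | default (dict) -}}
{{- $env := .Values.env | default (dict) -}}
{{- $pdb := .Values.pdb | default (dict) -}}
{{- $pat := get $secret "GITLAB_PERSONAL_ACCESS_TOKEN" | default "" | toString -}}
{{- $existing := .Values.existingSecret | default "" | toString -}}
{{- $mode := get $env "AUTH_MODE" | default "pat" | toString | lower -}}

{{- /* Guard 1: PAT mode with no token source at all. */ -}}
{{- if and (eq $mode "pat") (empty $pat) (empty $existing) -}}
  {{- fail "PAT mode needs secret.GITLAB_PERSONAL_ACCESS_TOKEN or existingSecret" -}}
{{- end -}}

{{- /* Guard 2: two token sources; one would silently win over the other. */ -}}
{{- if and (not (empty $pat)) (not (empty $existing)) -}}
  {{- fail "set either existingSecret or secret.GITLAB_PERSONAL_ACCESS_TOKEN, not both" -}}
{{- end -}}

{{- if get $pdb "enabled" -}}
  {{- $min := get $pdb "minAvailable" -}}
  {{- $max := get $pdb "maxUnavailable" -}}
  {{- /* hasKey + kind check so that an explicit 0 still counts as "set". */ -}}
  {{- $hasMin := and (hasKey $pdb "minAvailable") (not (kindIs "invalid" $min)) -}}
  {{- $hasMax := and (hasKey $pdb "maxUnavailable") (not (kindIs "invalid" $max)) -}}

  {{- /* Guard 4: the two fields are mutually exclusive in a PodDisruptionBudget. */ -}}
  {{- if and $hasMin $hasMax -}}
    {{- fail "pdb.minAvailable and pdb.maxUnavailable are mutually exclusive" -}}
  {{- end -}}

  {{- /* Guard 3: integers only; percentage strings such as "50%" are not compared. */ -}}
  {{- $replicas := .Values.replicaCount | default 1 | int -}}
  {{- if and $hasMin (not (kindIs "string" $min)) -}}
    {{- if ge (int $min) $replicas -}}
      {{- fail (printf "pdb.minAvailable=%d must be below replicaCount=%d or node drains deadlock" (int $min) $replicas) -}}
    {{- end -}}
  {{- end -}}
{{- end -}}
```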

All v0.4.0 transport env vars wired in values.yaml: AUTH_MODE, USE_STREAMABLE_HTTP, CORS_ALLOW_ORIGINS, HEALTHZ_MAX_SESSIONS.

🛠️ Build & Publish workflow

.github/workflows/build.yml — three-job pipeline with release-discriminated CI:

  • validate (every PR + push): hadolint, helm lint, helm template smoke test. Now in the branch-protection required-checks list.
  • docker (push to main + tags): docker/metadata-action@v5; sha-<short> on main, <semver> + :latest on tag pushes only.
  • helm (tag pushes only): helm package --version + OCI push to ghcr.io. Chart version mutation via yq with post-mutation assertion.

🔐 Provenance

The npm package continues to ship via OIDC Trusted Publishing with Sigstore SLSA v1 provenance. Verify with:

npm view @yoda.digital/gitlab-mcp-server@0.5.0 dist.attestations

👏 Credits

  • Implementation: @ecthelion77 (Olivier Gintrand)
  • Maintainer rebase + additional guards: @nalyk
  • Reviewed via #29 → merged via #44

Full notes: CHANGELOG.md.