
Commit 4c212f6

authored
Merge branch 'main' into fix/1401-client-session-error-propagation
2 parents eeb41ed + 2472563 commit 4c212f6

86 files changed

Lines changed: 14445 additions & 131 deletions


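--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -30,12 +30,13 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
+persist-credentials: false
 
 - name: Run Claude Code
 id: claude
 uses: anthropics/claude-code-action@2f8ba26a219c06cfb0f468eef8d97055fa814f97 # v1.0.53
 with:
-anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} # zizmor: ignore[secrets-outside-env]
 use_commit_signing: true
 additional_permissions: |
 actions: read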
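Review bot: The `# zizmor: ignore[secrets-outside-env]` suppression on the `anthropic_api_key` line gives no reason, so a later reader cannot tell whether the finding was judged acceptable or only deferred. If this job cannot run inside a GitHub environment with protection rules, record that on the line above the input, for example `# secrets-outside-env suppressed: <reason this job has no dedicated environment>`. The job definition starts above the hunk, so whether it already declares an `environment:` is not visible here.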

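--- a/.github/workflows/comment-on-release.yml
+++ b/.github/workflows/comment-on-release.yml
@@ -16,13 +16,16 @@ jobs:
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
+persist-credentials: false
 
 - name: Get previous release
 id: previous_release
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+env:
+CURRENT_TAG: ${{ github.event.release.tag_name }}
 with:
 script: |
-const currentTag = '${{ github.event.release.tag_name }}';
+const currentTag = process.env.CURRENT_TAG;
 
 // Get all releases
 const { data: releases } = await github.rest.repos.listReleases({
@@ -54,10 +57,13 @@ jobs:
 - name: Get merged PRs between releases
 id: get_prs
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+env:
+CURRENT_TAG: ${{ github.event.release.tag_name }}
+PREVIOUS_TAG_JSON: ${{ steps.previous_release.outputs.result }}
 with:
 script: |
-const currentTag = '${{ github.event.release.tag_name }}';
-const previousTag = ${{ steps.previous_release.outputs.result }};
+const currentTag = process.env.CURRENT_TAG;
+const previousTag = JSON.parse(process.env.PREVIOUS_TAG_JSON);
 
 if (!previousTag) {
 console.log('No previous release found, skipping');
@@ -104,11 +110,15 @@ jobs:
 
 - name: Comment on PRs
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+env:
+PR_NUMBERS_JSON: ${{ steps.get_prs.outputs.result }}
+RELEASE_TAG: ${{ github.event.release.tag_name }}
+RELEASE_URL: ${{ github.event.release.html_url }}
 with:
 script: |
-const prNumbers = ${{ steps.get_prs.outputs.result }};
-const releaseTag = '${{ github.event.release.tag_name }}';
-const releaseUrl = '${{ github.event.release.html_url }}';
+const prNumbers = JSON.parse(process.env.PR_NUMBERS_JSON);
+const releaseTag = process.env.RELEASE_TAG;
+const releaseUrl = process.env.RELEASE_URL;
 
 const comment = `This pull request is included in [${releaseTag}](${releaseUrl})`;
 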
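Review bot: `JSON.parse(process.env.PREVIOUS_TAG_JSON)` and `JSON.parse(process.env.PR_NUMBERS_JSON)` throw a bare SyntaxError when the upstream step's `result` output is empty, and the parsed values are then used without a shape check. Whether the earlier scripts can finish without returning a value is not visible, because their bodies continue outside these hunks. A default keeps the existing `if (!previousTag)` skip path reachable: `const previousTag = JSON.parse(process.env.PREVIOUS_TAG_JSON || 'null');` and `const prNumbers = JSON.parse(process.env.PR_NUMBERS_JSON || '[]');`. An `Array.isArray(prNumbers)` guard before the comment loop would also stop a malformed output from reaching the API calls.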

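--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -19,6 +19,8 @@ jobs:
 continue-on-error: true
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 - uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
 with:
 enable-cache: true
@@ -34,6 +36,8 @@ jobs:
 continue-on-error: true
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 - uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
 with:
 enable-cache: true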

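--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -34,6 +34,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
 - name: Install uv
 uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1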

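--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -4,18 +4,23 @@ on:
 release:
 types: [published]
 
+permissions:
+contents: read
+
 jobs:
 release-build:
 name: Build distribution
 runs-on: ubuntu-latest
 needs: [checks]
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
 - name: Install uv
 uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
 with:
-enable-cache: true
+enable-cache: false
 version: 0.9.5
 
 - name: Set up Python 3.12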
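Review bot: `enable-cache: false` in the release-build job carries no explanation, and the other workflows on this page keep `enable-cache: true`, so it reads as an inconsistency that a later cleanup could flip back. If the intent is that published artifacts are never built from a restored Actions cache, say so on the line: `enable-cache: false # release build: do not restore from the shared Actions cache`. The new top-level `permissions: contents: read` applies to every job in this file. Any publishing job below the hunk, which is not visible here, has to declare the extra permissions it needs at job level.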

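--- a/.github/workflows/shared.yml
+++ b/.github/workflows/shared.yml
@@ -14,6 +14,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
 - uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
 with:
@@ -57,6 +59,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
 - name: Install uv
 uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
@@ -83,6 +87,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+with:
+persist-credentials: false
 
 - uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
 with: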

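--- a/.github/workflows/weekly-lockfile-update.yml
+++ b/.github/workflows/weekly-lockfile-update.yml
@@ -15,6 +15,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
 with: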

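--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis
+
+on:
+push:
+branches: ["main"]
+pull_request:
+branches: ["**"]
+
+permissions: {}
+
+jobs:
+zizmor:
+runs-on: ubuntu-latest
+
+permissions:
+security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+
+- name: Run zizmor 🌈
+uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6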
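Review bot: The `zizmor` job grants only `security-events: write` under the top-level `permissions: {}`, so the checkout step runs with no `contents` scope. That works while the repository is public, but checkout fails on a private or internal repository, or wherever this file is copied to one. Adding `contents: read # only needed for private or internal repos` and `actions: read # only needed for private or internal repos` beside the existing entry documents the dependency without widening access on a public repo. A `timeout-minutes:` on the job would also bound a hung scan.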

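--- a/examples/servers/simple-auth/mcp_simple_auth/auth_server.py
+++ b/examples/servers/simple-auth/mcp_simple_auth/auth_server.py
@@ -120,6 +120,8 @@ async def introspect_handler(request: Request) -> Response:
 "iat": int(time.time()),
 "token_type": "Bearer",
 "aud": access_token.resource, # RFC 8707 audience claim
+"sub": access_token.subject, # RFC 7662 subject
+"iss": str(server_settings.server_url),
 }
 )
 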
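Review bot: The new `"iss"` claim is `str(server_settings.server_url)`, and issuer values are compared by exact string match. If `server_url` is a pydantic URL type (its declaration is not visible in this hunk), `str()` can append a trailing slash, so the introspection `iss` would differ from the issuer the metadata endpoint advertises. Build both from one normalised value and document it like the neighbouring claims, e.g. `"iss": str(server_settings.server_url).rstrip("/"),  # must equal the advertised issuer`, using whichever form the metadata actually publishes. `access_token.subject` is also emitted as-is, so if it can be `None` the response carries `"sub": null` where RFC 7662 would have the member omitted. `introspect_handler` starts and ends outside the hunk.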

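--- a/examples/servers/simple-auth/mcp_simple_auth/simple_auth_provider.py
+++ b/examples/servers/simple-auth/mcp_simple_auth/simple_auth_provider.py
@@ -181,6 +181,7 @@ async def handle_simple_callback(self, username: str, password: str, state: str)
 scopes=[self.settings.mcp_scope],
 code_challenge=code_challenge,
 resource=resource, # RFC 8707
+subject=username,
 )
 self.auth_codes[new_code] = auth_code
 
@@ -219,6 +220,7 @@ async def exchange_authorization_code(
 scopes=authorization_code.scopes,
 expires_at=int(time.time()) + 3600,
 resource=authorization_code.resource, # RFC 8707
+subject=authorization_code.subject,
 )
 
 # Store user data mapping for this token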
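Review bot: `subject=username` in `handle_simple_callback` stores the login form's username verbatim as the token subject, and unlike the `resource` line above it has no comment saying what the value represents. A short note would make the contract explicit: `subject=username,  # example only: the username doubles as the stable subject identifier`. Any other path in this provider that constructs an access token must pass `subject` as well, or introspection will report an empty `sub` for those tokens; no such path (a refresh-token exchange, for example) is visible in these hunks. Both functions extend beyond the hunks shown.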
