github
diff --git a/‎.github/workflows/code-scanning.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/code-scanning.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/docker-publish.yml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/docker-publish.yml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/workflows/moderator.yml‎
Lines changed: 28 additions & 0 deletions b/‎.github/workflows/moderator.yml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎.github/workflows/registry-releaser.yml‎
Lines changed: 45 additions & 11 deletions b/‎.github/workflows/registry-releaser.yml‎
Lines changed: 45 additions & 11 deletions
diff --git a/‎Dockerfile‎
Lines changed: 5 additions & 1 deletion b/‎Dockerfile‎
Lines changed: 5 additions & 1 deletion
@@ -38,7 +38,7 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -52,13 +52,13 @@ jobs:
             threat-models: [  ]
       - name: Setup proxy for registries
         id: proxy
-        uses: github/codeql-action/start-proxy@v3
+        uses: github/codeql-action/start-proxy@v4
         with:
           registries_credentials: ${{ secrets.GITHUB_REGISTRIES_PROXY }}
           language: ${{ matrix.language }}
 
       - name: Configure
-        uses: github/codeql-action/resolve-environment@v3
+        uses: github/codeql-action/resolve-environment@v4
         id: resolve-environment
         with:
           language: ${{ matrix.language }}
@@ -70,10 +70,10 @@ jobs:
           cache: false
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         env:
           CODEQL_PROXY_HOST: ${{ steps.proxy.outputs.proxy_host }}
           CODEQL_PROXY_PORT: ${{ steps.proxy.outputs.proxy_port }}
 
@@ -46,7 +46,7 @@ jobs:
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 #v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad #v4.0.0
         with:
           cosign-release: "v2.2.4"
 
@@ -60,7 +60,7 @@ jobs:
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -127,3 +127,4 @@ jobs:
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+        
@@ -0,0 +1,28 @@
+name: AI Moderator
+on:
+  issues:
+    types: [opened]
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+
+jobs:
+  spam-detection:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      models: read
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/ai-moderator@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          spam-label: 'spam'
+          ai-label: 'ai-generated'
+          minimize-detected-comments: true
+          enable-spam-detection: true
+          enable-link-spam-detection: true
+          enable-ai-detection: true
@@ -16,33 +16,67 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v5
 
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: "stable"
+        
       - name: Fetch tags
-        run: git fetch --tags
+        run: |
+          if [[ "${{ github.ref_type }}" != "tag" ]]; then
+            git fetch --tags
+          else
+            echo "Skipping tag fetch - already on tag ${{ github.ref_name }}"
+          fi
+
+      - name: Wait for Docker image
+        run: |
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            TAG="${{ github.ref_name }}"
+          else
+            TAG=$(git tag --sort=-version:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
+          fi
+          IMAGE="ghcr.io/github/github-mcp-server:$TAG"
+          
+          for i in {1..10}; do
+            if docker manifest inspect "$IMAGE" &>/dev/null; then
+              echo "✅ Docker image ready: $TAG"
+              break
+            fi
+            [ $i -eq 10 ] && { echo "❌ Timeout waiting for $TAG after 5 minutes"; exit 1; }
+            echo "⏳ Waiting for Docker image ($i/10)..."
+            sleep 30
+          done
 
       - name: Install MCP Publisher
         run: |
-          curl -L "https://github.com/modelcontextprotocol/registry/releases/download/v1.0.0/mcp-publisher_1.0.0_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar xz mcp-publisher
+          git clone --quiet https://github.com/modelcontextprotocol/registry publisher-repo
+          cd publisher-repo && make publisher > /dev/null && cd ..
+          cp publisher-repo/bin/mcp-publisher . && chmod +x mcp-publisher
 
       - name: Update server.json version
         run: |
           if [[ "${{ github.ref_type }}" == "tag" ]]; then
-            # Use the tag that triggered the workflow
             TAG_VERSION=$(echo "${{ github.ref_name }}" | sed 's/^v//')
-            echo "Using triggered tag: ${{ github.ref_name }}"
           else
-            # Fallback to latest tag (for manual triggers)
             LATEST_TAG=$(git tag --sort=-version:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+(-.*)?$' | head -n 1)
-            if [ -z "$LATEST_TAG" ]; then
-              echo "❌ No release tag found. Cannot determine version."
-              exit 1
-            fi
+            [ -z "$LATEST_TAG" ] && { echo "No release tag found"; exit 1; }
             TAG_VERSION=$(echo "$LATEST_TAG" | sed 's/^v//')
             echo "Using latest tag: $LATEST_TAG"
           fi
           sed -i "s/\${VERSION}/$TAG_VERSION/g" server.json
-          echo "Updated server.json version to $TAG_VERSION"
+          echo "Version: $TAG_VERSION"
+
+      - name: Validate configuration
+        run: |
+          python3 -m json.tool server.json > /dev/null && echo "Configuration valid" || exit 1
+
+      - name: Display final server.json
+        run: |
+          echo "Final server.json contents:"
+          cat server.json
 
-      - name: Login to MCP Registry
+      - name: Login to MCP Registry (OIDC)
         run: ./mcp-publisher login github-oidc
 
       - name: Publish to MCP Registry
 
@@ -1,4 +1,4 @@
-FROM golang:1.25.1-alpine AS build
+FROM golang:1.25.3-alpine AS build
 ARG VERSION="dev"
 
 # Set the working directory
@@ -18,6 +18,10 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 
 # Make a stage to run the app
 FROM gcr.io/distroless/base-debian12
+
+# Add required MCP server annotation
+LABEL io.modelcontextprotocol.server.name="io.github.github/github-mcp-server"
+
 # Set the working directory
 WORKDIR /server
 # Copy the binary from the build stage