Continuous Integration
Detailed guide to using MCPTrust in CI/CD pipelines.
GitHub Action
Installation:
- uses: mcptrust/mcptrust/.github/actions/mcptrust@v0.1.1
with:
mode: check # or lock
server_command: 'npx -y @scope/server /tmp'Action Inputs Reference
| Input | Default | Description |
|---|---|---|
mode | check | lock or check |
server_command | - | Shell command (or use server_argv) |
server_argv | - | Multiline argv (safer for special chars) |
lockfile | mcp-lock.json | Path to lockfile |
preset | baseline | Policy preset |
pin | true | Pin artifact in lock mode |
verify_provenance | false | Verify SLSA in lock mode |
install_ref | main | Git ref for mcptrust install |
report | step_summary | Reporting: step_summary, pr_comment, both, none |
redact | false | Redact hashes/URIs in reports |
upload_artifacts | true | Upload check.json and summary.md |
receipt | - | Path to write execution receipt |
install_method | go-install | go-install, release, or build |
mcptrust_bin | - | Path to pre-built binary (skips install) |
Security Features
- Checksum Verification: When downloading releases, the action enforces strict SHA256 verification (fail-closed).
- Fork Protection: PR comments are automatically disabled on PRs from forks to prevent token leakage or spam.
Example Workflows
PR Check (Drift Detection)
name: MCPTrust Check
on: [pull_request]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: mcptrust/mcptrust/.github/actions/mcptrust@v0.1.1
with:
mode: check
server_command: 'npx -y @modelcontextprotocol/server-filesystem /tmp'
preset: strictLock with Signing (Sigstore)
name: Lock and Sign
on:
push:
branches: [main]
permissions:
id-token: write
contents: write
jobs:
lock:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: sigstore/cosign-installer@v3
- uses: mcptrust/mcptrust/.github/actions/mcptrust@v0.1.1
with:
mode: lock
server_command: 'npx -y @scope/server'
pin: 'true'
verify_provenance: 'true'
- run: mcptrust sign --sigstore
- run: |
git add mcp-lock.json mcp-lock.json.sig
git commit -m "chore: update lockfile [skip ci]"
git push