Publishing MCP Bundles

This guide walks you through publishing an MCP server to the mpak registry.

What You’ll Need

1. An MCP server (Python, Node.js, or compiled binary)
2. A GitHub repository
3. A manifest.json describing your server

Quick Overview

1. Add manifest.json

   Create a manifest describing your server

2. Add GitHub Action

   Use the mcpb-pack action to build and publish

3. Create a Release

   Tag and release on GitHub

4. Done

   Your bundle is live on mpak.dev

Example Repository Structure

Python Server

my-mcp-server/
├── manifest.json          # Required: bundle metadata
├── pyproject.toml         # Python dependencies
└── src/
    └── my_server/
        ├── __init__.py
        └── server.py      # MCP server with if __name__ == "__main__"

Node.js Server

my-mcp-server/
├── manifest.json          # Required: bundle metadata
├── package.json           # Node dependencies
├── tsconfig.json
└── src/
    └── index.ts           # MCP server entry point

Binary Server (Go/Rust)

my-mcp-server/
├── manifest.json          # Required: bundle metadata
├── go.mod
└── cmd/
    └── server/
        └── main.go        # Binary entry point

The Minimal Workflow

Add this to .github/workflows/release.yml:

name: Release
on:
  release:
    types: [published]

permissions:
  contents: write
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: NimbleBrainInc/mcpb-pack@v2

When you publish a GitHub release, this will:

1. Vendor all dependencies into the bundle
2. Build a .mcpb file
3. Upload it to your release
4. Register it with mpak.dev

Security Scanning

Every bundle published to mpak is automatically scanned against the mpak Trust Framework. Your bundle receives a certification level (L1-L4) based on which controls pass.

Tip

Run the scanner locally before publishing to catch issues early:

pip install mpak-scanner
mpak-scanner scan .

Most well-structured servers achieve L1 (Basic) or L2 (Standard) automatically. Common issues that block certification:

Issue	Fix
Embedded secrets	Move to environment variables
Floating dependency versions	Add a lock file
Missing tool descriptions	Add descriptions to all tools

See Scanning Your Bundle for detailed remediation guidance.

Package Naming

Package names must be scoped to your GitHub organization or username:

GitHub Owner	Package Name
NimbleBrainInc	@nimblebraininc/your-server
johndoe	@johndoe/your-server

The registry verifies this via OIDC, so you can only publish to scopes you own.

README Badges

Once published, you can add badges to your README to show your package is on mpak:

[![mpak](https://registry.mpak.dev/v1/bundles/@yourorg/your-server/badge.svg)](https://mpak.dev/packages/@yourorg/your-server)

Available badge types:

Type	URL	Shows
Version (default)	.../badge.svg	Latest version
Certification	.../badge.svg?type=certification	Security level (L1-L4)
Downloads	.../badge.svg?type=downloads	Total downloads
Runtime	.../badge.svg?type=runtime	Server runtime (python/node)

You can also copy badge markdown directly from your package page on mpak.dev.

Next Steps

Certification Understand security levels and controls

Manifest Reference Full manifest.json documentation

GitHub Action Complete action configuration

User Configuration Handle API keys and secrets

Resources

• MCPB Specification - Bundle format specification
• MCP Protocol - Model Context Protocol docs
• mcpb-pack Action - GitHub Action source