Publish Bundles

Get your MCP server in front of developers. Automatic security scoring, verified provenance, one-command installs.

What you get

Automatic security scanning

Every published bundle is scanned with the mpak Trust Framework. 25 controls across 5 domains. Your trust score is computed automatically and visible to all consumers.

Verified provenance

Bundles are signed with GitHub OIDC, so users know exactly where they came from.

Discoverable

Your server appears in mpak search and on the web registry with trust scores displayed.

One-command install

Users install with mpak bundle pull @you/server. No setup, no dependencies.

How it works

1. Add a manifest.json

Describe your server: name, version, entry point, and runtime. The manifest tells mpak how to package and run your server.

Full manifest reference →

2. Add the GitHub Action

The mcpb-pack action builds your server into an MCPB bundle, attaches it to your release, and registers it with the registry.

Action documentation →

3. Create a release

Tag and push. The action builds, scans, scores, and publishes automatically.

terminal
$ git tag v1.0.0 && git push --tags
# GitHub Action runs...
✓ Built server-postgres-1.0.0.mcpb
✓ MTF scan: L2 Standard (78/100)
✓ Published to mpak.dev

Ready to publish?

The full guide covers manifest options, multi-platform builds, prereleases, and more.