fix(ci): split release.yml into version + publish jobs

[felixweinberger]

Fixes the failed alpha.1 publish (run 23850387096). Two root causes, one architectural change.

Motivation and Context

Bug 1 — publish: input not shell-evaluated. changesets/action passes the publish: string as argv. pnpm run build:all && pnpm changeset publish became pnpm run build:all with extra args &&, pnpm, changeset, publish — which pnpm forwarded to tsdown as entry points:

Cannot resolve entry module &&.
Cannot resolve entry module pnpm.

Never fired before because every previous run was in PR mode. Wrapped in package.json's ci:publish script — single command, no shell operators.

Bug 2 — NPM_TOKEN environment-scoped, job had no environment. The secret lives in the release environment (was used by main.yml's now-deleted publish job). release.yml had no environment: so the secret resolved empty.

Split into two jobs:

• version (ungated): runs changesets/action with no publish: input. Only creates/updates the Version PR. Outputs hasChangesets.
• publish (gated): needs: version, if: hasChangesets == 'false', environment: release. Runs changesets/action with publish: pnpm run ci:publish. Approval prompt fires only when actually publishing.

Feature PRs land → Version PR updates automatically. Merge Version PR → publish job waits for approval → token visible → publishes.

Also enables provenance (id-token: write + NPM_CONFIG_PROVENANCE: 'true').

How Has This Been Tested?

The build path was verified locally on changeset-release/main (pnpm install && pnpm build:all clean). The workflow structure follows the documented changesets/action hasChangesets output pattern.

After this merges: version job runs → hasChangesets: false (versions still bumped from #1420, no new changesets) → publish job → approval prompt → publishes alpha.1.

Breaking Changes

None.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

The release environment's required reviewers (if configured at Settings → Environments → release) become the publish approvers.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 61dfbf3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1836

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1836

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1836

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/fastify@1836

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1836

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1836

commit: 61dfbf3