Mcp oauth config changes (AST-160267)#1520
Open
cx-aniket-shinde wants to merge 10 commits into
Open
Conversation
cx-rahul-pidde
approved these changes
Jul 10, 2026
Update .npmrc to use ECHO_LIBRARIES_ACCESS_KEY environment variable for authenticating with Echo registry (npm.echohq.com and packages.echohq.com). Add ECHO_LIBRARIES_ACCESS_KEY to CI workflows for install steps. Update dependencies: js-yaml to 4.3.0, brace-expansion to latest. Bump checkmarx extension to v2.69.0.
Contributor
Security Policy Alert: Secret Policy ViolationThis workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch. Secret references detected:
To approve this workflow, please add the Note: The label must be added by someone other than the PR author (cx-atish-jadhav) or automation bots to ensure proper security review. After the label is added, you can re-run the blocked workflow to proceed. This workflow will be automatically approved once merged into the default branch. For more information, see StepSecurity's Secret Exfiltration Policy documentation. |
Add a new GitHub Actions job to run Zizmor scans on PRs and centralize npm authentication for the Echo registries. Update ci-linux, release and update-cli-version workflows to authenticate against npm.echohq.com / packages.echohq.com in addition to the GitHub registry. Remove deprecated workflows: auto-merge, issue_automation and pr-label. These changes integrate the internal Echo npm registry and add repository action scanning while removing outdated automation.
secrets.GH_TOKEN doesn't exist in this repo, causing empty auth tokens and 401s when fetching @checkmarx-scoped packages from npm.pkg.github.com. Switch to the built-in github.token (already used successfully in release.yml) and add packages: read permission where missing.
The lockfile's resolved/integrity hash for @checkmarx/ast-cli-javascript-wrapper@0.0.159 was stale relative to the currently published content on npm.pkg.github.com, causing npm ci to fail with a 409 checksum mismatch in CI.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.