MCPProxy supports automated prerelease builds from the next branch with signed and notarized macOS installers.
mainbranch: Stable releases (hotfixes and production builds)nextbranch: Prerelease builds with latest features
- Go to GitHub Actions
- Click on the latest successful "Prerelease" workflow run
- Scroll to Artifacts section
- Download:
dmg-darwin-arm64(Apple Silicon Macs)dmg-darwin-amd64(Intel Macs)versioned-linux-amd64,versioned-windows-amd64, etc. (other platforms)
# List recent prerelease runs
gh run list --workflow="Prerelease" --limit 5
# Download specific artifacts from a run
gh run download <RUN_ID> --name dmg-darwin-arm64 # Apple Silicon
gh run download <RUN_ID> --name dmg-darwin-amd64 # Intel Mac
gh run download <RUN_ID> --name versioned-linux-amd64 # Linux- Format:
{last_git_tag}-next.{commit_hash} - Example:
v0.8.4-next.5b63e2d - Version embedded in both
mcpproxyandmcpproxy-traybinaries
Release candidates are opt-in, fully-built prereleases published to the GitHub pre-release channel for testers who want to validate an upcoming version before it ships to stable.
- Format: semver
vMAJOR.MINOR.PATCH-rc.N— e.g.v0.37.0-rc.1,v0.37.0-rc.2. - The
-rc.Nsuffix (hyphen + dot before the number) is required. It is what keeps RC tags off the stable channels: the Homebrew, Linux-repo, docs, marketing, MCP-registry, and core build/release jobs inrelease.ymlare gated on!contains(github.ref_name, '-'). - Do not use forms like
v0.37.0.RC1orv0.37.0RC1— without the hyphen they read as stable tags and would bypass those guards.
A v*-rc.* tag runs only prerelease.yml, which mirrors the full stable build matrix:
| Platform | Artifacts | Signing |
|---|---|---|
| macOS (arm64, amd64) | DMG + PKG installers, tar.gz | Apple Developer ID signed and notarized |
| Linux (arm64, amd64) | tar.gz, .deb, .rpm |
— |
| Windows (arm64, amd64) | .zip, installer (.exe) |
Not SignPath-signed (see note below) |
The GitHub release is created with prerelease: true, so it does not become releases/latest.
Windows signing: stable releases are Authenticode-signed via a dedicated SignPath job (
sign-windows) inrelease.yml.prerelease.ymlintentionally omits that step (SignPath signing adds ~1h per arch), so RC Windows installers are unsigned and will trigger a SmartScreen prompt. If signed Windows RCs become a requirement, port thesign-windowsjob intoprerelease.yml.
- Not published to Homebrew (
update-homebrewguarded). - Not published to the Linux apt/rpm repos (
publish-linux-reposguarded). - Not published to the official MCP registry (
mcp-registryguarded). - Does not deploy docs or trigger marketing automation (
deploy-docs,trigger-marketing-updateguarded). - Not offered as an update on stable channels:
- The macOS tray uses GitHub
releases/latest, which excludes prereleases (native/macos/MCPProxy/MCPProxy/Services/UpdateService.swift), plus a semver downgrade guard so an-rcis never treated as "newer" than the matching stable. - The backend/tray update check is stable-only by default (
internal/tray/tray.go→releases/latest). SetMCPPROXY_ALLOW_PRERELEASE_UPDATES=trueto opt in to RC update offers; the core checker can also opt in via"update_check": { "channel": "rc" }inmcp_config.json(Spec 079 — the Go tray's own self-update check gates on the core's decision by queryingGET /api/v1/inforather than reading the config file, and selects prereleases viaMCPPROXY_ALLOW_PRERELEASE_UPDATES; converging it fully onto the shared checker is FR-001a).
- The macOS tray uses GitHub
Download the assets directly from the pre-release on the Releases page, or with the CLI:
gh release list --repo smart-mcp-proxy/mcpproxy-go # pre-releases are tagged "Pre-release"
gh release download v0.37.0-rc.1 --repo smart-mcp-proxy/mcpproxy-go- macOS DMG installers: Signed with Apple Developer ID and notarized
- Code signing: All macOS binaries are signed for Gatekeeper compatibility
- Automatic quarantine protection: New servers are quarantined by default
- Prerelease workflow (
prerelease.yml): Triggered onnextbranch pushes and onv*-rc.*/v*-next.*tags. Publishes a GitHub pre-release. - Release workflow (
release.yml): Triggered onv*tags, but every job is gated on!contains(github.ref_name, '-')so RC/prerelease tags are skipped — av*-rc.*tag therefore fires onlyprerelease.yml, never the stable release pipeline. - Unit Tests: Run on all branches with comprehensive test coverage
- Frontend CI: Validates web UI components and build process