From 8d58fe264c179892915d3af0045095db295bb038 Mon Sep 17 00:00:00 2001
From: Max Isbey <224885523+maxisbey@users.noreply.github.com>
Date: Fri, 26 Jun 2026 14:16:58 +0000
Subject: [PATCH 1/2] Pin conformance harness by commit SHA (ed314a73) instead of PR number

conformance#371 received a second commit (description-only reword in http-custom-headers), which caused pkg.pr.new to rebuild the @371 tarball and break the SHA256 check. Pin by commit SHA so further pushes to the PR cannot move the tarball under us; CONFORMANCE_PKG_SHA256 still verifies the bytes.
---
 .github/workflows/conformance.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index e68991e47..af57ba7a5 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -21,13 +21,14 @@ env:
 #
 # Temporarily pinned to the pkg.pr.new preview build of conformance#371, which
 # fixes the http-custom-headers fixture's spec-forbidden `number`-typed
- # x-mcp-header annotations. Because this is a mutable URL (not a registry
- # spec), CONFORMANCE_PKG_SHA256 pins the tarball and the fetch-and-verify step
- # below downloads, checks the digest, and repoints CONFORMANCE_PKG at the
- # verified local copy. Repin to the published release that includes #371 once
- # it ships, then drop CONFORMANCE_PKG_SHA256 and the fetch-and-verify steps.
- CONFORMANCE_PKG: "https://pkg.pr.new/@modelcontextprotocol/conformance@371"
- CONFORMANCE_PKG_SHA256: "9d8b25874d55e304b006cbaa066571773582f5828143c53a2b8a6830f203ca1d"
+ # x-mcp-header annotations. Pinned by commit SHA (not PR number) so a new push
+ # to #371 cannot silently change the tarball; CONFORMANCE_PKG_SHA256 then pins
+ # the bytes and the fetch-and-verify step below downloads, checks the digest,
+ # and repoints CONFORMANCE_PKG at the verified local copy. Repin to the
+ # published release that includes #371 once it ships, then drop
+ # CONFORMANCE_PKG_SHA256 and the fetch-and-verify steps.
+ CONFORMANCE_PKG: "https://pkg.pr.new/@modelcontextprotocol/conformance@ed314a73"
+ CONFORMANCE_PKG_SHA256: "e9f6bc25085b4692e988cbdbd024a4203d54a52a6aaa065376cf8ecaa09bb680"
 
 jobs:
 server-conformance:
From b6f1f9680b5105b52f8aed6fab0e5e5f58d19460 Mon Sep 17 00:00:00 2001
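Review bot: `CONFORMANCE_PKG` is pinned with an 8-character abbreviated commit id (`@ed314a73`), which names a prefix rather than a single commit, so what that URL serves still depends on how pkg.pr.new resolves and builds it. The control that actually fixes the bytes is `CONFORMANCE_PKG_SHA256` together with the fetch-and-verify step, which lies outside this hunk and should fail the job on a mismatch. If pkg.pr.new accepts a full 40-character SHA, pin that; otherwise record it beside the URL, e.g. `# conformance commit: <full-40-char-sha>`. The same applies to `@b18aa918` in patch 2/2, where the comment's "so the tarball cannot move under us" would be more accurate as `# ... so a later push cannot repoint the URL; the digest below is what fixes the bytes`.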
From: Max Isbey <224885523+maxisbey@users.noreply.github.com>
Date: Fri, 26 Jun 2026 14:54:49 +0000
Subject: [PATCH 2/2] Repin to conformance main@b18aa918 (merge of #371)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

conformance#371 has merged. Switch the pkg.pr.new pin from the PR-branch commit (ed314a73) to the merge commit on main (b18aa918) — same tarball bytes (SHA256 unchanged), but durable against PR-branch deletion. No published @modelcontextprotocol/conformance release includes #371 yet (latest is 0.2.0-alpha.7, cut before the merge), so the pkg.pr.new + SHA256 verify machinery stays for now.
---
 .github/workflows/conformance.yml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index af57ba7a5..c73c1e2db 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -19,15 +19,16 @@ env:
 # Bump deliberately and reconcile both
 # .github/actions/conformance/expected-failures*.yml files in the same change.
 #
- # Temporarily pinned to the pkg.pr.new preview build of conformance#371, which
- # fixes the http-custom-headers fixture's spec-forbidden `number`-typed
- # x-mcp-header annotations. Pinned by commit SHA (not PR number) so a new push
- # to #371 cannot silently change the tarball; CONFORMANCE_PKG_SHA256 then pins
- # the bytes and the fetch-and-verify step below downloads, checks the digest,
- # and repoints CONFORMANCE_PKG at the verified local copy. Repin to the
- # published release that includes #371 once it ships, then drop
+ # Temporarily pinned to the pkg.pr.new build of conformance main@b18aa918
+ # (the merge of #371, which fixes the http-custom-headers fixture's
+ # spec-forbidden `number`-typed x-mcp-header annotations) — no published
+ # release includes it yet. Pinned by commit SHA so the tarball cannot move
+ # under us; CONFORMANCE_PKG_SHA256 pins the bytes and the fetch-and-verify
+ # step below downloads, checks the digest, and repoints CONFORMANCE_PKG at the
+ # verified local copy. Repin to the next published @modelcontextprotocol/
+ # conformance release (>0.2.0-alpha.7) once it ships, then drop
 # CONFORMANCE_PKG_SHA256 and the fetch-and-verify steps.
- CONFORMANCE_PKG: "https://pkg.pr.new/@modelcontextprotocol/conformance@ed314a73"
+ CONFORMANCE_PKG: "https://pkg.pr.new/@modelcontextprotocol/conformance@b18aa918"
 CONFORMANCE_PKG_SHA256: "e9f6bc25085b4692e988cbdbd024a4203d54a52a6aaa065376cf8ecaa09bb680"
 
 jobs:
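Review bot: The added repin instruction `(>0.2.0-alpha.7)` reads like a semver range, and a range in `CONFORMANCE_PKG` would let the harness version float between CI runs. Wording such as `# Repin to an exact published version (the first release after 0.2.0-alpha.7)` removes the ambiguity. How `CONFORMANCE_PKG` is consumed is not visible in this hunk; if the package is fetched at run time without a lockfile integrity entry, consider keeping the digest check after the repin rather than dropping it as the comment directs.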