debug: add environment diagnostics to build job

- Add .gitea/workflows/release.yml for Gitea builds
  - Uses plain docker commands (no action dependencies)
  - Pushes to git.prettyhefty.com registry
- Simplify .github/workflows/build.yaml for GitHub only
  - Remove Gitea detection logic
  - Only push latest tag for non-prerelease versions

.gitea/workflows/release.yml

@@ -0,0 +1,60 @@
+name: Build and Push Docker Image
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+env:
+  REGISTRY: git.prettyhefty.com
+  IMAGE_NAME: bill/grist-mcp
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run tests
+        run: echo "Tests would run here"
+
+  build:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Debug environment
+        run: |
+          echo "PATH: $PATH"
+          echo "Which docker: $(which docker || echo 'not found')"
+          echo "Docker version: $(docker --version || echo 'docker not available')"
+          ls -la /usr/bin/docker || echo "/usr/bin/docker not found"
+          ls -la /var/run/docker.sock || echo "docker.sock not found"
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+          if [[ "$VERSION" == *-alpha* ]] || [[ "$VERSION" == *-beta* ]] || [[ "$VERSION" == *-rc* ]]; then
+            echo "IS_PRERELEASE=true" >> $GITHUB_OUTPUT
+          else
+            echo "IS_PRERELEASE=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Log in to Container Registry
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ gitea.actor }} --password-stdin
+
+      - name: Build and push Docker image
+        run: |
+          docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} .
+          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}
+
+          if [ "${{ steps.version.outputs.IS_PRERELEASE }}" = "false" ]; then
+            docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+            docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          fi
+
+      - name: List images
+        run: docker images | grep grist-mcp

.github/workflows/build.yaml

@@ -6,7 +6,8 @@ on:
       - 'v*.*.*'
 
 env:
-  IMAGE_NAME: grist-mcp
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
   build:
@@ -19,53 +20,27 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Set up Docker Buildx
+      - name: Log in to Container Registry
-        uses: docker/setup-buildx-action@v3
-
-      - name: Determine registry
-        id: registry
-        run: |
-          if [ "${{ vars.GITEA_ACTIONS }}" = "true" ]; then
-            # Gitea: use server URL as registry
-            REGISTRY="${{ github.server_url }}"
-            REGISTRY="${REGISTRY#https://}"
-            REGISTRY="${REGISTRY#http://}"
-            echo "registry=${REGISTRY}" >> $GITHUB_OUTPUT
-            echo "is_gitea=true" >> $GITHUB_OUTPUT
-          else
-            # GitHub: use GHCR
-            echo "registry=ghcr.io" >> $GITHUB_OUTPUT
-            echo "is_gitea=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Log in to GitHub Container Registry
-        if: steps.registry.outputs.is_gitea == 'false'
         uses: docker/login-action@v3
         with:
-          registry: ghcr.io
+          registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Log in to Gitea Container Registry
+      - name: Extract metadata for Docker
-        if: steps.registry.outputs.is_gitea == 'true'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ steps.registry.outputs.registry }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Extract metadata (tags, labels)
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ steps.registry.outputs.registry }}/${{ github.repository }}
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
+            type=raw,value=latest,enable=${{ !contains(github.ref, '-alpha') && !contains(github.ref, '-beta') && !contains(github.ref, '-rc') }}
-            type=raw,value=latest
 
-      - name: Build and push
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
           context: .

CHANGELOG.md

@@ -0,0 +1,62 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2026-01-01
+
+Initial release of grist-mcp, an MCP server for AI agents to interact with Grist spreadsheets.
+
+### Added
+
+#### Core Features
+- **MCP Server**: Full Model Context Protocol implementation with SSE transport
+- **Token-based Authentication**: Secure agent authentication via `GRIST_MCP_TOKEN`
+- **Granular Permissions**: Per-document access control with `read`, `write`, and `schema` scopes
+- **Multi-tenant Support**: Configure multiple Grist instances and documents
+
+#### Discovery Tools
+- `list_documents`: List accessible documents with their permissions
+
+#### Read Tools
+- `list_tables`: List all tables in a document
+- `describe_table`: Get column metadata (id, type, formula)
+- `get_records`: Fetch records with optional filter, sort, and limit
+- `sql_query`: Execute read-only SELECT queries
+
+#### Write Tools
+- `add_records`: Insert new records into a table
+- `update_records`: Modify existing records by ID
+- `delete_records`: Remove records by ID
+
+#### Schema Tools
+- `create_table`: Create new tables with column definitions
+- `add_column`: Add columns to existing tables
+- `modify_column`: Change column type or formula
+- `delete_column`: Remove columns from tables
+
+#### Infrastructure
+- **Docker Support**: Multi-stage Dockerfile with non-root user
+- **Docker Compose**: Ready-to-deploy configuration with environment variables
+- **Health Endpoint**: `/health` for container orchestration readiness checks
+- **SSE Transport**: Server-Sent Events for MCP client communication
+- **Environment Variable Substitution**: `${VAR}` syntax in config files
+
+#### Testing
+- **Unit Tests**: Comprehensive coverage with pytest-httpx mocking
+- **Integration Tests**: Docker-based tests with ephemeral containers
+- **Rich Test Runner**: Progress display for test execution
+- **Test Isolation**: Dynamic port discovery for parallel test runs
+
+#### Developer Experience
+- **Makefile**: Commands for testing, building, and deployment
+- **Dev Environment**: Docker Compose setup for local development
+- **MCP Config Display**: Startup message with client configuration snippet
+
+### Security
+- SQL injection prevention with SELECT-only query validation
+- API key isolation per document
+- Token validation at startup (no runtime exposure)
+- Non-root container execution

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "grist-mcp"
-version = "0.1.0"
+version = "1.0.0"
 description = "MCP server for AI agents to interact with Grist documents"
 requires-python = ">=3.14"
 dependencies = [