celo-org · alvarof2 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
@@ -41,7 +41,7 @@ permissions:
 
 jobs:
   publish:
-    runs-on: ['self-hosted', 'org', 'npm-publish']
+    runs-on: ubuntu-latest
     permissions:
       contents: write
       id-token: write
@@ -51,20 +51,11 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
-      - name: Akeyless Get Secrets
-        id: get_auth_token
-        uses: docker://us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest
-        with:
-          api-url: https://api.gateway.akeyless.celo-networks-dev.org
-          access-id: p-kf9vjzruht6l
-          static-secrets: '{"/static-secrets/NPM/npm-publish-token":"NPM_TOKEN"}'
 
       # Setup .npmrc file to publish to npm
       - uses: actions/setup-node@v4
         with:
-          node-version: '18.x'
-          registry-url: 'https://registry.npmjs.org'
-          #scope: '@celo'
+          node-version: '20.x'
 
       - name: 'Setup yarn'
         shell: bash
@@ -101,6 +92,28 @@ jobs:
       - name: 'Get git commit hash'
         id: get_COMMIT_HASH
         run: echo "COMMIT_HASH=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+      - name: Update npm for OIDC trusted publishing (v11.5.1)
+        run: npm install -g npm@11.5.1
+
+      # Fallback: ensure package.json has version (prepare script may not persist in CI)
+      - name: Ensure package.json has version
+        run: |
+          for pkg in packages/protocol/contracts packages/protocol/abis; do
+            node -e "
+              const fs = require('fs');
+              const pkgPath = process.argv[1] + '/package.json';
+              const pkg = JSON.parse(fs.readFileSync(pkgPath));
+              if (!pkg.version) {
+                pkg.version = process.env.RELEASE_VERSION || '0.0.0-dry-run';
+                pkg.private = false;
+                fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2));
+              }
+            " "$pkg"
+          done
+        env:
+          RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
+
       - name: Publish @celo/contracts
         run: |
           cat package.json
@@ -110,12 +123,11 @@ jobs:
             echo "Dry run mode, exiting successfully."
             exit 0
           fi
-          npm dist-tag add @celo/contracts@$RELEASE_VERSION $COMMIT_HASH              
+          # npm dist-tag add @celo/contracts@$RELEASE_VERSION $COMMIT_HASH
         working-directory: packages/protocol/contracts
         env:
           RELEASE_TYPE: --tag ${{ env.RELEASE_TYPE != '' && env.RELEASE_TYPE || 'canary' }}
           RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
-          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
           DRY_RUN: ${{ env.RELEASE_VERSION == '' && '--dry-run' || '' }}
           COMMIT_HASH: ${{ env.COMMIT_HASH }}
 
@@ -128,11 +140,10 @@ jobs:
             echo "Dry run mode, exiting successfully."
             exit 0
           fi
-          npm dist-tag add @celo/abis@$RELEASE_VERSION $COMMIT_HASH          
+          # npm dist-tag add @celo/abis@$RELEASE_VERSION $COMMIT_HASH          
         working-directory: packages/protocol/abis
         env:
           RELEASE_TYPE: --tag ${{ env.RELEASE_TYPE != '' && env.RELEASE_TYPE || 'canary' }}
           RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
-          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
           DRY_RUN: ${{ env.RELEASE_VERSION == '' && '--dry-run' || '' }}
           COMMIT_HASH: ${{ env.COMMIT_HASH }}
@@ -18,6 +18,11 @@
     "./dist",
     "!**/*.js.map"
   ],
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/",
+    "provenance": true
+  },
   "exports": {
     ".": {
       "import": "./dist/esm/index.js",

@@ -8,6 +8,11 @@
     "url": "https://github.com/celo-org/celo-monorepo.git",
     "directory": "packages/protocol/contracts"
   },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/",
+    "provenance": true
+  },
   "scripts": {},
   "dependencies": {}
 }
@@ -13,7 +13,7 @@ import {
   BuildTarget,
   CONTRACTS_08_PACKAGE_DESTINATION_DIR,
   CONTRACTS_08_SOURCE_DIR,
-  CONTRACTS_PACKAGE_SRC_DIR,
+  // CONTRACTS_PACKAGE_SRC_DIR - unused: we use process.cwd() for correct path resolution in CI
   PublishContracts,
   TSCONFIG_PATH,
 } from './consts'
@@ -260,38 +260,41 @@ function processRawJsonsAndPrepareExports() {
   return exports
 }
 
+const DRY_RUN_VERSION = '0.0.0-dry-run'
+
 function prepareAbisPackageJson(exports: Exports) {
   log('Preparing @celo/abis package.json')
-  const packageJsonPath = path.join(ABIS_PACKAGE_SRC_DIR, 'package.json')
+  // Use process.cwd() so paths are correct when run with working-directory: packages/protocol (e.g. in CI)
+  const packageJsonPath = path.resolve(process.cwd(), 'abis', 'package.json')
 
+  const version = process.env.RELEASE_VERSION || DRY_RUN_VERSION
   if (process.env.RELEASE_VERSION) {
-    log('Replacing @celo/abis version with RELEASE_VERSION)')
-
-    replacePackageVersionAndMakePublic(packageJsonPath, (json) => {
-      log('Setting @celo/abis exports')
-      json.exports = exports
-    })
-
-    return
+    log('Replacing @celo/abis version with RELEASE_VERSION')
+  } else {
+    log(`Using placeholder version ${DRY_RUN_VERSION} for dry run`)
   }
 
-  log('Skipping @celo/abis package.json preparation (no RELEASE_VERSION provided)')
+  replacePackageVersionAndMakePublic(packageJsonPath, version, (json) => {
+    log('Setting @celo/abis exports')
+    json.exports = exports
+  })
 }
 
 function prepareContractsPackage() {
   const contracts08CpCommand = `cp -r ${CONTRACTS_08_SOURCE_DIR} ${CONTRACTS_08_PACKAGE_DESTINATION_DIR}`
   log(contracts08CpCommand)
   child_process.execSync(contracts08CpCommand)
 
+  const version = process.env.RELEASE_VERSION || DRY_RUN_VERSION
   if (process.env.RELEASE_VERSION) {
-    log('Replacing @celo/contracts version with RELEASE_VERSION)')
-    const packageJsonPath = path.join(CONTRACTS_PACKAGE_SRC_DIR, 'package.json')
-    replacePackageVersionAndMakePublic(packageJsonPath)
-
-    return
+    log('Replacing @celo/contracts version with RELEASE_VERSION')
+  } else {
+    log(`Using placeholder version ${DRY_RUN_VERSION} for dry run`)
   }
 
-  log('Skipping @celo/contracts package.json preparation (no RELEASE_VERSION provided)')
+  // Use process.cwd() so paths are correct when run with working-directory: packages/protocol (e.g. in CI)
+  const packageJsonPath = path.resolve(process.cwd(), 'contracts', 'package.json')
+  replacePackageVersionAndMakePublic(packageJsonPath, version)
 }
 
 function lsRecursive(dir: string): string[] {

@@ -121,17 +121,19 @@ export function getReleaseTypeFromSemVer(version: SemVer): string | number {
 
 export function replacePackageVersionAndMakePublic(
   packageJsonPath: string,
+  version?: string,
   onDone?: (json: JSON) => void
 ) {
   const json: JSON = JSON.parse(fs.readFileSync(packageJsonPath).toString())
 
-  if (process.env.RELEASE_VERSION) {
-    console.info(`Replacing ${json.name as string} version with provided RELEASE_VERSION`)
+  const effectiveVersion = version ?? process.env.RELEASE_VERSION
+  if (effectiveVersion) {
+    console.info(`Replacing ${json.name as string} version with ${effectiveVersion}`)
 
-    json.version = process.env.RELEASE_VERSION
+    json.version = effectiveVersion
     json.private = false
   } else {
-    console.info('No RELEASE_VERSION provided')
+    console.info('No version provided')
   }
 
   if (onDone !== undefined) {