Skip to content

ci(release): auto-generate release notes + registry qualifier in publish workflows #68

ci(release): auto-generate release notes + registry qualifier in publish workflows

ci(release): auto-generate release notes + registry qualifier in publish workflows #68

Workflow file for this run

name: mirror-ci (parity + publishability)
# Mirror-specific CI for the @nemtus/symbol-sdk republish mirror. Source is identical
# to upstream symbol/symbol, so this validates that each sync PR (mirror-sync.yml) and
# each push to dev still: (1) has the rename layer cleanly applied, (2) lints, (3) tests,
# (4) builds the exact artifacts publish.yml will publish, and (5) passes the crypto /
# catbuffer vectors. Catches sync/merge/rename breakage BEFORE merge and publish.
#
# Supply-chain hardening: every `npm ci` runs under Socket Firewall (`sfw`, free, no
# account), installed via Socket's SHA-pinned action (kept current by Dependabot), so a
# confirmed-malicious dependency pulled in by an upstream sync fails the install — and
# thus the job — before it can build or be published. Pairs with the Socket GitHub App
# (PR-time scanning) and the required-status-check on dev.
#
# NOTE: this workflow is kept by apply-nemtus-patch.sh's nemtus_workflows allow-list, so
# mirror-sync does not strip it. The :jenkins script variants (JUnit/lcov for upstream's
# Jenkinsfile), bundle:clean (local cleanup) and generate-docs (typedoc, not in npm
# "files") are intentionally not run here.
on:
pull_request: {}
push:
branches: [dev]
workflow_dispatch:
permissions:
contents: read
concurrency:
group: mirror-ci-${{ github.ref }}
cancel-in-progress: true
jobs:
# Mirror-specific: re-running the idempotent rename patch must produce NO diff.
# This proves name=@nemtus/symbol-sdk, metadata, README notice, and the workflow
# strip are all intact, and (via the conflict-marker grep) that no merge markers leaked.
verify-rename-layer:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x
- name: Re-apply rename layer and assert no drift
run: |
bash .github/scripts/apply-nemtus-patch.sh
if ! git diff --exit-code; then
echo "::error::Rename layer drift - apply-nemtus-patch.sh produced changes." >&2
exit 1
fi
- name: Assert no merge conflict markers
run: |
if git grep -nE '^(<{7}|={7}|>{7})( |$)' -- .; then
echo "::error::Merge conflict markers found." >&2
exit 1
fi
lint:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./sdk/javascript
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x
# Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned
# action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so
# confirmed-malicious packages fail before they're fetched — a hard supply-chain gate.
- uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free
- run: sfw npm ci
- run: npm run lint
test:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./sdk/javascript
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x
# Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned
# action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so
# confirmed-malicious packages fail before they're fetched — a hard supply-chain gate.
- uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free
- run: sfw npm ci
- run: npm test
# Same build publish.yml performs, so a broken publishable build fails here at PR time.
build:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./sdk/javascript
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x
# Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned
# action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so
# confirmed-malicious packages fail before they're fetched — a hard supply-chain gate.
- uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free
- run: sfw npm ci
- run: npm run bundle # dist/* (webpack + wasm-pack)
- run: npx tsc -p ./tsconfig/build-bindings.json # ts/src/* declarations
# Build-parity for the crypto-wasm publish path (crypto-wasm-publish.yml): a synced
# crate that fails to wasm-pack-build for any of the three targets must fail HERE, at
# PR time, before the publish workflow tries to build and publish it. Build-only — no
# publish, so the version is a throwaway placeholder. rustup is preinstalled on the
# runner; pin rustc 1.86.0 to match sdk/javascript/scripts/ci/build.sh.
crypto-wasm-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x
- name: Install pinned Rust toolchain
run: |
rustup toolchain install 1.86.0 --profile minimal
rustup default 1.86.0
rustup target add wasm32-unknown-unknown
rustc --version
- name: Install wasm-pack
run: cargo install wasm-pack --locked --version 0.13.1
- name: Build all three variants (web / bundler / node)
run: |
for v in web bundler node; do
bash .github/scripts/build-crypto-wasm.sh "$v" 0.0.0-ci "./_build/wasm/${v}_pkg"
done
vectors:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
blockchain: [nem, symbol]
defaults:
run:
working-directory: ./sdk/javascript
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x
# Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned
# action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so
# confirmed-malicious packages fail before they're fetched — a hard supply-chain gate.
- uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free
- run: sfw npm ci
- run: npm run vectors
env:
BLOCKCHAIN: ${{ matrix.blockchain }}
catvectors:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./sdk/javascript
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x
# Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned
# action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so
# confirmed-malicious packages fail before they're fetched — a hard supply-chain gate.
- uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free
- run: sfw npm ci
- run: npm run catvectors
env:
SCHEMAS_PATH: ${{ github.workspace }}/tests/vectors
# OpenAPI parity/build gate: the spec must still lint and bundle cleanly, so a
# broken sync never reaches openapi-publish.yml. We lint the source spec, bundle
# it (the exact artifacts the publish flow ships), and lint the bundle. We do NOT
# run `verify-links` here — it fetches external URLs and would make the gate flaky.
openapi:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./openapi
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.x
# Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned
# action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so
# confirmed-malicious packages fail before they're fetched — a hard supply-chain gate.
- uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free
- run: sfw npm ci
- run: npm run lint # redocly lint of the source spec
- run: npm run build # bundle -> _build/openapi3.yml/json + postman.json
- run: npm run lint:openapi:build # redocly lint of the bundled output