ci(release): auto-generate release notes + registry qualifier in publish workflows #68
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: mirror-ci (parity + publishability) | |
| # Mirror-specific CI for the @nemtus/symbol-sdk republish mirror. Source is identical | |
| # to upstream symbol/symbol, so this validates that each sync PR (mirror-sync.yml) and | |
| # each push to dev still: (1) has the rename layer cleanly applied, (2) lints, (3) tests, | |
| # (4) builds the exact artifacts publish.yml will publish, and (5) passes the crypto / | |
| # catbuffer vectors. Catches sync/merge/rename breakage BEFORE merge and publish. | |
| # | |
| # Supply-chain hardening: every `npm ci` runs under Socket Firewall (`sfw`, free, no | |
| # account), installed via Socket's SHA-pinned action (kept current by Dependabot), so a | |
| # confirmed-malicious dependency pulled in by an upstream sync fails the install — and | |
| # thus the job — before it can build or be published. Pairs with the Socket GitHub App | |
| # (PR-time scanning) and the required-status-check on dev. | |
| # | |
| # NOTE: this workflow is kept by apply-nemtus-patch.sh's nemtus_workflows allow-list, so | |
| # mirror-sync does not strip it. The :jenkins script variants (JUnit/lcov for upstream's | |
| # Jenkinsfile), bundle:clean (local cleanup) and generate-docs (typedoc, not in npm | |
| # "files") are intentionally not run here. | |
| on: | |
| pull_request: {} | |
| push: | |
| branches: [dev] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: mirror-ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # Mirror-specific: re-running the idempotent rename patch must produce NO diff. | |
| # This proves name=@nemtus/symbol-sdk, metadata, README notice, and the workflow | |
| # strip are all intact, and (via the conflict-marker grep) that no merge markers leaked. | |
| verify-rename-layer: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22.x | |
| - name: Re-apply rename layer and assert no drift | |
| run: | | |
| bash .github/scripts/apply-nemtus-patch.sh | |
| if ! git diff --exit-code; then | |
| echo "::error::Rename layer drift - apply-nemtus-patch.sh produced changes." >&2 | |
| exit 1 | |
| fi | |
| - name: Assert no merge conflict markers | |
| run: | | |
| if git grep -nE '^(<{7}|={7}|>{7})( |$)' -- .; then | |
| echo "::error::Merge conflict markers found." >&2 | |
| exit 1 | |
| fi | |
| lint: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./sdk/javascript | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22.x | |
| # Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned | |
| # action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so | |
| # confirmed-malicious packages fail before they're fetched — a hard supply-chain gate. | |
| - uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall-free | |
| - run: sfw npm ci | |
| - run: npm run lint | |
| test: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./sdk/javascript | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22.x | |
| # Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned | |
| # action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so | |
| # confirmed-malicious packages fail before they're fetched — a hard supply-chain gate. | |
| - uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall-free | |
| - run: sfw npm ci | |
| - run: npm test | |
| # Same build publish.yml performs, so a broken publishable build fails here at PR time. | |
| build: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./sdk/javascript | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22.x | |
| # Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned | |
| # action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so | |
| # confirmed-malicious packages fail before they're fetched — a hard supply-chain gate. | |
| - uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall-free | |
| - run: sfw npm ci | |
| - run: npm run bundle # dist/* (webpack + wasm-pack) | |
| - run: npx tsc -p ./tsconfig/build-bindings.json # ts/src/* declarations | |
| # Build-parity for the crypto-wasm publish path (crypto-wasm-publish.yml): a synced | |
| # crate that fails to wasm-pack-build for any of the three targets must fail HERE, at | |
| # PR time, before the publish workflow tries to build and publish it. Build-only — no | |
| # publish, so the version is a throwaway placeholder. rustup is preinstalled on the | |
| # runner; pin rustc 1.86.0 to match sdk/javascript/scripts/ci/build.sh. | |
| crypto-wasm-build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22.x | |
| - name: Install pinned Rust toolchain | |
| run: | | |
| rustup toolchain install 1.86.0 --profile minimal | |
| rustup default 1.86.0 | |
| rustup target add wasm32-unknown-unknown | |
| rustc --version | |
| - name: Install wasm-pack | |
| run: cargo install wasm-pack --locked --version 0.13.1 | |
| - name: Build all three variants (web / bundler / node) | |
| run: | | |
| for v in web bundler node; do | |
| bash .github/scripts/build-crypto-wasm.sh "$v" 0.0.0-ci "./_build/wasm/${v}_pkg" | |
| done | |
| vectors: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| blockchain: [nem, symbol] | |
| defaults: | |
| run: | |
| working-directory: ./sdk/javascript | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22.x | |
| # Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned | |
| # action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so | |
| # confirmed-malicious packages fail before they're fetched — a hard supply-chain gate. | |
| - uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall-free | |
| - run: sfw npm ci | |
| - run: npm run vectors | |
| env: | |
| BLOCKCHAIN: ${{ matrix.blockchain }} | |
| catvectors: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./sdk/javascript | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22.x | |
| # Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned | |
| # action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so | |
| # confirmed-malicious packages fail before they're fetched — a hard supply-chain gate. | |
| - uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall-free | |
| - run: sfw npm ci | |
| - run: npm run catvectors | |
| env: | |
| SCHEMAS_PATH: ${{ github.workspace }}/tests/vectors | |
| # OpenAPI parity/build gate: the spec must still lint and bundle cleanly, so a | |
| # broken sync never reaches openapi-publish.yml. We lint the source spec, bundle | |
| # it (the exact artifacts the publish flow ships), and lint the bundle. We do NOT | |
| # run `verify-links` here — it fetches external URLs and would make the gate flaky. | |
| openapi: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./openapi | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22.x | |
| # Socket Firewall: Free (no account/API key) via Socket's official SHA-pinned | |
| # action (pinact-enforced, Dependabot-updatable). `sfw` then wraps the install so | |
| # confirmed-malicious packages fail before they're fetched — a hard supply-chain gate. | |
| - uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall-free | |
| - run: sfw npm ci | |
| - run: npm run lint # redocly lint of the source spec | |
| - run: npm run build # bundle -> _build/openapi3.yml/json + postman.json | |
| - run: npm run lint:openapi:build # redocly lint of the bundled output |