Skip to content

Commit 7d2351f

Browse files
dzhelezovclaude
andcommitted
ci: release workflow — npm Trusted Publishing (OIDC), no token
Wire automated releases via .github/workflows/release.yml: workflow_dispatch (enter the ponder version) or push tag v<version>. Applies the Portal layer to ponder@<version>, builds, runs the Portal tests, and publishes @subsquid/ponder@<version>. Auth uses npm **Trusted Publishing via OIDC** (id-token: write) — no NPM_TOKEN, per npm's move away from long-lived CI tokens. Guards that the version is declared in versions.json. Repo is private for now so provenance is off; add --provenance when public. One-time npm trusted-publisher setup documented in PUBLISHING.md. Remote updated to subsquid/portal-ponder (org transfer). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 1790bf2 commit 7d2351f

2 files changed

Lines changed: 79 additions & 6 deletions

File tree

.github/workflows/release.yml

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
name: release
2+
3+
# Publish @subsquid/ponder@<version> = ponder@<version> + the Portal layer.
4+
# Trigger: manually (Actions → release → Run workflow → enter the ponder version), or push a
5+
# tag `v<version>` (e.g. v0.16.6). Auth is npm **Trusted Publishing via OIDC** — no NPM_TOKEN.
6+
on:
7+
workflow_dispatch:
8+
inputs:
9+
version:
10+
description: "ponder version to publish as @subsquid/ponder@<version> (e.g. 0.16.6). Must have portal/wiring/<version>.patch + a versions.json row."
11+
required: true
12+
push:
13+
tags: ["v*.*.*"]
14+
15+
permissions:
16+
contents: read
17+
id-token: write # OIDC token for npm Trusted Publishing (replaces NPM_TOKEN)
18+
19+
concurrency:
20+
group: release-${{ github.event.inputs.version || github.ref_name }}
21+
cancel-in-progress: false
22+
23+
jobs:
24+
publish:
25+
runs-on: ubuntu-latest
26+
steps:
27+
- uses: actions/checkout@v4
28+
- uses: actions/setup-node@v4
29+
with:
30+
node-version: 22
31+
registry-url: "https://registry.npmjs.org"
32+
- run: corepack enable
33+
# npm Trusted Publishing (OIDC) requires npm >= 11.5.1; node 22 ships an older npm.
34+
- run: npm install -g npm@latest && npm --version
35+
36+
- name: Resolve version (workflow input or v<version> tag)
37+
id: v
38+
run: |
39+
V="${{ github.event.inputs.version }}"
40+
[ -z "$V" ] && V="${GITHUB_REF_NAME#v}"
41+
echo "version=$V" >> "$GITHUB_OUTPUT"
42+
echo "→ publishing @subsquid/ponder@$V"
43+
44+
- name: Guard — version must be declared in versions.json
45+
run: |
46+
node -e "const v='${{ steps.v.outputs.version }}'; const j=require('./versions.json'); if(!j.versions.some(r=>r.ponder===v)){console.error('✗ '+v+' not in versions.json — add a row + portal/wiring/'+v+'.patch first (PUBLISHING.md)');process.exit(1)} console.log('✓ '+v+' declared')"
47+
48+
- name: Build + test the fork (apply Portal layer to ponder@<version>)
49+
run: bash scripts/sync-upstream.sh "${{ steps.v.outputs.version }}" --test
50+
env:
51+
SYNC_WORKDIR: ${{ runner.temp }}/fork
52+
53+
- name: Publish to npm (Trusted Publishing via OIDC — no token)
54+
working-directory: ${{ runner.temp }}/fork/${{ steps.v.outputs.version }}/packages/core
55+
# When this repo is PUBLIC, append `--provenance` for a signed provenance attestation.
56+
run: npm publish --access public

PUBLISHING.md

Lines changed: 23 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -18,16 +18,33 @@ field per chain that routes the historical backfill through SQD Portal (realtime
1818
`compat.tested` list the CI matrix proves the seam against. We publish a fork release **only for ponder
1919
versions a client needs** (the economy), but we *know* which past/future versions hold (the awareness).
2020

21-
## Cut a release for an existing version
21+
## Releasing — automated (npm Trusted Publishing via OIDC, no token)
22+
23+
Releases run through [`.github/workflows/release.yml`](.github/workflows/release.yml) and
24+
authenticate to npm with **OIDC Trusted Publishing** — no `NPM_TOKEN` (npm deprecated long-lived
25+
tokens for CI in favour of the GitHub integration). The job applies the Portal layer to
26+
`ponder@<version>`, builds, runs the Portal tests, then publishes.
27+
28+
**One-time setup** (a maintainer with publish rights on the `@subsquid` scope):
29+
30+
1. On npmjs.com → `@subsquid/ponder`*Settings → Trusted Publisher → GitHub Actions*, pointing at
31+
repo `subsquid/portal-ponder`, workflow `release.yml`.
32+
- *Brand-new package:* if npm requires the package to exist before you can add a trusted publisher,
33+
seed it with one manual publish (below), then configure the trusted publisher — every release
34+
after that is tokenless.
35+
2. *(When the repo is public)* add `--provenance` to the publish step for a signed provenance attestation.
36+
37+
**Cut a release:** Actions → **release***Run workflow* → enter the ponder version (e.g. `0.16.6`),
38+
or push a tag `v0.16.6`. The workflow guards that the version is in `versions.json`, builds + tests, and
39+
publishes `@subsquid/ponder@<version>`. Then flip that row's `status``published` in `versions.json`.
40+
41+
**Manual / local** (to seed the first publish, or as a fallback):
2242

2343
```bash
24-
scripts/sync-upstream.sh 0.16.6 --test # clone + apply layer + build + run Portal tests
25-
cd /tmp/sqd-ponder-fork/0.16.6/packages/core
26-
npm publish --access public # publishes @subsquid/ponder@0.16.6
44+
scripts/sync-upstream.sh 0.16.6 --test # clone + apply layer + build + test
45+
cd "$SYNC_WORKDIR/0.16.6/packages/core" && npm publish --access public # uses your local npm login
2746
```
2847

29-
Then flip that row's `status``published` in `versions.json` and commit.
30-
3148
## Add a new ponder version
3249

3350
1. **Author the wiring patch.** The seam (`syncBlockRangeData`/`syncBlockData`) is stable, but the 4

0 commit comments

Comments
 (0)