(chore): change browser example to query from the CDN drop in by default #262
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish JS Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| commit_sha: | |
| description: "Commit SHA to publish as dev release (leave empty for HEAD)" | |
| required: false | |
| type: string | |
| pull_request: | |
| types: [closed] | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| id-token: write | |
| jobs: | |
| prepare: | |
| # Dev releases (workflow_dispatch) are only allowed from main | |
| if: >- | |
| github.event_name == 'pull_request' || | |
| (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') | |
| runs-on: | |
| group: arc-public-large-amd64-runner | |
| outputs: | |
| version: ${{ steps.version.outputs.version }} | |
| server_version: ${{ steps.version.outputs.server_version }} | |
| npm_tag: ${{ steps.config.outputs.npm_tag }} | |
| ref: ${{ steps.config.outputs.ref }} | |
| should_publish: ${{ steps.config.outputs.should_publish }} | |
| steps: | |
| - name: Determine release type | |
| id: config | |
| # Use env vars to avoid script injection via github context interpolation | |
| env: | |
| EVENT_NAME: ${{ github.event_name }} | |
| INPUT_COMMIT_SHA: ${{ inputs.commit_sha }} | |
| GITHUB_SHA: ${{ github.sha }} | |
| PR_MERGED: ${{ github.event.pull_request.merged }} | |
| PR_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }} | |
| PR_BODY: ${{ github.event.pull_request.body }} | |
| run: | | |
| if [ "$EVENT_NAME" = "workflow_dispatch" ]; then | |
| echo "npm_tag=dev" >> $GITHUB_OUTPUT | |
| echo "should_publish=true" >> $GITHUB_OUTPUT | |
| echo "ref=${INPUT_COMMIT_SHA:-$GITHUB_SHA}" >> $GITHUB_OUTPUT | |
| elif [ "$PR_MERGED" = "true" ] && \ | |
| echo "$PR_LABELS" | grep -q '"release"' && \ | |
| echo "$PR_BODY" | grep -q "<!-- release_target:js-core -->"; then | |
| echo "npm_tag=latest" >> $GITHUB_OUTPUT | |
| echo "should_publish=true" >> $GITHUB_OUTPUT | |
| echo "ref=$GITHUB_SHA" >> $GITHUB_OUTPUT | |
| else | |
| echo "should_publish=false" >> $GITHUB_OUTPUT | |
| fi | |
| - uses: actions/checkout@v6 | |
| if: steps.config.outputs.should_publish == 'true' | |
| with: | |
| ref: ${{ steps.config.outputs.ref }} | |
| fetch-depth: 0 | |
| - name: Validate commit exists on main | |
| if: steps.config.outputs.should_publish == 'true' && github.event_name == 'workflow_dispatch' | |
| env: | |
| TARGET_REF: ${{ steps.config.outputs.ref }} | |
| run: | | |
| git fetch origin main | |
| if ! git merge-base --is-ancestor "$TARGET_REF" origin/main; then | |
| echo "::error::Commit $TARGET_REF is not on the main branch. Dev releases can only be published from merged code." | |
| exit 1 | |
| fi | |
| - name: Generate version | |
| if: steps.config.outputs.should_publish == 'true' | |
| id: version | |
| run: | | |
| # Get base version from package.json | |
| BASE_VERSION=$(node -p "require('./js/packages/core/package.json').version") | |
| SERVER_VERSION=$(node -p "require('./js/packages/server/package.json').version") | |
| if [ -z "$BASE_VERSION" ] || [ -z "$SERVER_VERSION" ]; then | |
| echo "Error: Failed to resolve core/server versions from package manifests" | |
| exit 1 | |
| fi | |
| if [ "${{ steps.config.outputs.npm_tag }}" = "dev" ]; then | |
| # Strip any existing pre-release suffix to get clean base | |
| BASE_VERSION=$(echo "$BASE_VERSION" | sed 's/-.*$//') | |
| # Get short SHA | |
| SHORT_SHA=$(git rev-parse --short HEAD) | |
| VERSION="${BASE_VERSION}-dev.${SHORT_SHA}" | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| echo "Dev version: $VERSION" | |
| else | |
| echo "version=$BASE_VERSION" >> $GITHUB_OUTPUT | |
| echo "Production version: $BASE_VERSION" | |
| fi | |
| echo "server_version=$SERVER_VERSION" >> $GITHUB_OUTPUT | |
| - name: Validate version against npm | |
| if: steps.config.outputs.should_publish == 'true' && steps.config.outputs.npm_tag == 'latest' | |
| run: | | |
| NEW_VERSION="${{ steps.version.outputs.version }}" | |
| # Check npm for latest version | |
| LATEST_RELEASE=$(npm view @worldcoin/idkit-core version 2>/dev/null || echo "0.0.0") | |
| echo "Latest release on npm: $LATEST_RELEASE" | |
| echo "New version: $NEW_VERSION" | |
| # Ensure the new version is greater than the latest published version | |
| if [ "$LATEST_RELEASE" != "0.0.0" ]; then | |
| if ! { [ "$(printf '%s\n' "$LATEST_RELEASE" "$NEW_VERSION" | sort -V | tail -n1)" = "$NEW_VERSION" ] && \ | |
| [ "$NEW_VERSION" != "$LATEST_RELEASE" ]; }; then | |
| echo "Error: New version ($NEW_VERSION) is not greater than latest release ($LATEST_RELEASE)" | |
| exit 1 | |
| fi | |
| fi | |
| echo "Version check passed: $NEW_VERSION > $LATEST_RELEASE" | |
| - name: Validate server dependency exists on npm (production only) | |
| if: steps.config.outputs.should_publish == 'true' && steps.config.outputs.npm_tag == 'latest' | |
| env: | |
| SERVER_VERSION: ${{ steps.version.outputs.server_version }} | |
| run: | | |
| if ! npm view "@worldcoin/idkit-server@$SERVER_VERSION" version >/dev/null 2>&1; then | |
| echo "Error: Required dependency @worldcoin/idkit-server@$SERVER_VERSION is not published on npm" | |
| exit 1 | |
| fi | |
| echo "Server dependency check passed: @worldcoin/idkit-server@$SERVER_VERSION" | |
| publish: | |
| needs: prepare | |
| if: needs.prepare.outputs.should_publish == 'true' | |
| # Use github hosted runners for OIDC/Provenance support | |
| runs-on: ubuntu-latest | |
| environment: production | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ needs.prepare.outputs.ref }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "24" | |
| registry-url: "https://registry.npmjs.org" | |
| - name: Install pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 9 | |
| - name: Update npm for OIDC trusted publishing | |
| run: | | |
| # npm trusted publishing requires npm >= 11.5.1 | |
| echo "Current npm version: $(npm --version)" | |
| npm install -g npm@latest | |
| NPM_VER=$(npm --version) | |
| echo "Updated npm version: $NPM_VER" | |
| REQUIRED="11.5.1" | |
| if [ "$(printf '%s\n' "$REQUIRED" "$NPM_VER" | sort -V | head -n1)" != "$REQUIRED" ]; then | |
| echo "::error::npm >= $REQUIRED is required for OIDC trusted publishing, got $NPM_VER" | |
| exit 1 | |
| fi | |
| - name: Read rust-toolchain | |
| id: rust-version | |
| run: echo "toolchain=$(yq '.toolchain.channel' rust-toolchain.toml)" >> $GITHUB_OUTPUT | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: ${{ steps.rust-version.outputs.toolchain }} | |
| - name: Install wasm-pack | |
| run: cargo install wasm-pack --locked | |
| - name: Set package version | |
| working-directory: js/packages/core | |
| env: | |
| PKG_VERSION: ${{ needs.prepare.outputs.version }} | |
| run: | | |
| npm version "$PKG_VERSION" --no-git-tag-version --allow-same-version | |
| echo "Package version set to: $PKG_VERSION" | |
| - name: Install dependencies | |
| working-directory: js | |
| run: pnpm install | |
| - name: Build packages | |
| working-directory: js | |
| run: pnpm -r build | |
| - name: Rewrite server dependency to published version | |
| working-directory: js/packages/core | |
| env: | |
| SERVER_VERSION: ${{ needs.prepare.outputs.server_version }} | |
| run: | | |
| node -e " | |
| const fs = require('fs'); | |
| const pkgPath = 'package.json'; | |
| const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8')); | |
| pkg.dependencies = pkg.dependencies || {}; | |
| pkg.dependencies['@worldcoin/idkit-server'] = process.env.SERVER_VERSION; | |
| fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n'); | |
| " | |
| echo "Updated @worldcoin/idkit-server dependency to ${SERVER_VERSION}" | |
| - name: Verify packaged manifest does not contain workspace protocol | |
| working-directory: js/packages/core | |
| env: | |
| SERVER_VERSION: ${{ needs.prepare.outputs.server_version }} | |
| NPM_TAG: ${{ needs.prepare.outputs.npm_tag }} | |
| run: | | |
| PACK_OUTPUT=$(npm pack --pack-destination /tmp --json) | |
| TARBALL=$(echo "$PACK_OUTPUT" | jq -r '.[0].filename') | |
| PACKAGE_JSON=$(tar -xOf "/tmp/$TARBALL" package/package.json) | |
| if echo "$PACKAGE_JSON" | jq -e '.dependencies["@worldcoin/idkit-server"] == "workspace:*"' >/dev/null; then | |
| echo "Error: packaged dependency still uses workspace:*" | |
| exit 1 | |
| fi | |
| if ! echo "$PACKAGE_JSON" | jq -e --arg server "$SERVER_VERSION" '.dependencies["@worldcoin/idkit-server"] == $server' >/dev/null; then | |
| echo "Error: packaged dependency does not match expected server version $SERVER_VERSION" | |
| exit 1 | |
| fi | |
| if [ "$NPM_TAG" = "latest" ]; then | |
| TMP_DIR=$(mktemp -d) | |
| cd "$TMP_DIR" | |
| npm init -y >/dev/null 2>&1 | |
| npm install "/tmp/$TARBALL" --ignore-scripts --no-audit --no-fund | |
| echo "Tarball install check passed for production release" | |
| fi | |
| - name: Publish @worldcoin/idkit-core | |
| working-directory: js/packages/core | |
| env: | |
| PKG_VERSION: ${{ needs.prepare.outputs.version }} | |
| NPM_TAG: ${{ needs.prepare.outputs.npm_tag }} | |
| run: | | |
| echo "Publishing @worldcoin/idkit-core@$PKG_VERSION with tag '$NPM_TAG'" | |
| npm publish --access public --provenance --tag "$NPM_TAG" |