Skip to content

(chore): change browser example to query from the CDN drop in by default #262

(chore): change browser example to query from the CDN drop in by default

(chore): change browser example to query from the CDN drop in by default #262

Workflow file for this run

name: Publish JS Release
on:
workflow_dispatch:
inputs:
commit_sha:
description: "Commit SHA to publish as dev release (leave empty for HEAD)"
required: false
type: string
pull_request:
types: [closed]
branches:
- main
permissions:
contents: read
id-token: write
jobs:
prepare:
# Dev releases (workflow_dispatch) are only allowed from main
if: >-
github.event_name == 'pull_request' ||
(github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')
runs-on:
group: arc-public-large-amd64-runner
outputs:
version: ${{ steps.version.outputs.version }}
server_version: ${{ steps.version.outputs.server_version }}
npm_tag: ${{ steps.config.outputs.npm_tag }}
ref: ${{ steps.config.outputs.ref }}
should_publish: ${{ steps.config.outputs.should_publish }}
steps:
- name: Determine release type
id: config
# Use env vars to avoid script injection via github context interpolation
env:
EVENT_NAME: ${{ github.event_name }}
INPUT_COMMIT_SHA: ${{ inputs.commit_sha }}
GITHUB_SHA: ${{ github.sha }}
PR_MERGED: ${{ github.event.pull_request.merged }}
PR_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
PR_BODY: ${{ github.event.pull_request.body }}
run: |
if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
echo "npm_tag=dev" >> $GITHUB_OUTPUT
echo "should_publish=true" >> $GITHUB_OUTPUT
echo "ref=${INPUT_COMMIT_SHA:-$GITHUB_SHA}" >> $GITHUB_OUTPUT
elif [ "$PR_MERGED" = "true" ] && \
echo "$PR_LABELS" | grep -q '"release"' && \
echo "$PR_BODY" | grep -q "<!-- release_target:js-core -->"; then
echo "npm_tag=latest" >> $GITHUB_OUTPUT
echo "should_publish=true" >> $GITHUB_OUTPUT
echo "ref=$GITHUB_SHA" >> $GITHUB_OUTPUT
else
echo "should_publish=false" >> $GITHUB_OUTPUT
fi
- uses: actions/checkout@v6
if: steps.config.outputs.should_publish == 'true'
with:
ref: ${{ steps.config.outputs.ref }}
fetch-depth: 0
- name: Validate commit exists on main
if: steps.config.outputs.should_publish == 'true' && github.event_name == 'workflow_dispatch'
env:
TARGET_REF: ${{ steps.config.outputs.ref }}
run: |
git fetch origin main
if ! git merge-base --is-ancestor "$TARGET_REF" origin/main; then
echo "::error::Commit $TARGET_REF is not on the main branch. Dev releases can only be published from merged code."
exit 1
fi
- name: Generate version
if: steps.config.outputs.should_publish == 'true'
id: version
run: |
# Get base version from package.json
BASE_VERSION=$(node -p "require('./js/packages/core/package.json').version")
SERVER_VERSION=$(node -p "require('./js/packages/server/package.json').version")
if [ -z "$BASE_VERSION" ] || [ -z "$SERVER_VERSION" ]; then
echo "Error: Failed to resolve core/server versions from package manifests"
exit 1
fi
if [ "${{ steps.config.outputs.npm_tag }}" = "dev" ]; then
# Strip any existing pre-release suffix to get clean base
BASE_VERSION=$(echo "$BASE_VERSION" | sed 's/-.*$//')
# Get short SHA
SHORT_SHA=$(git rev-parse --short HEAD)
VERSION="${BASE_VERSION}-dev.${SHORT_SHA}"
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "Dev version: $VERSION"
else
echo "version=$BASE_VERSION" >> $GITHUB_OUTPUT
echo "Production version: $BASE_VERSION"
fi
echo "server_version=$SERVER_VERSION" >> $GITHUB_OUTPUT
- name: Validate version against npm
if: steps.config.outputs.should_publish == 'true' && steps.config.outputs.npm_tag == 'latest'
run: |
NEW_VERSION="${{ steps.version.outputs.version }}"
# Check npm for latest version
LATEST_RELEASE=$(npm view @worldcoin/idkit-core version 2>/dev/null || echo "0.0.0")
echo "Latest release on npm: $LATEST_RELEASE"
echo "New version: $NEW_VERSION"
# Ensure the new version is greater than the latest published version
if [ "$LATEST_RELEASE" != "0.0.0" ]; then
if ! { [ "$(printf '%s\n' "$LATEST_RELEASE" "$NEW_VERSION" | sort -V | tail -n1)" = "$NEW_VERSION" ] && \
[ "$NEW_VERSION" != "$LATEST_RELEASE" ]; }; then
echo "Error: New version ($NEW_VERSION) is not greater than latest release ($LATEST_RELEASE)"
exit 1
fi
fi
echo "Version check passed: $NEW_VERSION > $LATEST_RELEASE"
- name: Validate server dependency exists on npm (production only)
if: steps.config.outputs.should_publish == 'true' && steps.config.outputs.npm_tag == 'latest'
env:
SERVER_VERSION: ${{ steps.version.outputs.server_version }}
run: |
if ! npm view "@worldcoin/idkit-server@$SERVER_VERSION" version >/dev/null 2>&1; then
echo "Error: Required dependency @worldcoin/idkit-server@$SERVER_VERSION is not published on npm"
exit 1
fi
echo "Server dependency check passed: @worldcoin/idkit-server@$SERVER_VERSION"
publish:
needs: prepare
if: needs.prepare.outputs.should_publish == 'true'
# Use github hosted runners for OIDC/Provenance support
runs-on: ubuntu-latest
environment: production
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v6
with:
ref: ${{ needs.prepare.outputs.ref }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "24"
registry-url: "https://registry.npmjs.org"
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 9
- name: Update npm for OIDC trusted publishing
run: |
# npm trusted publishing requires npm >= 11.5.1
echo "Current npm version: $(npm --version)"
npm install -g npm@latest
NPM_VER=$(npm --version)
echo "Updated npm version: $NPM_VER"
REQUIRED="11.5.1"
if [ "$(printf '%s\n' "$REQUIRED" "$NPM_VER" | sort -V | head -n1)" != "$REQUIRED" ]; then
echo "::error::npm >= $REQUIRED is required for OIDC trusted publishing, got $NPM_VER"
exit 1
fi
- name: Read rust-toolchain
id: rust-version
run: echo "toolchain=$(yq '.toolchain.channel' rust-toolchain.toml)" >> $GITHUB_OUTPUT
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ steps.rust-version.outputs.toolchain }}
- name: Install wasm-pack
run: cargo install wasm-pack --locked
- name: Set package version
working-directory: js/packages/core
env:
PKG_VERSION: ${{ needs.prepare.outputs.version }}
run: |
npm version "$PKG_VERSION" --no-git-tag-version --allow-same-version
echo "Package version set to: $PKG_VERSION"
- name: Install dependencies
working-directory: js
run: pnpm install
- name: Build packages
working-directory: js
run: pnpm -r build
- name: Rewrite server dependency to published version
working-directory: js/packages/core
env:
SERVER_VERSION: ${{ needs.prepare.outputs.server_version }}
run: |
node -e "
const fs = require('fs');
const pkgPath = 'package.json';
const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
pkg.dependencies = pkg.dependencies || {};
pkg.dependencies['@worldcoin/idkit-server'] = process.env.SERVER_VERSION;
fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
"
echo "Updated @worldcoin/idkit-server dependency to ${SERVER_VERSION}"
- name: Verify packaged manifest does not contain workspace protocol
working-directory: js/packages/core
env:
SERVER_VERSION: ${{ needs.prepare.outputs.server_version }}
NPM_TAG: ${{ needs.prepare.outputs.npm_tag }}
run: |
PACK_OUTPUT=$(npm pack --pack-destination /tmp --json)
TARBALL=$(echo "$PACK_OUTPUT" | jq -r '.[0].filename')
PACKAGE_JSON=$(tar -xOf "/tmp/$TARBALL" package/package.json)
if echo "$PACKAGE_JSON" | jq -e '.dependencies["@worldcoin/idkit-server"] == "workspace:*"' >/dev/null; then
echo "Error: packaged dependency still uses workspace:*"
exit 1
fi
if ! echo "$PACKAGE_JSON" | jq -e --arg server "$SERVER_VERSION" '.dependencies["@worldcoin/idkit-server"] == $server' >/dev/null; then
echo "Error: packaged dependency does not match expected server version $SERVER_VERSION"
exit 1
fi
if [ "$NPM_TAG" = "latest" ]; then
TMP_DIR=$(mktemp -d)
cd "$TMP_DIR"
npm init -y >/dev/null 2>&1
npm install "/tmp/$TARBALL" --ignore-scripts --no-audit --no-fund
echo "Tarball install check passed for production release"
fi
- name: Publish @worldcoin/idkit-core
working-directory: js/packages/core
env:
PKG_VERSION: ${{ needs.prepare.outputs.version }}
NPM_TAG: ${{ needs.prepare.outputs.npm_tag }}
run: |
echo "Publishing @worldcoin/idkit-core@$PKG_VERSION with tag '$NPM_TAG'"
npm publish --access public --provenance --tag "$NPM_TAG"