ci: Add npm publish step to gnd binary build workflow #6460
Open
Publish @graphprotocol/gnd-* platform packages to npm automatically after uploading release assets. Adds a dry_run input for testing.
macos-13 runners are no longer available. Use macos-14 (ARM) and cross-compile for x86_64 since the target is already explicit.
Fix Windows build failure caused by anstream 0.6.14 conflicting with anstyle-wincon 3.0.11. The clap update pulls anstream 1.0.0 which is compatible.
- actions/checkout v4 -> v6
- actions/upload-artifact v4 -> v7
- actions/download-artifact v4 -> v8
- actions/setup-node v4 -> v6
- node-version 20 -> 22
Add a wrapper package that installs the correct platform-specific gnd binary via optionalDependencies. This enables `npm install -g @graphprotocol/gnd` and `npx @graphprotocol/gnd`. The workflow now has a publish-npm-wrapper job that runs after the platform packages are published.
Remove NODE_AUTH_TOKEN; OIDC identity from id-token: write is sufficient with trusted publishing configured on npmjs.
Cache the final compressed artifacts keyed on a hash of Cargo.lock, all Cargo.toml files, and all .rs files. On cache hit, the entire build pipeline (toolchain, dependencies, compilation, signing, notarization, packaging) is skipped.
The setup-node action with registry-url creates an .npmrc that sets NODE_AUTH_TOKEN to the GitHub token, which overrides npm's OIDC trusted publishing flow. Removing registry-url lets npm handle authentication via OIDC directly.
Allows workflow re-runs to replace existing assets instead of failing when an asset with the same name already exists.
setup-node's registry-url option writes an _authToken=${NODE_AUTH_TOKEN}
line into .npmrc. Without NODE_AUTH_TOKEN set, this resolves to an empty
token that takes precedence over OIDC auth, causing a 404 on publish.
Use npm config set instead to configure the registry without injecting
the auth token line, allowing npm --provenance to use OIDC directly.
Node 22 ships npm v10 whose OIDC handshake protocol is not accepted by the npm registry for trusted publishing, causing misleading 404 errors. Node 24 ships npm >= 11.5.1 which has the working OIDC trusted publishing support. Also remove the unnecessary manual registry configuration step.
npm 11+ requires an explicit --tag when publishing prerelease versions. Extract the prerelease identifier from the version (e.g. "dev" from "0.42.2-dev.1") and pass it as the npm dist-tag. Stable versions use "latest".
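The two publish failures described in the commit messages above (the `_authToken=${NODE_AUTH_TOKEN}` line in `.npmrc` and the missing `--tag` for prereleases) can both be checked before `npm publish` runs. The following is an added example, not code from this pull request; the function names `dist_tag` and `npmrc_shadows_oidc` are hypothetical and the sample versions are constructed.

```shell
#!/bin/sh
# Added example (not the PR's workflow code): pre-publish checks.

# dist_tag VERSION: print the npm dist-tag to publish VERSION under.
dist_tag() {
    v=${1%%+*}                      # drop build metadata; it may contain "-"
    case $v in
        *-*) pre=${v#*-}; pre=${pre%%.*} ;;   # "0.42.2-dev.1" -> "dev"
        *)   echo latest; return 0 ;;         # stable release
    esac
    # npm refuses tag names that parse as a semver range ("0", "v1"), so
    # accept only identifiers that start with a letter and are not v<digit>.
    case $pre in
        ''|[!A-Za-z]*|v[0-9]*|*[!A-Za-z0-9-]*)
            echo "cannot use '$pre' as a dist-tag" >&2; return 1 ;;
    esac
    echo "$pre"
}

# npmrc_shadows_oidc FILE: succeed (exit 0) when FILE carries the
# _authToken=${NODE_AUTH_TOKEN} line while NODE_AUTH_TOKEN is unset or empty,
# i.e. an empty token would be sent instead of the OIDC credential.
npmrc_shadows_oidc() {
    [ -z "${NODE_AUTH_TOKEN:-}" ] || return 1
    grep -Eq '^[^#;]*_authToken=\$\{NODE_AUTH_TOKEN\}' "$1"
}

# Constructed sample versions.
for v in 0.42.2 0.42.2-dev.1 1.0.0-rc.1+build-5; do
    printf '%s -> %s\n' "$v" "$(dist_tag "$v")"
done
```

A publish step could fail fast when `npmrc_shadows_oidc "$HOME/.npmrc"` succeeds, and pass `--tag "$(dist_tag "$VERSION")"` otherwise.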
Publish @graphprotocol/gnd-* platform packages to npm automatically after uploading release assets. Adds a dry_run input for testing.
This is needed so that `graph-cli` can use standard `package.json` mechanisms to download `gnd` (using optional dependencies gated on the platform)

This also addresses a few other issues that made the `gnd-binary-build` action fail