feat(ci): Add Release Pipeline (NPM) #13
| github-app-token: | ||
| description: "GitHub App token for private git deps" | ||
| required: false | ||
| default: "" |
You should not need this if all outputs are public.
| BULLET_APP_TOKEN: ${{ inputs.github-app-token }} | ||
| run: | | ||
| git config --global --add url."https://x-access-token:${BULLET_APP_TOKEN}@github.com/".insteadOf "ssh://git@github.com/" | ||
| git config --global --add url."https://x-access-token:${BULLET_APP_TOKEN}@github.com/".insteadOf "git@github.com:" | ||
| git config --global --add url."https://x-access-token:${BULLET_APP_TOKEN}@github.com/".insteadOf "https://github.com/" | ||
|
|
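Review bot: these three `insteadOf` rules rewrite every `github.com` URL, not only the private dependencies, into the credentialed `https://x-access-token:${BULLET_APP_TOKEN}@github.com/` form, and because they are written with `--global` the token sits in the runner's `~/.gitconfig` in clear text for every later step of the job. With the input left at its `""` default the rewritten URLs carry an empty credential on all fetches. If the step survives, gate it on `if: inputs.github-app-token != ''` and prefer a per-command `git -c url.<rewritten>.insteadOf=<original>` over a global config change.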
Which dependencies are needing these?
None, good point, this was copied from the old js sdk
0xtristan left a comment:
Would address Bernhard and bugbot feedback
| @@ -2,6 +2,12 @@ | |||
| members = ["rust", "wasm"] | |||
| resolver = "2" | |||
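Review bot: bumping `resolver = "2"` to `"3"` here raises the minimum Cargo to 1.84, since resolver 3 is only understood from that release on; add a `rust-version` under the workspace package metadata so an older toolchain fails with a clear unsupported-version message instead of an unknown-resolver error, and keep the CI toolchain pin in step with it.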
We can upgrade this to 3 now with latest rust versions (we just moved to rust 1.94)
3 issues found across 8 files
<file name="justfile">
<violation number="1" location="justfile:197">
P1: The `&&` chain suppresses `set -e` error handling. If `cd wasm` or `npm version` fails, the script silently continues instead of aborting—risking a publish with a mismatched version. Use separate statements or a subshell to ensure failures are caught:
```bash
(cd wasm && npm version "$V" --no-git-tag-version --allow-same-version)
```
</violation>
</file>
<file name=".github/workflows/npm-publish.yml">
<violation number="1" location=".github/workflows/npm-publish.yml:75">
P1: OIDC trusted publishing will fail with `actions/setup-node@v4`. When `registry-url` is set, v4 exports a placeholder `NODE_AUTH_TOKEN` (`XXXXX-XXXXX-XXXXX-XXXXX`) that takes precedence over OIDC token negotiation, causing `npm publish` to fail with a 404. This was fixed in `actions/setup-node@v6` (see [setup-node#1477](https://github.com/actions/setup-node/pull/1477)). Either upgrade to `actions/setup-node@v6` in the composite action, or set `NODE_AUTH_TOKEN: ""` in the environment of this publish step as a workaround.</violation>
<violation number="2" location=".github/workflows/npm-publish.yml:81">
P1: `Cargo.lock` is tracked but not included in `git add`. After `cargo set-version --workspace --bump` updates all crate versions, the lock file will be modified but left uncommitted, causing version mismatch between `Cargo.toml` files and `Cargo.lock` on the release branch.</violation>
</file>
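The `set -e` behaviour behind the justfile violation above, shown as an added example rather than code from the PR or its justfile. It runs both forms of the bump line under `sh -e` in a constructed empty directory (so `cd wasm` fails) with `echo` standing in for `npm version` and the publish step, and reports whether execution reached "publish".

```shell
#!/bin/sh
# Added example (not the PR's justfile): why `cd wasm && npm version ...` on one
# line does not abort a `set -e` script when `cd` fails, and why the subshell
# form does. Constructed scenario: an empty temp directory (so `cd wasm` fails)
# and `echo` standing in for the `npm version` and `npm publish` steps.

# Run a script body under `set -e` in a fresh empty directory and report,
# via exit status 0, whether control reached the "publish" step.
reached_publish() {
    dir=$(mktemp -d)
    out=$(cd "$dir" && sh -e -c "$1" 2>/dev/null) || true
    rm -rf "$dir"
    case "$out" in
        *published*) return 0 ;;
        *)           return 1 ;;
    esac
}

# As written in the recipe: `cd wasm` fails and the AND-list short-circuits,
# but `set -e` ignores a failure in any member of an AND/OR list except the
# last one, so the script carries on and "publishes".
chain_script='
cd wasm && echo "version bumped"
echo "published"
'

# As the review suggests: the subshell is a single command whose non-zero
# status is seen by `set -e`, so the script stops before the publish step.
subshell_script='
(cd wasm && echo "version bumped")
echo "published"
'

chain_reaches_publish()    { reached_publish "$chain_script"; }
subshell_reaches_publish() { reached_publish "$subshell_script"; }

if chain_reaches_publish; then
    echo "&& chain: continued to publish after a failed cd"
fi
if ! subshell_reaches_publish; then
    echo "subshell: aborted before publish"
fi
```

The same distinction applies to any line of a recipe that chains a precondition to a side-effecting command: wrap the chain in a subshell, or split it into separate statements, so the precondition's failure is one the shell actually acts on.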
| - name: Install cargo-edit | ||
| run: cargo binstall cargo-edit -y | ||
|
|
||
| - name: Bump + publish to npm |
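Review bot: `cargo binstall cargo-edit -y` resolves to whichever cargo-edit release is current when the publish job runs, so the tool that rewrites every crate version is not reproducible between runs; pin it as `cargo binstall cargo-edit@<version> -y` so the `just publish-wasm` step that follows runs `cargo set-version` with a known binary.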
P1: OIDC trusted publishing will fail with actions/setup-node@v4. When registry-url is set, v4 exports a placeholder NODE_AUTH_TOKEN (XXXXX-XXXXX-XXXXX-XXXXX) that takes precedence over OIDC token negotiation, causing npm publish to fail with a 404. This was fixed in actions/setup-node@v6 (see setup-node#1477). Either upgrade to actions/setup-node@v6 in the composite action, or set NODE_AUTH_TOKEN: "" in the environment of this publish step as a workaround.
<file context>
@@ -0,0 +1,84 @@
+ - name: Install cargo-edit
+ run: cargo binstall cargo-edit -y
+
+ - name: Bump + publish to npm
+ run: just publish-wasm ${{ inputs.level }}
+
</file context>
1 issue found across 4 files (changes from recent commits).
<file name="wasm/package.json">
<violation number="1" location="wasm/package.json:24">
P2: The test script drops `--experimental-vm-modules`, but this package is configured to run Jest in ESM mode (`type: module` + `ts-jest` `useESM: true`). Re-add the flag so Jest can execute ESM tests reliably.</violation>
</file>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 059ac8f.
| uses: Swatinem/rust-cache@v2 | ||
|
|
||
| - name: Install cargo-binstall | ||
| uses: cargo-bins/cargo-binstall@main |
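Review bot: `Swatinem/rust-cache@v2` is also a mutable tag, so pinning only `cargo-bins/cargo-binstall@main` would leave one floating reference in a job that holds `id-token: write` and publishes with provenance; pin both `uses:` lines to a full commit SHA with the version in a trailing comment, as the `actions/checkout` and `actions/setup-node` references already are, and set this action's `version` input so the cargo-binstall binary it downloads is fixed as well.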
Unpinned third-party action in release publish pipeline
Medium Severity
cargo-bins/cargo-binstall@main references a mutable branch rather than a commit SHA, unlike the other actions in this pipeline (e.g., actions/checkout and actions/setup-node are SHA-pinned). Since this composite action is used in the npm-publish.yml workflow that has id-token: write permission and publishes to npm with provenance, a compromised main branch in the cargo-binstall repo could inject malicious code into the published package. At minimum, the version input available on this action could be set to pin the installed binary version.
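A check for the unpinned-action finding above, added here as an example and not part of the PR: a small shell audit that lists every `uses:` reference in a workflow or composite action that is not pinned to a 40-hex commit SHA. The YAML it scans is constructed for the demo (the two references from the PR's Build action plus a pinned checkout and a local action); every SHA in it is a placeholder, not a real commit, and the `version` value in the hardened form is a placeholder too.

```shell
#!/bin/sh
# Added example, not the PR's workflow: a pre-merge audit that lists every
# `uses:` reference in a workflow or composite action that is not pinned to a
# 40-hex commit SHA. The YAML below is constructed for the demo; the SHAs in it
# are placeholders, not real commits.

# Constructed: the two references from the PR's Build action plus a SHA-pinned
# checkout and a local action.
sample_action='
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
  - uses: Swatinem/rust-cache@v2
  - name: Install cargo-binstall
    uses: cargo-bins/cargo-binstall@main
  - uses: ./.github/actions/build
'

# Constructed hardened form: both third-party actions SHA-pinned (placeholder
# SHAs, version kept in the trailing comment) and the binstall binary version
# fixed through the action `version` input (placeholder value).
hardened_action='
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
  - uses: Swatinem/rust-cache@89abcdef0123456789abcdef0123456789abcdef # v2 (placeholder SHA)
  - name: Install cargo-binstall
    uses: cargo-bins/cargo-binstall@456789abcdef0123456789abcdef0123456789ab # v1 (placeholder SHA)
    with:
      version: "<pinned-binstall-version>"
  - uses: ./.github/actions/build
'

# Print one line per `uses:` reference whose ref is not a full commit SHA.
# Local actions (./path) are skipped and a trailing "# vN" comment is dropped
# before the ref is inspected.
find_unpinned_uses() {
    printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*(- )?uses:' \
    | sed -E 's/^[[:space:]]*(- )?uses:[[:space:]]*([^[:space:]#]*).*/\2/' \
    | grep -v '^\./' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Number of unpinned references, printed as a plain integer.
count_unpinned_uses() {
    find_unpinned_uses "$1" | awk 'END { print NR }'
}

printf 'unpinned in sample:   %s\n' "$(count_unpinned_uses "$sample_action")"
printf 'unpinned in hardened: %s\n' "$(count_unpinned_uses "$hardened_action")"
find_unpinned_uses "$sample_action"
```

Run as a CI step, a non-zero count from `count_unpinned_uses` over the repository's `.github` tree is the signal to block the merge; the SHA regex deliberately rejects tags and branches alike, since both can be moved after review.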


Note
Medium Risk
Changes release automation and tagging/publishing behavior (GitHub Actions + release-plz), which can break release/versioning if misconfigured. No production runtime code paths are modified, but CI credentials/OIDC and version checks must be correct.
Overview
Adds an automated npm release pipeline for `@bulletxyz/sdk-wasm`: a new `NPM Publish` workflow builds on `v*` tags (or manual dispatch), verifies the tag semver matches `wasm/Cargo.toml` + `wasm/package.json`, then publishes with OIDC provenance and `latest`/`rc` tagging.

Updates `release-plz` to use a single workspace-wide `v<version>` tag, disables tag/release creation for the wasm crate, and adds a post-step that syncs the bumped Rust version into `wasm/package.json` on the release PR to keep npm and Cargo versions in lockstep.

Introduces a reusable composite `Build` action for WASM builds, centralizes workspace package metadata in the root `Cargo.toml` (and bumps resolver to `3`), adds `cargo-edit` to the Nix dev shell, and extends `wasm/package.json` with `build`/`prepublishOnly` scripts to ensure local publishes build unless running in CI.
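The "tag semver matches `wasm/Cargo.toml` and `wasm/package.json`" gate from the summary, implemented as an added shell example that is not the PR's own workflow code. It builds a constructed `wasm/` directory in a temp location with literal `version` fields (the real crate may inherit its version from the workspace root instead, which this simple extractor does not follow), refuses a tag that is not `v<major>.<minor>.<patch>` or that disagrees with either file, and derives the npm dist-tag under the assumption that a pre-release suffix means `rc` and anything else means `latest`.

```shell
#!/bin/sh
# Added example, not the PR's workflow: the release gate that a `v<semver>` tag
# must equal the version in both wasm/Cargo.toml and wasm/package.json.
# Sample files are constructed in a temp directory with literal version fields.

# Create a constructed wasm/ directory with the given Cargo and npm versions
# and print its path.
make_sample_wasm_dir() {
    dir=$(mktemp -d)
    printf '[package]\nname = "sdk-wasm"\nversion = "%s"\nedition = "2021"\n' "$1" > "$dir/Cargo.toml"
    printf '{\n  "name": "@bulletxyz/sdk-wasm",\n  "version": "%s"\n}\n' "$2" > "$dir/package.json"
    echo "$dir"
}

# check_release_tag TAG DIR: succeed only when TAG is v<major>.<minor>.<patch>
# (optionally with a pre-release suffix) and that version equals the `version`
# field of both DIR/Cargo.toml and DIR/package.json.
check_release_tag() {
    tag=$1; dir=$2
    case "$tag" in
        v[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "refusing tag '$tag': not of the form v<semver>" >&2; return 1 ;;
    esac
    want=${tag#v}
    cargo_ver=$(sed -nE 's/^version[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/p' "$dir/Cargo.toml" | head -n 1)
    npm_ver=$(sed -nE 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/p' "$dir/package.json" | head -n 1)
    if [ "$cargo_ver" != "$want" ]; then
        echo "refusing tag '$tag': Cargo.toml has version '$cargo_ver'" >&2
        return 1
    fi
    if [ "$npm_ver" != "$want" ]; then
        echo "refusing tag '$tag': package.json has version '$npm_ver'" >&2
        return 1
    fi
    echo "ok: $tag matches Cargo.toml and package.json"
}

# Assumed dist-tag rule (the PR summary only names `latest`/`rc`): a tag with a
# pre-release suffix such as v1.2.3-rc.1 publishes under `rc`, anything else
# under `latest`.
npm_dist_tag_for() {
    case "${1#v}" in
        *-*) echo rc ;;
        *)   echo latest ;;
    esac
}

# Demo run over constructed inputs: one matching pair, one drifted pair.
good=$(make_sample_wasm_dir 1.2.3 1.2.3)
drift=$(make_sample_wasm_dir 1.2.3 1.2.4)
check_release_tag v1.2.3 "$good"
check_release_tag v1.2.3 "$drift" || echo "drift detected, publish blocked"
echo "dist-tag for v1.2.3-rc.1: $(npm_dist_tag_for v1.2.3-rc.1)"
rm -rf "$good" "$drift"
```

Placed before `npm publish`, this check is what turns the "keep npm and Cargo versions in lockstep" intent into a hard failure rather than a silently mismatched package on the registry.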