fix: use temporary path per workflow run #4032
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: EDR NPM release | |
| env: | |
| DEBUG: napi:* | |
| APP_NAME: edr | |
| NUMBER_OF_TARGETS: 7 | |
| permissions: {} | |
| on: | |
| push: | |
| # pre-releases will be triggered in any of these branches | |
| # production releases will only be triggered for `main` | |
| branches: | |
| - main | |
| - prerelease | |
| - hh2 | |
| - feat/solidity-tests | |
| tags-ignore: | |
| - "**" | |
| paths-ignore: | |
| - "**/*.md" | |
| - LICENSE | |
| - "**/*.gitignore" | |
| - .editorconfig | |
| - docs/** | |
| pull_request: null | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| name: stable - ${{ matrix.settings.target }} - node@20 | |
| runs-on: ${{ matrix.settings.host }} | |
| needs: check_commit | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| settings: | |
| - host: macos-15-intel | |
| target: x86_64-apple-darwin | |
| build: pnpm run build --strip | |
| - host: macos-14 | |
| target: aarch64-apple-darwin | |
| build: pnpm run build --strip | |
| - host: windows-2025 | |
| target: x86_64-pc-windows-msvc | |
| build: pnpm run build --strip | |
| # NTFS small-file creates are ~5-10x slower than ext4/APFS, | |
| # so napi-rs's pre-cargo `cargo metadata` step burns ~50s | |
| # extracting ~500 .crate tarballs into registry/src/ on warm | |
| # runs without this. Other platforms re-extract fast enough | |
| # that caching it isn't worth the size hit. | |
| cache_extra_paths: ~/.cargo/registry/src/ | |
| - host: ubuntu-24.04 | |
| target: x86_64-unknown-linux-gnu | |
| docker: node:20-bullseye-slim | |
| flavor: gnu | |
| - host: ubuntu-24.04-arm | |
| target: aarch64-unknown-linux-gnu | |
| docker: node:20-bullseye-slim | |
| flavor: gnu | |
| - host: ubuntu-24.04 | |
| target: x86_64-unknown-linux-musl | |
| docker: node:20-alpine3.20 | |
| flavor: musl | |
| - host: ubuntu-24.04-arm | |
| target: aarch64-unknown-linux-musl | |
| docker: node:20-alpine3.20 | |
| flavor: musl | |
| outputs: | |
| commit_sha: ${{ steps.save-commit.outputs.commit_sha}} | |
| defaults: | |
| run: | |
| working-directory: ./crates/edr_napi | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall | |
| - name: Save HEAD commit sha | |
| id: save-commit | |
| shell: bash | |
| run: | | |
| COMMIT_SHA=$(git rev-parse HEAD) | |
| echo "Current HEAD: $COMMIT_SHA" | |
| echo "commit_sha=$COMMIT_SHA" >> $GITHUB_OUTPUT | |
| - name: Check number of targets | |
| shell: bash | |
| run: | | |
| echo "Number of build jobs: ${{ strategy.job-total }}" | |
| echo "Expected number of build jobs: $NUMBER_OF_TARGETS" | |
| test ${{ strategy.job-total }} -eq "$NUMBER_OF_TARGETS" | |
| - name: Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # latest main commit (2025-11-17) | |
| if: ${{ !matrix.settings.docker }} | |
| with: | |
| toolchain: stable | |
| targets: ${{ matrix.settings.target }} | |
| components: rust-src | |
| - name: Setup node and pnpm | |
| if: ${{ !matrix.settings.docker }} | |
| uses: ./.github/actions/setup-node | |
| with: | |
| node-version: 20 | |
| # Release commits build cold: napi codegen relies on proc-macro | |
| # expansion (napi-rs#1297), so warm-cache builds risk shipping | |
| # stale or empty index.js / index.d.ts. Don't enable for releases. | |
| - name: Cache cargo | |
| if: needs.check_commit.outputs.tag == '' | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: | | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| ${{ matrix.settings.cache_extra_paths }} | |
| key: ${{ matrix.settings.target }}-cargo-v5-${{ matrix.settings.host }}-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ matrix.settings.target }}-cargo-v5-${{ matrix.settings.host }}- | |
| - name: Install dependencies (non-Windows) | |
| if: ${{ !matrix.settings.docker && runner.os != 'Windows' }} | |
| run: sfw pnpm install --frozen-lockfile --prefer-offline | |
| # SFW doesn't install dependencies correctly on Windows | |
| # https://github.com/NomicFoundation/edr/issues/1199 | |
| - name: Install dependencies (Windows) | |
| if: ${{ !matrix.settings.docker && runner.os == 'Windows' }} | |
| run: pnpm install --frozen-lockfile --prefer-offline | |
| - name: Build (non-docker) | |
| if: ${{ !matrix.settings.docker }} | |
| run: ${{ matrix.settings.build }} | |
| shell: bash | |
| - name: Build in docker (gnu) | |
| uses: NomicFoundation/docker-run-action@63f044457cfb71a5c63fa589218c89a418565d9c # Fork of v3 with updated Docker (https://github.com/addnab/docker-run-action/issues/62) | |
| if: ${{ matrix.settings.docker && matrix.settings.flavor == 'gnu'}} | |
| with: | |
| image: ${{ matrix.settings.docker }} | |
| # /home/runner/.cargo matches where the host's `Cache cargo` step writes | |
| # (`~/.cargo` on GH-hosted Linux runners); docker -v doesn't expand `~` and | |
| # GHA has no `runner.home` context, so the path is hardcoded. | |
| options: "--user 0:0 -v /home/runner/.cargo/git:/usr/local/cargo/git -v /home/runner/.cargo/registry:/usr/local/cargo/registry -v ${{ github.workspace }}:/build -w /build/crates/edr_napi" | |
| run: | | |
| set -e | |
| # Install Rust toolchain | |
| apt-get update | |
| apt-get install -y curl ca-certificates build-essential pkg-config | |
| curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain stable | |
| export PATH="/root/.cargo/bin:$PATH" | |
| npm i -g pnpm@10.34.3 --ignore-scripts | |
| pnpm -v | |
| npm i -g sfw | |
| sfw pnpm install --frozen-lockfile --prefer-offline | |
| pnpm run build --strip | |
| # SFW is not provided on musl versions of Linux | |
| # https://github.com/NomicFoundation/edr/issues/1198 | |
| - name: Build in docker (musl) | |
| uses: NomicFoundation/docker-run-action@63f044457cfb71a5c63fa589218c89a418565d9c # Fork of v3 with updated Docker (https://github.com/addnab/docker-run-action/issues/62) | |
| if: ${{ matrix.settings.docker && matrix.settings.flavor == 'musl' }} | |
| with: | |
| image: ${{ matrix.settings.docker }} | |
| # See gnu step above for why /home/runner/.cargo is hardcoded. | |
| options: "--user 0:0 -v /home/runner/.cargo/git:/usr/local/cargo/git -v /home/runner/.cargo/registry:/usr/local/cargo/registry -v ${{ github.workspace }}:/build -w /build/crates/edr_napi" | |
| run: | | |
| set -e | |
| # Install Rust toolchain | |
| apk add --no-cache build-base python3 make git pkgconfig openssl openssl-dev ca-certificates curl bash perl cmake | |
| # Conditional symlink only for ARM builds | |
| if [ "${{ matrix.settings.target }}" = "aarch64-unknown-linux-musl" ]; then | |
| ln -sf /usr/bin/gcc /usr/bin/aarch64-linux-musl-gcc | |
| fi | |
| curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain stable | |
| export PATH="/root/.cargo/bin:$PATH" | |
| npm i -g pnpm@10.34.3 --ignore-scripts | |
| pnpm -v | |
| pnpm install --frozen-lockfile --prefer-offline | |
| pnpm run build --strip | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: bindings-${{ matrix.settings.target }} | |
| # The upload artifact action doesn't respect the working directory setting. Unclear if this is a bug or not | |
| # https://github.com/actions/upload-artifact/issues/294 | |
| path: ./crates/edr_napi/${{ env.APP_NAME }}.*.node | |
| if-no-files-found: error | |
| test-macOS-windows-binding: | |
| name: Test bindings on ${{ matrix.settings.target }} - node@${{ matrix.node }} | |
| needs: | |
| - build | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| settings: | |
| - host: macos-15-intel | |
| target: x86_64-apple-darwin | |
| - host: macos-14 | |
| target: aarch64-apple-darwin | |
| - host: windows-2022 | |
| target: x86_64-pc-windows-msvc | |
| node: | |
| - "20" | |
| - "22" | |
| runs-on: ${{ matrix.settings.host }} | |
| defaults: | |
| run: | |
| working-directory: ./crates/edr_napi | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup node and pnpm | |
| uses: ./.github/actions/setup-node | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile --prefer-offline | |
| - name: Download artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: bindings-${{ matrix.settings.target }} | |
| path: ./crates/edr_napi/ | |
| - name: List packages | |
| run: ls -R . | |
| shell: bash | |
| - name: Test bindings | |
| run: pnpm testNoBuild | |
| test-linux-x64-gnu-binding: | |
| name: Test bindings on Linux-x64-gnu - node@${{ matrix.node }} | |
| needs: | |
| - build | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: | |
| - "20" | |
| - "22" | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup node and pnpm | |
| uses: ./.github/actions/setup-node | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile --prefer-offline | |
| - name: Download artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: bindings-x86_64-unknown-linux-gnu | |
| path: ./crates/edr_napi/ | |
| - name: List packages | |
| run: ls -R . | |
| shell: bash | |
| - name: Test bindings | |
| # Setting CI=1 is important to make PNPM install non-interactive | |
| # https://github.com/pnpm/pnpm/issues/6615#issuecomment-1656945689 | |
| run: docker run --rm -e CI=1 -v $(pwd):/build -w /build/crates/edr_napi node:${{ matrix.node }} bash -c "npm install -g pnpm@10.34.3; pnpm testNoBuild" | |
| test-linux-x64-musl-binding: | |
| name: Test bindings on x86_64-unknown-linux-musl - node@${{ matrix.node }} | |
| needs: | |
| - build | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: | |
| - "20" | |
| - "22" | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup node and pnpm | |
| uses: ./.github/actions/setup-node | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile --prefer-offline --libc=musl | |
| - name: Download artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: bindings-x86_64-unknown-linux-musl | |
| path: ./crates/edr_napi/ | |
| - name: List packages | |
| run: ls -R . | |
| shell: bash | |
| - name: Test bindings | |
| run: docker run --rm -e CI=1 -v $(pwd):/build -w /build/crates/edr_napi node:${{ matrix.node }}-alpine sh -c "npm install -g pnpm@10.34.3; pnpm testNoBuild" | |
| test-linux-aarch64-gnu-binding: | |
| name: Test bindings on aarch64-unknown-linux-gnu - node@${{ matrix.node }} | |
| needs: | |
| - build | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: | |
| - "20" | |
| - "22" | |
| runs-on: ubuntu-24.04-arm | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup node and pnpm | |
| uses: ./.github/actions/setup-node | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - name: Download artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: bindings-aarch64-unknown-linux-gnu | |
| path: ./crates/edr_napi/ | |
| - name: List packages | |
| run: ls -R . | |
| shell: bash | |
| - name: Install dependencies | |
| run: | | |
| pnpm install --frozen-lockfile --prefer-offline --cpu=arm64 --libc=glibc | |
| - name: Setup and run tests | |
| uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 #v3 | |
| with: | |
| image: node:${{ matrix.node }} | |
| options: "--platform linux/arm64 -v ${{ github.workspace }}:/build -w /build/crates/edr_napi -e CI=1" | |
| run: | | |
| npm install -g pnpm@10.34.3 | |
| set -e | |
| pnpm testNoBuild | |
| ls -la | |
| test-linux-aarch64-musl-binding: | |
| name: Test bindings on aarch64-unknown-linux-musl - node@${{ matrix.node }} | |
| needs: | |
| - build | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: | |
| - "20" | |
| - "22" | |
| runs-on: ubuntu-24.04-arm | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup node and pnpm | |
| uses: ./.github/actions/setup-node | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - name: Download artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: bindings-aarch64-unknown-linux-musl | |
| path: ./crates/edr_napi/ | |
| - name: List packages | |
| run: ls -R . | |
| shell: bash | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile --prefer-offline --cpu=arm64 --libc=musl | |
| - name: Setup and run tests | |
| uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3 | |
| with: | |
| image: node:${{ matrix.node }}-alpine | |
| options: "--platform linux/arm64 -v ${{ github.workspace }}:/build -w /build/crates/edr_napi -e CI=1" | |
| run: | | |
| npm install -g pnpm@10.34.3 | |
| set -e | |
| pnpm testNoBuild | |
| check_commit: | |
| name: Check commit | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| - name: Check if commit message is a release commit | |
| id: check_commit | |
| run: | | |
| # matches with pre-release commits: edr release name but ends with - and some postfix like beta | |
| if git log -1 --pretty=%B | grep "^edr-[0-9]\+\.[0-9]\+\.[0-9]\+-"; | |
| then | |
| if [ "${{ github.event_name }}" = "push" ] | |
| then | |
| echo "pre-release commit: tag=next" | |
| echo "tag=next" >> "$GITHUB_OUTPUT" | |
| fi | |
| # matches with release commit | |
| elif git log -1 --pretty=%B | grep "^edr-[0-9]\+\.[0-9]\+\.[0-9]\+\s*"; | |
| then | |
| if [ "$GITHUB_REF" == "refs/heads/main" -o "$GITHUB_REF" == "refs/heads/hh2" ] | |
| then | |
| echo "release commit: tag=latest" | |
| echo "tag=latest" >> "$GITHUB_OUTPUT" | |
| fi | |
| fi | |
| outputs: | |
| tag: ${{ steps.check_commit.outputs.tag }} | |
| prepare: | |
| name: Prepare release bundle | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| needs: | |
| - build | |
| - test-macOS-windows-binding | |
| - test-linux-x64-gnu-binding | |
| - test-linux-x64-musl-binding | |
| - test-linux-aarch64-gnu-binding | |
| - test-linux-aarch64-musl-binding | |
| defaults: | |
| run: | |
| working-directory: ./crates/edr_napi | |
| outputs: | |
| filename: ${{ steps.pack.outputs.filename }} | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup node | |
| uses: ./.github/actions/setup-node | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile --prefer-offline | |
| - name: Install sponge # needed for prepublish script | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y moreutils | |
| - name: Download all artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| path: ./crates/edr_napi/artifacts | |
| - name: Run prepublish to update all `package.json` files | |
| # we NEED to to this before pnpm artifacts, if not prepublish will try to publish | |
| run: ../../scripts/prepublish.sh | |
| - name: Move artifacts | |
| run: pnpm artifacts | |
| - name: Copy coverage library into edr_napi crate | |
| run: cp ../../data/contracts/coverage.sol ./coverage.sol | |
| - name: Compile TypeScript helpers | |
| run: pnpm exec tsc | |
| - name: Create bundle with pnpm root & napi files | |
| # create custom tar.gz because pnpm pack only packs root package and we need the platform-specific ones as well | |
| id: pack | |
| run: | | |
| FILENAME="${{ env.APP_NAME }}_bundle.tar.gz" | |
| NAPI_EXTRA_FILES=("npm/" "LICENSE" "README.md" "package.json" "Cargo.toml" "coverage.sol") | |
| readarray -t FILES < <(cat package.json | jq -r .files[] ) | |
| ALL_FILES=("${FILES[@]}" "${NAPI_EXTRA_FILES[@]}") | |
| NAPI_FILES=() | |
| for file in "${ALL_FILES[@]}"; do | |
| NAPI_FILES+=("crates/edr_napi/${file}") | |
| done | |
| cd ../.. # cd to root dir | |
| echo "Creating bundle with necessary files for publishing" | |
| ROOT_FILES=("package.json" "Cargo.lock" "Cargo.toml" "pnpm-lock.yaml" "pnpm-workspace.yaml") | |
| ALL_FILES=("${ROOT_FILES[@]}" "${NAPI_FILES[@]}") | |
| echo "files to include in tar: ${ALL_FILES[@]}" | |
| # Using --dereference since LICENSE file are symlinks | |
| tar --dereference -czvf $FILENAME "${ALL_FILES[@]}" | |
| echo "FILENAME=$FILENAME" | |
| echo "filename=$FILENAME" >> $GITHUB_OUTPUT | |
| - name: Upload packed tarball | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: ${{ steps.pack.outputs.filename }} | |
| path: ./${{ steps.pack.outputs.filename }} | |
| retention-days: 2 | |
| overwrite: true | |
| if-no-files-found: error | |
| review: | |
| name: Review release | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| needs: | |
| - build | |
| - prepare | |
| steps: | |
| - name: Download packed tarball | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: ${{ needs.prepare.outputs.filename }} | |
| path: . | |
| - name: Decompress tarball | |
| run: tar -xvzf ${{ needs.prepare.outputs.filename }} | |
| - name: Inspect contents | |
| run: tree . | |
| - name: Check number of artifacts | |
| shell: bash | |
| run: | | |
| # get number of artifacts with unique names | |
| NUMBER_OF_ARTIFACTS=$(ls -1q crates/edr_napi/npm/*/*.node | xargs -n 1 basename | sort | uniq | wc -l) | |
| echo "Number of unique artifacts: $NUMBER_OF_ARTIFACTS" | |
| echo "Expected number of unique artifacts: $NUMBER_OF_TARGETS" | |
| test "$NUMBER_OF_ARTIFACTS" -eq "$NUMBER_OF_TARGETS" | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 | |
| - name: Setup node | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| id: setup-node | |
| with: | |
| node-version: 22 | |
| cache: pnpm | |
| - name: Validate that packages have everything for publishing | |
| run: | | |
| cd crates/edr_napi | |
| # Check in every cross-platform package | |
| for platform in ./npm/* ; do | |
| cd $platform | |
| pnpm publish --dry-run | |
| cd - | |
| done | |
| # And in root edr package | |
| pnpm publish --dry-run | |
| - name: Checkout repository for comparison | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| path: remote-repository | |
| persist-credentials: false | |
| ref: ${{ needs.build.outputs.commit_sha }} | |
| - name: Validate there were no modifications to `package.json` when building | |
| run: | | |
| git diff --color=always --exit-code --no-index remote-repository/package.json ./package.json | |
| - name: Validate there were no modifications to `Cargo.toml` when building | |
| run: | | |
| git diff --color=always --exit-code --no-index remote-repository/Cargo.toml ./Cargo.toml | |
| - name: Validate there were no modifications to `Cargo.lock` when building | |
| run: | | |
| git diff --color=always --exit-code --no-index remote-repository/Cargo.lock ./Cargo.lock | |
| # Extra-defensive cooldown check: `main` branch and PRs already require passing this in CI, | |
| # but we re-check here to guarantee we never release with too-fresh dependencies. | |
| cooldown-check: | |
| name: Cargo cooldown check | |
| runs-on: ubuntu-24.04 | |
| needs: check_commit | |
| if: ${{ needs.check_commit.outputs.tag != '' }} | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - uses: ./.github/actions/setup-rust | |
| - name: Cache cooldown data | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: | | |
| **/edr-cache/cargo-cooldown-check | |
| key: cooldown-check-v1-${{ hashFiles('**/Cargo.lock') }} | |
| - uses: NomicFoundation/cargo-cooldown-check@ac40e701f9f1155741a761ac9039987fb892af4b | |
| notify-deploy: | |
| name: Notify pre-deploy to Slack | |
| runs-on: ubuntu-24.04 | |
| needs: [check_commit, cooldown-check, prepare, review] | |
| if: ${{ needs.check_commit.outputs.tag != '' }} | |
| steps: | |
| - name: Notify pre-deploy | |
| uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3 | |
| with: | |
| webhook: ${{ secrets.PUBLISHING_NOTIFICATIONS_SLACK_WEBHOOK_URL }} | |
| webhook-type: incoming-webhook | |
| payload: | | |
| { | |
| "text": "Workflow: *${{ github.workflow }}*\n 📝 Deployment review requested for `edr-release`", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "Workflow: *${{ github.workflow }}*\n 📝 Deployment review requested for `edr-release`" | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*Commit:* <${{ github.event.head_commit.url || github.event.pull_request.html_url }}|View commit>\n*Run:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Open workflow run>" | |
| } | |
| } | |
| ] | |
| } | |
| publish: | |
| name: Publish | |
| environment: edr-release | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| id-token: write # Needed for npm Trusted Publishing (OIDC) | |
| needs: [check_commit, notify-deploy, prepare, review] | |
| # Only run workflow if there is a tag defined | |
| if: ${{ needs.check_commit.outputs.tag != '' }} | |
| steps: | |
| - name: Notify deployment to Slack | |
| uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3 | |
| with: | |
| webhook: ${{ secrets.PUBLISHING_NOTIFICATIONS_SLACK_WEBHOOK_URL }} | |
| webhook-type: incoming-webhook | |
| payload: | | |
| { | |
| "text": "Workflow: *${{ github.workflow }}*\n ✅ Deployment review approved \n 🚀 Starting deployment to `edr-release`", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "Workflow: *${{ github.workflow }}*\n ✅ Deployment review approved \n 🚀 Starting deployment to `edr-release`" | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*Commit:* <${{ github.event.head_commit.url || github.event.pull_request.html_url }}|View commit>\n*Run:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Open workflow run>" | |
| } | |
| } | |
| ] | |
| } | |
| - name: Download packed tarball | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: ${{ needs.prepare.outputs.filename }} | |
| path: . | |
| - name: Decompress tarball | |
| run: tar -xvzf ${{ needs.prepare.outputs.filename }} | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 | |
| - name: Setup node | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| id: setup-node | |
| with: | |
| node-version: 22 | |
| package-manager-cache: false | |
| - name: Update npm to make sure it supports Trusted Publishing | |
| run: npm install -g npm@v11.6.2 | |
| - name: Publish | |
| run: | | |
| if [ "${{ needs.check_commit.outputs.tag}}" = "next" ] | |
| then | |
| echo "Publishing pre-release" | |
| elif [ "${{ needs.check_commit.outputs.tag}}" = "latest" ] | |
| then | |
| echo "Publishing release" | |
| else | |
| echo "Unrecognized tag ${{ needs.check_commit.outputs.tag}}. Skipping publish" | |
| exit 1 | |
| fi | |
| # We need to publish the contests of crates/edr_napi only | |
| cd ./crates/edr_napi | |
| # First publish every cross-platform package | |
| for platform in ./npm/* ; do | |
| cd $platform | |
| pnpm publish --no-git-checks --tag ${{ needs.check_commit.outputs.tag}} --access public | |
| cd - | |
| done | |
| # Finally Publish edr napi root package (because it depends on the cross-platform ones) | |
| pnpm publish --no-git-checks --tag ${{ needs.check_commit.outputs.tag}} --access public |