hyperlane-monorepo/.github/workflows/release.yml at b5b553278c0dc76055c07235e65afe788d3b727c · hyperlane-xyz/hyperlane-monorepo · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
name: Release

on:
  push:
    branches:
      - main
    paths:
      - '.changeset/**'
      - '**/package.json'
      - 'typescript/**'
      - '!typescript/infra/**'
      - '!typescript/ccip-server/**'
      - '!typescript/github-proxy/**'
      - '!typescript/http-registry-server/**'
      - '!typescript/tsconfig/**'
      - 'solidity/**'
      - 'starknet/**'
      - 'pnpm-lock.yaml'
      - '.github/workflows/release.yml'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      snapshot_tag:
        description: 'NPM dist-tag for the beta release'
        required: true
        default: 'beta'
        type: choice
        options:
          - beta
          - alpha
          - rc
          - preview
      include_zksync:
        description: 'Include ZKSync build artifacts (adds ~6min)'
        required: false
        default: false
        type: boolean

concurrency: ${{ github.workflow }}-${{ github.ref }}

env:
  LOG_FORMAT: PRETTY
  TURBO_TELEMETRY_DISABLED: 1
  TURBO_API: https://cache.depot.dev
  TURBO_TOKEN: ${{ secrets.DEPOT_TURBO_TOKEN }}
  TURBO_TEAM: ${{ secrets.DEPOT_ORG_ID }}

jobs:
  # This job prepares the release by creating or updating a release PR.
  # Notice the omission of the `publish` flag in the changesets action.
  prepare-release:
    if: github.event_name == 'push'
    permissions:
      id-token: write
      contents: write
      pull-requests: write
    runs-on: depot-ubuntu-24.04
    steps:
      # Generate GitHub App token first.
      # Used by checkout fetch + changesets/action (via GITHUB_TOKEN) for release PR auth.
      - name: Generate GitHub App Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.HYPER_GONK_APP_ID }}
          private-key: ${{ secrets.HYPER_GONK_PRIVATE_KEY }}

      - name: Checkout Repo
        uses: actions/checkout@v6
        with:
          # check out full history
          fetch-depth: 0
          submodules: recursive
          persist-credentials: false
          token: ${{ steps.generate-token.outputs.token }}

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc

      - name: Setup pnpm
        uses: pnpm/action-setup@v4

      - name: Install Dependencies
        run: pnpm install --frozen-lockfile

      - name: Get GitHub App User ID
        id: get-user-id
        run: echo "user-id=$(gh api /users/${{ steps.generate-token.outputs.app-slug }}[bot] --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}

      - name: Configure Git for Hyper Gonk
        run: |
          git config user.name "${{ steps.generate-token.outputs.app-slug }}[bot]"
          git config user.email "${{ steps.get-user-id.outputs.user-id }}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com"

      - name: Create Release PR
        id: changesets
        uses: changesets/action@v1
        with:
          title: 'chore: release npm packages'
          version: pnpm version:prepare
          setupGitUser: false
        env:
          NPM_CONFIG_PROVENANCE: true
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}

  check-latest-published:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    outputs:
      all_latest: ${{ steps.check.outputs.all_latest }}
    steps:
      - uses: actions/checkout@v6

      - name: Retrieve package versions
        id: pkg
        run: |
          find . -name 'package.json' -print0 | while IFS= read -r -d '' pkg; do
            jq -r 'select(.private != true) | .name + "@" + .version' "$pkg"
          done | tee versions.txt

      - name: Compare package versions
        id: check
        run: |
          all_latest=true
          while read -r pkg; do
            echo "Checking if $pkg is published..."
            exists=$(npm view "$pkg" version 2>/dev/null || echo "N/A")
            echo "npm returned: $exists"
            if [ "$exists" = "N/A" ]; then
              echo "$pkg is NOT published."
              all_latest=false
              break
            else
              echo "$pkg is published."
            fi
          done < versions.txt
          echo "all_latest=$all_latest" >> $GITHUB_OUTPUT

  # If we detect that not all packages are published, we run the
  # cli-install-test workflow to verify that the CLI installs correctly.
  # Windows is excluded here for speed but tested nightly via cli-install-test.yml.
  cli-install-cross-platform-release-test:
    needs: [check-latest-published]
    if: github.event_name == 'push' && needs.check-latest-published.outputs.all_latest == 'false'
    uses: ./.github/workflows/cli-install-test.yml
    with:
      include-windows: false

  # This job publishes the release to NPM.
  publish-release:
    needs: cli-install-cross-platform-release-test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      id-token: write
      contents: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      # Generate GitHub App token first.
      # Used by checkout fetch + changesets/action (via GITHUB_TOKEN) for publish auth.
      - name: Generate GitHub App Token
        id: generate-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.HYPER_GONK_APP_ID }}
          private-key: ${{ secrets.HYPER_GONK_PRIVATE_KEY }}

      - name: Checkout Repo
        uses: actions/checkout@v6
        with:
          # check out full history
          fetch-depth: 0
          submodules: recursive
          persist-credentials: false
          token: ${{ steps.generate-token.outputs.token }}

      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
          registry-url: 'https://registry.npmjs.org'

      - name: Setup Foundry
        uses: ./.github/actions/setup-foundry

      - name: Setup pnpm
        uses: pnpm/action-setup@v4

      - name: Install Dependencies
        run: pnpm install --frozen-lockfile

      - name: Get GitHub App User ID
        id: get-user-id
        run: echo "user-id=$(gh api /users/${{ steps.generate-token.outputs.app-slug }}[bot] --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}

      - name: Configure Git for Hyper Gonk
        run: |
          git config user.name "${{ steps.generate-token.outputs.app-slug }}[bot]"
          git config user.email "${{ steps.get-user-id.outputs.user-id }}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com"

      - name: Publish Release to NPM
        id: changesets
        uses: changesets/action@v1
        with:
          title: 'chore: release npm packages'
          version: pnpm version:prepare
          publish: pnpm release
          setupGitUser: false
        env:
          NPM_CONFIG_PROVENANCE: true
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}

  publish-beta:
    if: github.event_name == 'workflow_dispatch'
    concurrency:
      group: npm-beta-release
      cancel-in-progress: false
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          submodules: recursive
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
          registry-url: 'https://registry.npmjs.org'

      - name: Check for changesets
        run: |
          CHANGESET_COUNT=$(find .changeset -name "*.md" ! -name "README.md" ! -name "config.json" 2>/dev/null | wc -l | tr -d ' ')
          if [ "$CHANGESET_COUNT" -eq 0 ]; then
            echo "::error::No pending changesets found. Beta releases require pending changeset files."
            echo ""
            echo "To create a beta release:"
            echo "1. Add a changeset: pnpm exec changeset"
            echo "2. Commit the changeset file"
            echo "3. Run this workflow again"
            exit 1
          fi
          echo "Found $CHANGESET_COUNT changeset(s)"

      - name: Setup pnpm
        uses: pnpm/action-setup@v4

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # Need to install foundry for the build step. `hardhat-foundry` expects foundry to be installed.
      - name: Setup Foundry
        uses: ./.github/actions/setup-foundry

      # Build BEFORE snapshot versioning so turbo cache hits are preserved.
      # Snapshot versioning rewrites every package.json, which invalidates turbo hashes.
      - name: Build packages
        run: pnpm run build

      - name: Inspect SDK dist after build
        run: |
          echo "Source cross-collateral predicate:"
          rg -n "isCrossCollateralToken|SealevelHypCrossCollateral" typescript/sdk/src/token/Token.ts
          echo ""
          echo "Dist token entry:"
          sed -n '1,12p' typescript/sdk/dist/token/Token.js || true
          echo ""
          echo "Dist TokenMetadata predicate:"
          sed -n '70,90p' typescript/sdk/dist/token/TokenMetadata.js || true
          echo ""
          if [ -f typescript/sdk/dist/token/TokenMetadata.js ] && \
             rg -q "SealevelHypCrossCollateral" typescript/sdk/src/token/Token.ts && \
             ! rg -q "SealevelHypCrossCollateral" typescript/sdk/dist/token/TokenMetadata.js; then
            echo "::error::SDK dist is stale on CI: source includes SealevelHypCrossCollateral but dist/token/TokenMetadata.js does not"
            exit 1
          fi
          echo "No sdk dist/source mismatch detected"

      - name: Build ZKSync artifacts
        if: inputs.include_zksync
        run: pnpm run build:zk

      - name: Create snapshot versions
        run: pnpm exec changeset version --snapshot ${{ inputs.snapshot_tag }}

      - name: Get snapshot version
        id: version
        run: |
          SNAPSHOT_VERSION=$(node -p "require('./typescript/sdk/package.json').version")
          echo "snapshot=$SNAPSHOT_VERSION" >> $GITHUB_OUTPUT

      - name: Publish beta packages
        run: pnpm exec changeset publish --tag ${{ inputs.snapshot_tag }} --no-git-tag
        env:
          NPM_CONFIG_PROVENANCE: true

      - name: Summary
        run: |
          echo "### Beta Release Published" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Version:** \`${{ steps.version.outputs.snapshot }}\`" >> $GITHUB_STEP_SUMMARY
          echo "**NPM Tag:** \`${{ inputs.snapshot_tag }}\`" >> $GITHUB_STEP_SUMMARY
          echo "**Branch:** \`${{ github.ref_name }}\`" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Install with:" >> $GITHUB_STEP_SUMMARY
          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
          echo "npm install @hyperlane-xyz/sdk@${{ inputs.snapshot_tag }}" >> $GITHUB_STEP_SUMMARY
          echo "npm install @hyperlane-xyz/cli@${{ inputs.snapshot_tag }}" >> $GITHUB_STEP_SUMMARY
          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

  notify-publish-failure:
    if: >-
      always() && (
        needs.publish-release.result == 'failure' ||
        needs.check-latest-published.result == 'failure' ||
        needs.cli-install-cross-platform-release-test.result == 'failure'
      )
    needs:
      [
        check-latest-published,
        cli-install-cross-platform-release-test,
        publish-release,
      ]
    runs-on: ubuntu-latest
    steps:
      - name: Notify Slack on publish failure
        uses: slackapi/slack-github-action@v3
        with:
          webhook: ${{ secrets.SLACK_INCIDENTS_WEBHOOK }}
          webhook-type: incoming-webhook
          payload: |
            text: ":alert: NPM package publish failed — see workflow run for details"
            blocks:
              - type: "section"
                text:
                  type: "mrkdwn"
                  text: ":alert: *NPM package publish failed*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View workflow run #${{ github.run_number }}>"