solana-foundation
diff --git a/‎.github/scripts/publish-npmjs.sh‎
Lines changed: 65 additions & 0 deletions b/‎.github/scripts/publish-npmjs.sh‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎.github/workflows/build-cli.yaml‎
Lines changed: 86 additions & 0 deletions b/‎.github/workflows/build-cli.yaml‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎.github/workflows/publish-crates.yaml‎
Lines changed: 92 additions & 0 deletions b/‎.github/workflows/publish-crates.yaml‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎.github/workflows/publish-npmjs.yaml‎
Lines changed: 59 additions & 0 deletions b/‎.github/workflows/publish-npmjs.yaml‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎.github/workflows/release-pr.yaml‎
Lines changed: 42 additions & 0 deletions b/‎.github/workflows/release-pr.yaml‎
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+set -xeuo pipefail
+
+publish() {
+  local dir="$1"
+  pushd "$dir" >/dev/null
+
+  local name version
+  name="$(node -p "require('./package.json').name")"
+  version="$(node -p "require('./package.json').version")"
+
+  # We still build the package even if we don't publish it, as yarn workspace will
+  # use the local version of each package, and if it's unbuilt then any subsequent
+  # build will error out due to missing files.
+  yarn --frozen-lockfile
+  local dirname
+  dirname="$(basename "$dir")"
+  if [[ "$dirname" == spl-* ]]; then
+    yarn build:npm
+  else
+    yarn build
+  fi
+
+  if npm view "${name}@${version}" version >/dev/null 2>&1; then
+    echo "The package $dir is already up to date, skipping"
+    popd >/dev/null
+    return 0
+  fi
+
+  local publish_args=()
+  # If version looks like X.Y.Z-<something> (e.g. 1.0.0-rc.2), publish under dist-tag "next"
+  if [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+-.+ ]]; then
+    publish_args+=(--tag next)
+  fi
+
+  if [[ "${DRY_RUN:-false}" == "true" ]]; then
+    echo "Publishing $dir (${name}@${version}) as a dry-run"
+    npm publish "${publish_args[@]}" --dry-run
+  else
+    echo "Publishing $dir (${name}@${version})"
+    npm publish "${publish_args[@]}" --provenance --access public
+  fi
+
+  popd >/dev/null
+}
+
+base="ts/packages"
+
+publish "$base/borsh"
+publish "$base/anchor-errors"
+publish "$base/anchor"
+#publish "$base/spl-associated-token-account"
+#publish "$base/spl-binary-option"
+#publish "$base/spl-binary-oracle-pair"
+#publish "$base/spl-feature-proposal"
+#publish "$base/spl-governance"
+#publish "$base/spl-memo"
+#publish "$base/spl-name-service"
+#publish "$base/spl-record"
+#publish "$base/spl-stake-pool"
+#publish "$base/spl-stateless-asks"
+publish "$base/spl-token"
+#publish "$base/spl-token-lending"
+#publish "$base/spl-token-swap"
@@ -0,0 +1,86 @@
+name: Build CLI
+
+on:
+  workflow_call:
+    inputs:
+      dry_run:
+        description: "If true, use 'dry-run' as the version string instead of the tag"
+        required: true
+        type: boolean
+      dist:
+        description: "Directory name for distribution artifacts (e.g. dist-v1.2.3 or dist-dry-run)"
+        required: true
+        type: string
+
+jobs:
+  build-cli:
+    name: Build binaries${{ inputs.dry_run && ' (dry-run)' || '' }}
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+
+    strategy:
+      matrix:
+        target:
+          - aarch64-apple-darwin
+          - x86_64-unknown-linux-gnu
+          - x86_64-apple-darwin
+          - x86_64-pc-windows-msvc
+        include:
+          - target: aarch64-apple-darwin
+            os: macos-latest
+
+          - target: x86_64-unknown-linux-gnu
+            os: ubuntu-latest
+
+          - target: x86_64-apple-darwin
+            os: macos-latest
+
+          - target: x86_64-pc-windows-msvc
+            os: windows-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
+        with:
+          toolchain: stable
+          target: ${{ matrix.target }}
+
+      - name: Install dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y libudev-dev
+
+      - name: Build release binary
+        run: cargo build --package trixter-osec-anchor-cli --release --locked --target ${{ matrix.target }}
+
+      - name: Prepare
+        id: prepare
+        shell: bash
+        run: |
+          if [[ "${{ inputs.dry_run }}" == "true" ]]; then
+            version="dry-run"
+          else
+            version=$(echo $GITHUB_REF_NAME | cut -dv -f2)
+          fi
+          ext=""
+          [[ "${{ matrix.os }}" == windows-latest ]] && ext=".exe"
+
+          mkdir ${{ inputs.dist }}
+          mv "target/${{ matrix.target }}/release/anchor$ext" ${{ inputs.dist }}/anchor-$version-${{ matrix.target }}$ext
+
+          echo "version=$version" >> $GITHUB_OUTPUT
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-path: ${{ inputs.dist }}/anchor-${{ steps.prepare.outputs.version }}-${{ matrix.target }}*
+
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: anchor-${{ steps.prepare.outputs.version }}-${{ matrix.target }}
+          path: ${{ inputs.dist }}
+          overwrite: true
+          retention-days: 1
@@ -0,0 +1,92 @@
+name: Publish Crates
+
+on:
+  workflow_call:
+    inputs:
+      dry_run:
+        description: "If true, build crates instead of publishing them (packaging validation only)"
+        required: true
+        type: boolean
+
+jobs:
+  publish-crates-dry-run:
+    name: Publish crates (dry-run)
+    if: ${{ inputs.dry_run }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
+        with:
+          toolchain: stable
+
+      - name: Publish crates
+        run: |
+          set -xeuo pipefail
+
+          echo "Publishing all workspace packages as a dry-run"
+          cargo publish --workspace --locked --dry-run
+
+  publish-crates:
+    name: Publish crates
+    if: ${{ !inputs.dry_run }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+      artifact-metadata: write
+    environment:
+      name: release
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
+        with:
+          toolchain: stable
+
+      - name: Authenticate with crates.io
+        id: auth
+        uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
+
+      - name: Publish crates
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+        run: |
+          set -xeuo pipefail
+
+          echo "Publishing all workspace packages"
+          cargo publish --workspace --locked
+
+      - name: Check for crate artifacts
+        id: crate-artifacts
+        if: ${{ !inputs.dry_run }}
+        run: |
+          shopt -s nullglob
+          files=(target/package/*.crate)
+          if [ ${#files[@]} -gt 0 ]; then
+            echo "found=true" >> "$GITHUB_OUTPUT"
+            cd target/package
+            sha256sum *.crate > SHA256SUMS
+            echo "--- Crate checksums ---"
+            cat SHA256SUMS
+          else
+            echo "found=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Attest crate checksum manifest
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        if: ${{ !inputs.dry_run && steps.crate-artifacts.outputs.found == 'true' }}
+        with:
+          subject-path: target/package/SHA256SUMS
+
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: ${{ !inputs.dry_run && steps.crate-artifacts.outputs.found == 'true' }}
+        with:
+          if-no-files-found: ignore
+          name: published-crates
+          path: |
+            target/package/*.crate
+            target/package/SHA256SUMS
@@ -0,0 +1,59 @@
+name: Publish npmjs
+
+on:
+  workflow_call:
+    inputs:
+      dry_run:
+        description: "If true, use --dry-run instead of actually publishing"
+        required: true
+        type: boolean
+
+jobs:
+  publish-npmjs-dry-run:
+    name: Publish npmjs packages (dry-run)
+    if: ${{ inputs.dry_run }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: "24"
+          registry-url: "https://registry.npmjs.org"
+          package-manager-cache: false
+
+      - name: Enable corepack (yarn)
+        run: corepack enable
+
+      - name: Publish npmjs packages
+        env:
+          DRY_RUN: "true"
+        run: bash .github/scripts/publish-npmjs.sh
+
+  publish-npmjs:
+    name: Publish npmjs packages
+    if: ${{ !inputs.dry_run }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment:
+      name: release
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: "24"
+          registry-url: "https://registry.npmjs.org"
+          package-manager-cache: false
+
+      - name: Enable corepack (yarn)
+        run: corepack enable
+
+      - name: Publish npmjs packages
+        env:
+          DRY_RUN: "false"
+        run: bash .github/scripts/publish-npmjs.sh
@@ -0,0 +1,42 @@
+name: Release Dry-run
+
+on:
+  pull_request:
+    branches:
+      - master
+
+    paths:
+      - VERSION
+      - github/workflows/release-pr.yaml
+      - github/workflows/build-cli.yaml
+      - github/workflows/publish-crates.yaml
+      - github/workflows/publish-npmjs.yaml
+
+  workflow_dispatch:
+
+env:
+  DIST: dist-dry-run
+
+jobs:
+  publish-crates-dryrun:
+    name: Publish crates (dry-run)
+    uses: ./.github/workflows/publish-crates.yaml
+    with:
+      dry_run: true
+
+  publish-npmjs-dryrun:
+    name: Publish npmjs packages (dry-run)
+    uses: ./.github/workflows/publish-npmjs.yaml
+    with:
+      dry_run: true
+
+  # We skip checking if the Docker image builds for now as it depends on the version tag already existing,
+  # though as we already have the `build-cli-dryrun` step below there should be rarely any reason for the
+  # image build to ever fail anyway.
+
+  build-cli-dryrun:
+    name: Build binaries (dry-run)
+    uses: ./.github/workflows/build-cli.yaml
+    with:
+      dry_run: true
+      dist: dist-dry-run