feat: backport CI release process

Author: trixter-osec

.github/scripts/publish-npmjs.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+set -xeuo pipefail
+
+publish() {
+  local dir="$1"
+  pushd "$dir" >/dev/null
+
+  local name version
+  name="$(node -p "require('./package.json').name")"
+  version="$(node -p "require('./package.json').version")"
+
+  # We still build the package even if we don't publish it, as yarn workspace will
+  # use the local version of each package, and if it's unbuilt then any subsequent
+  # build will error out due to missing files.
+  yarn --frozen-lockfile
+  local dirname
+  dirname="$(basename "$dir")"
+  if [[ "$dirname" == spl-* ]]; then
+    yarn build:npm
+  else
+    yarn build
+  fi
+
+  if npm view "${name}@${version}" version >/dev/null 2>&1; then
+    echo "The package $dir is already up to date, skipping"
+    popd >/dev/null
+    return 0
+  fi
+
+  local publish_args=()
+  # If version looks like X.Y.Z-<something> (e.g. 1.0.0-rc.2), publish under dist-tag "next"
+  if [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+-.+ ]]; then
+    publish_args+=(--tag next)
+  fi
+
+  if [[ "${DRY_RUN:-false}" == "true" ]]; then
+    echo "Publishing $dir (${name}@${version}) as a dry-run"
+    npm publish "${publish_args[@]}" --dry-run
+  else
+    echo "Publishing $dir (${name}@${version})"
+    npm publish "${publish_args[@]}" --provenance --access public
+  fi
+
+  popd >/dev/null
+}
+
+base="ts/packages"
+
+publish "$base/borsh"
+publish "$base/anchor-errors"
+publish "$base/anchor"
+#publish "$base/spl-associated-token-account"
+#publish "$base/spl-binary-option"
+#publish "$base/spl-binary-oracle-pair"
+#publish "$base/spl-feature-proposal"
+#publish "$base/spl-governance"
+#publish "$base/spl-memo"
+#publish "$base/spl-name-service"
+#publish "$base/spl-record"
+#publish "$base/spl-stake-pool"
+#publish "$base/spl-stateless-asks"
+publish "$base/spl-token"
+#publish "$base/spl-token-lending"
+#publish "$base/spl-token-swap"

.github/workflows/build-cli.yaml

@@ -0,0 +1,97 @@
+name: Build CLI
+
+on:
+  workflow_call:
+    inputs:
+      dry_run:
+        description: "If true, use 'dry-run' as the version string instead of the tag"
+        required: true
+        type: boolean
+      dist:
+        description: "Directory name for distribution artifacts (e.g. dist-v1.2.3 or dist-dry-run)"
+        required: true
+        type: string
+
+jobs:
+  build-cli:
+    name: Build binaries${{ inputs.dry_run && ' (dry-run)' || '' }} (${{matrix.os}})
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+
+    strategy:
+      matrix:
+        target:
+          - aarch64-apple-darwin
+          - x86_64-unknown-linux-gnu
+          - x86_64-apple-darwin
+          - x86_64-pc-windows-msvc
+        include:
+          - target: aarch64-apple-darwin
+            os: macos-latest
+
+          - target: x86_64-unknown-linux-gnu
+            os: ubuntu-latest
+
+          - target: x86_64-apple-darwin
+            os: macos-latest
+
+          - target: x86_64-pc-windows-msvc
+            os: windows-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
+        with:
+          toolchain: stable
+          target: ${{ matrix.target }}
+
+      - name: Install dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y libudev-dev
+
+      # FIXME: The global system LLVM on GitHub is very outdated, and LTO causes link errors
+      - name: Build release binary (macOS)
+        if: runner.os == 'macOS'
+        env:
+          CARGO_PROFILE_RELEASE_LTO: "off"
+          RUSTFLAGS: -C embed-bitcode=no
+        run: cargo build --package anchor-cli --release --locked --target ${{ matrix.target }}
+
+      - name: Build release binary
+        if: runner.os != 'macOS'
+        run: cargo build --package anchor-cli --release --locked --target ${{ matrix.target }}
+
+      - name: Prepare
+        id: prepare
+        shell: bash
+        run: |
+          if [[ "${{ inputs.dry_run }}" == "true" ]]; then
+            version="dry-run"
+          else
+            version=$(echo $GITHUB_REF_NAME | cut -dv -f2)
+          fi
+          ext=""
+          [[ "${{ matrix.os }}" == windows-latest ]] && ext=".exe"
+
+          mkdir ${{ inputs.dist }}
+          mv "target/${{ matrix.target }}/release/anchor$ext" ${{ inputs.dist }}/anchor-$version-${{ matrix.target }}$ext
+
+          echo "version=$version" >> $GITHUB_OUTPUT
+
+      - name: Attest build provenance
+        # `id-token: write` is not granted for PRs from forks
+        if: ${{ github.event.pull_request.head.repo.fork != true }}
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-path: ${{ inputs.dist }}/anchor-${{ steps.prepare.outputs.version }}-${{ matrix.target }}*
+
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: anchor-${{ steps.prepare.outputs.version }}-${{ matrix.target }}
+          path: ${{ inputs.dist }}
+          overwrite: true
+          retention-days: 1

.github/workflows/prepare-release.yaml

@@ -0,0 +1,142 @@
+name: Prepare Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to bump to without the v[...] prefix (e.g. 1.0.0-rc.5)"
+        required: true
+        type: string
+      create_ts_docs_pr:
+        description: "Create a PR to publish TS docs for this version"
+        required: true
+        default: true
+        type: boolean
+
+permissions:
+  contents: write
+
+jobs:
+  prepare-release-bump:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Force fetch upstream tags
+        run: git fetch --tags --force
+
+      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
+        with:
+          toolchain: stable
+
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: "24"
+          registry-url: "https://registry.npmjs.org"
+          package-manager-cache: false
+
+      - name: Enable corepack (yarn)
+        run: corepack enable
+
+      - uses: ./.github/actions/setup-solana/
+        env:
+          SOLANA_VERSION: "2.3.0"
+
+      - name: Install cargo-release
+        run: cargo install cargo-release --version 1.1.1 --locked
+
+      - name: Bump version
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          set -xeou pipefail
+
+          ./setup-tests.sh
+          ./bump-version.sh "$VERSION"
+
+      # I would love to automatically create a PR here, but GitHub does not allow triggering CI jobs
+      # on automatically created PRs to prevent recursion
+      - name: Create release bump branch
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          set -xeou pipefail
+
+          BRANCH="release-bump/$VERSION"
+
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          git checkout -b "$BRANCH"
+          git add -A
+          git commit -m "v$VERSION"
+          git push --set-upstream origin "$BRANCH"
+
+  # I would love to automatically push this to the branch, but again, GitHub does not
+  # allow for this.
+  prepare-ts-docs:
+    runs-on: ubuntu-latest
+    needs: prepare-release-bump
+    if: ${{ inputs.create_ts_docs_pr }}
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Force fetch upstream tags
+        run: git fetch --tags --force
+
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: "24"
+          registry-url: "https://registry.npmjs.org"
+          package-manager-cache: false
+
+      - name: Enable corepack (yarn)
+        run: corepack enable
+
+      - name: Generate TS docs
+        run: |
+          set -xeou pipefail
+
+          cd ts/packages/borsh && yarn --frozen-lockfile && yarn build && yarn link --force && cd ../../../
+          cd ts/packages/anchor-errors && yarn --frozen-lockfile && yarn build && yarn link --force && cd ../../../
+          cd ts/packages/anchor && yarn --frozen-lockfile && yarn build:node && yarn link && cd ../../../
+
+          cd ts/packages/anchor/
+          yarn docs
+
+      - name: Create TS docs PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ inputs.version }}
+        run: |
+          set -xeuo pipefail
+
+          DOCS_DIST="docs/src/.vuepress/dist"
+          DOCS_TMP="$RUNNER_TEMP/ts-docs"
+          BRANCH="ts-docs/$VERSION"
+
+          test -d "$DOCS_DIST"
+          mkdir -p "$DOCS_TMP"
+          cp -a "$DOCS_DIST"/. "$DOCS_TMP"/
+
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          git switch -c "$BRANCH" origin/gh-pages
+
+          find . -mindepth 1 -maxdepth 1 ! -name .git -exec rm -rf {} +
+          cp -a "$DOCS_TMP"/. .
+
+          git add -A
+          if git diff --cached --quiet; then
+            echo "No TS docs changes to publish."
+          else
+            git commit -m "v$VERSION"
+            git push --set-upstream origin "$BRANCH"
+          fi