Skip to content

Commit 87c3713

Browse files
lutterlutter
committed
ci: Add npm publish with trusted publishing to gnd build workflow
Update the gnd binary build workflow with: - Replace deprecated macos-13 runner with macos-14 - Bump GitHub Actions to Node.js 24-compatible versions - Cache gnd binaries to skip builds when source is unchanged - Use --clobber for release asset uploads - Add publish-npm job that publishes per-platform @graphprotocol/gnd-* packages using npm trusted publishing (OIDC, no NPM_TOKEN needed) - Support --tag for prerelease npm publishes - Add dry_run workflow input for testing
1 parent 6a362e6 commit 87c3713

1 file changed

Lines changed: 151 additions & 29 deletions

File tree

.github/workflows/gnd-binary-build.yml

Lines changed: 151 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,11 @@ name: Build gnd Binaries
22

33
on:
44
workflow_dispatch:
5+
inputs:
6+
dry_run:
7+
description: 'Dry-run npm publish (no actual publish)'
8+
type: boolean
9+
default: false
510

611
jobs:
712
build:
@@ -18,7 +23,7 @@ jobs:
1823
runner: ubuntu-22.04
1924
asset_name: gnd-linux-aarch64
2025
- target: x86_64-apple-darwin
21-
runner: macos-13
26+
runner: macos-14
2227
asset_name: gnd-macos-x86_64
2328
- target: aarch64-apple-darwin
2429
runner: macos-latest
@@ -29,21 +34,32 @@ jobs:
2934

3035
steps:
3136
- name: Checkout repository
32-
uses: actions/checkout@v4
37+
uses: actions/checkout@v6
38+
39+
- name: Cache built binary
40+
id: bin-cache
41+
uses: actions/cache@v5
42+
with:
43+
path: |
44+
${{ matrix.asset_name }}.gz
45+
${{ matrix.asset_name }}.zip
46+
key: gnd-${{ matrix.target }}-${{ hashFiles('Cargo.lock', '**/Cargo.toml', '**/*.rs') }}
3347

3448
- name: Install Rust toolchain
49+
if: steps.bin-cache.outputs.cache-hit != 'true'
3550
run: |
3651
rustup toolchain install stable
3752
rustup target add ${{ matrix.target }}
3853
rustup default stable
3954
4055
- name: Rust Cache
56+
if: steps.bin-cache.outputs.cache-hit != 'true'
4157
uses: Swatinem/rust-cache@v2
4258
with:
4359
key: ${{ matrix.target }}
4460

4561
- name: Install dependencies (Ubuntu)
46-
if: startsWith(matrix.runner, 'ubuntu')
62+
if: steps.bin-cache.outputs.cache-hit != 'true' && startsWith(matrix.runner, 'ubuntu')
4763
run: |
4864
sudo apt-get update
4965
sudo apt-get install -y protobuf-compiler musl-tools
@@ -52,27 +68,26 @@ jobs:
5268
fi
5369
5470
- name: Install dependencies (macOS)
55-
if: startsWith(matrix.runner, 'macos')
71+
if: steps.bin-cache.outputs.cache-hit != 'true' && startsWith(matrix.runner, 'macos')
5672
run: |
5773
brew install protobuf
5874
5975
- name: Install protobuf (Windows)
60-
if: startsWith(matrix.runner, 'windows')
76+
if: steps.bin-cache.outputs.cache-hit != 'true' && startsWith(matrix.runner, 'windows')
6177
run: choco install protoc
6278

63-
6479
- name: Build gnd binary (Unix/Mac)
65-
if: ${{ !startsWith(matrix.runner, 'windows') }}
80+
if: steps.bin-cache.outputs.cache-hit != 'true' && !startsWith(matrix.runner, 'windows')
6681
run: cargo build --bin gnd --release --target ${{ matrix.target }}
6782
env:
6883
CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
6984

7085
- name: Build gnd binary (Windows)
71-
if: startsWith(matrix.runner, 'windows')
86+
if: steps.bin-cache.outputs.cache-hit != 'true' && startsWith(matrix.runner, 'windows')
7287
run: cargo build --bin gnd --release --target ${{ matrix.target }}
7388

7489
- name: Sign macOS binary
75-
if: startsWith(matrix.runner, 'macos')
90+
if: steps.bin-cache.outputs.cache-hit != 'true' && startsWith(matrix.runner, 'macos')
7691
uses: lando/code-sign-action@v3
7792
with:
7893
file: target/${{ matrix.target }}/release/gnd
@@ -82,7 +97,7 @@ jobs:
8297
options: --options runtime --entitlements entitlements.plist
8398

8499
- name: Notarize macOS binary
85-
if: startsWith(matrix.runner, 'macos')
100+
if: steps.bin-cache.outputs.cache-hit != 'true' && startsWith(matrix.runner, 'macos')
86101
uses: lando/notarize-action@v2
87102
with:
88103
product-path: target/${{ matrix.target }}/release/gnd
@@ -91,20 +106,20 @@ jobs:
91106
appstore-connect-team-id: ${{ secrets.APPLE_TEAM_ID }}
92107

93108
- name: Prepare binary (Unix)
94-
if: ${{ !startsWith(matrix.runner, 'windows') }}
109+
if: steps.bin-cache.outputs.cache-hit != 'true' && !startsWith(matrix.runner, 'windows')
95110
run: |
96111
cp target/${{ matrix.target }}/release/gnd ${{ matrix.asset_name }}
97112
chmod +x ${{ matrix.asset_name }}
98113
gzip ${{ matrix.asset_name }}
99114
100115
- name: Prepare binary (Windows)
101-
if: startsWith(matrix.runner, 'windows')
116+
if: steps.bin-cache.outputs.cache-hit != 'true' && startsWith(matrix.runner, 'windows')
102117
run: |
103118
copy target\${{ matrix.target }}\release\gnd.exe ${{ matrix.asset_name }}
104119
7z a -tzip ${{ matrix.asset_name }}.zip ${{ matrix.asset_name }}
105120
106121
- name: Upload artifact
107-
uses: actions/upload-artifact@v4
122+
uses: actions/upload-artifact@v7
108123
with:
109124
name: ${{ matrix.asset_name }}
110125
path: |
@@ -119,7 +134,7 @@ jobs:
119134
runs-on: ubuntu-latest
120135
steps:
121136
- name: Checkout code
122-
uses: actions/checkout@v4
137+
uses: actions/checkout@v6
123138

124139
- name: Setup GitHub CLI
125140
run: |
@@ -129,7 +144,7 @@ jobs:
129144
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
130145

131146
- name: Download all artifacts
132-
uses: actions/download-artifact@v4
147+
uses: actions/download-artifact@v8
133148
with:
134149
path: artifacts
135150

@@ -142,18 +157,125 @@ jobs:
142157
VERSION=${GITHUB_REF#refs/tags/}
143158
144159
# Upload Linux x86_64 asset
145-
gh release upload $VERSION artifacts/gnd-linux-x86_64/gnd-linux-x86_64.gz --repo $GITHUB_REPOSITORY
146-
147-
# Upload Linux ARM64 asset
148-
gh release upload $VERSION artifacts/gnd-linux-aarch64/gnd-linux-aarch64.gz --repo $GITHUB_REPOSITORY
149-
150-
# Upload macOS x86_64 asset
151-
gh release upload $VERSION artifacts/gnd-macos-x86_64/gnd-macos-x86_64.gz --repo $GITHUB_REPOSITORY
152-
153-
# Upload macOS ARM64 asset
154-
gh release upload $VERSION artifacts/gnd-macos-aarch64/gnd-macos-aarch64.gz --repo $GITHUB_REPOSITORY
155-
156-
# Upload Windows x86_64 asset
157-
gh release upload $VERSION artifacts/gnd-windows-x86_64.exe/gnd-windows-x86_64.exe.zip --repo $GITHUB_REPOSITORY
160+
gh release upload $VERSION --clobber --repo $GITHUB_REPOSITORY \
161+
artifacts/gnd-linux-x86_64/gnd-linux-x86_64.gz \
162+
artifacts/gnd-linux-aarch64/gnd-linux-aarch64.gz \
163+
artifacts/gnd-macos-x86_64/gnd-macos-x86_64.gz \
164+
artifacts/gnd-macos-aarch64/gnd-macos-aarch64.gz \
165+
artifacts/gnd-windows-x86_64.exe/gnd-windows-x86_64.exe.zip
166+
env:
167+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
168+
169+
publish-npm:
170+
name: Publish npm package for ${{ matrix.platform }}
171+
needs: release
172+
if: startsWith(github.ref, 'refs/tags/')
173+
runs-on: ubuntu-latest
174+
permissions:
175+
id-token: write
176+
contents: read
177+
strategy:
178+
fail-fast: false
179+
matrix:
180+
include:
181+
- platform: linux-x64
182+
asset: gnd-linux-x86_64.gz
183+
os_field: linux
184+
cpu_field: x64
185+
extract: gunzip
186+
- platform: linux-arm64
187+
asset: gnd-linux-aarch64.gz
188+
os_field: linux
189+
cpu_field: arm64
190+
extract: gunzip
191+
- platform: darwin-x64
192+
asset: gnd-macos-x86_64.gz
193+
os_field: darwin
194+
cpu_field: x64
195+
extract: gunzip
196+
- platform: darwin-arm64
197+
asset: gnd-macos-aarch64.gz
198+
os_field: darwin
199+
cpu_field: arm64
200+
extract: gunzip
201+
- platform: win32-x64
202+
asset: gnd-windows-x86_64.exe.zip
203+
os_field: win32
204+
cpu_field: x64
205+
extract: unzip
206+
steps:
207+
- uses: actions/setup-node@v6
208+
with:
209+
node-version: 24
210+
211+
- name: Download gnd binary
158212
env:
159-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
213+
GH_TOKEN: ${{ github.token }}
214+
run: |
215+
gh release download "${{ github.ref_name }}" \
216+
--repo "${{ github.repository }}" \
217+
--pattern "${{ matrix.asset }}" \
218+
--output ./binary-archive
219+
220+
- name: Extract binary
221+
run: |
222+
mkdir -p pkg/bin
223+
if [ "${{ matrix.extract }}" = "gunzip" ]; then
224+
gunzip -c ./binary-archive > pkg/bin/gnd
225+
chmod +x pkg/bin/gnd
226+
else
227+
unzip ./binary-archive -d pkg/bin
228+
mv pkg/bin/*.exe pkg/bin/gnd.exe
229+
fi
230+
231+
- name: Determine version and npm tag
232+
id: version
233+
shell: bash
234+
run: |
235+
VERSION="${{ github.ref_name }}"
236+
VERSION="${VERSION#v}"
237+
echo "version=${VERSION}" >> $GITHUB_OUTPUT
238+
# Prerelease versions (e.g. 0.42.2-dev.1) need an explicit --tag
239+
if [[ "$VERSION" == *-* ]]; then
240+
# Extract prerelease identifier (e.g. "dev" from "0.42.2-dev.1")
241+
PRE="${VERSION#*-}"
242+
TAG="${PRE%%.*}"
243+
echo "tag=${TAG}" >> $GITHUB_OUTPUT
244+
else
245+
echo "tag=latest" >> $GITHUB_OUTPUT
246+
fi
247+
248+
- name: Create package.json
249+
shell: bash
250+
run: |
251+
if [ "${{ matrix.os_field }}" = "win32" ]; then
252+
BIN_PATH="./bin/gnd.exe"
253+
else
254+
BIN_PATH="./bin/gnd"
255+
fi
256+
257+
cat > pkg/package.json << EOF
258+
{
259+
"name": "@graphprotocol/gnd-${{ matrix.platform }}",
260+
"version": "${{ steps.version.outputs.version }}",
261+
"description": "gnd binary for ${{ matrix.platform }}",
262+
"os": ["${{ matrix.os_field }}"],
263+
"cpu": ["${{ matrix.cpu_field }}"],
264+
"bin": {
265+
"gnd": "${BIN_PATH}"
266+
},
267+
"publishConfig": {
268+
"access": "public",
269+
"provenance": true
270+
},
271+
"license": "(Apache-2.0 OR MIT)",
272+
"repository": {
273+
"type": "git",
274+
"url": "https://github.com/graphprotocol/graph-node.git"
275+
}
276+
}
277+
EOF
278+
279+
- name: Publish
280+
run: npm publish --provenance --access public --tag ${{ steps.version.outputs.tag }} ${{ inputs.dry_run && '--dry-run' || '' }}
281+
working-directory: pkg

0 commit comments

Comments
 (0)