[CI/CD] Release documentation + automated SDK release actions

[iamalwaysuncomfortable]

Motivation

This PR adds an automated SDK release action and an updated Publish.md for SDK releases.

[iamalwaysuncomfortable]

@14MR I've added this to automate publishing of SDK release actions, can you give it a review to ensure it passes the quality and security bar for operations.

We've ensured to limit to a production github environment with a limited set of possible reviewers.

[Copilot]

Pull request overview

This PR introduces a manual GitHub Actions workflow to automate publishing the SDK packages to npm (including a split-mode build for differing testnet/mainnet SnarkVM versions) and updates PUBLISH.md to document the release process.

Changes:

• Updated PUBLISH.md with standard vs split release build flows, including Git tag + GitHub Release steps.
• Added .github/workflows/publish.yml to build artifacts, run tests, publish npm packages, and create a git tag + GitHub Release (with dry-run support).
• Added split-mode build logic to combine testnet WASM (from testnet branch) with mainnet artifacts.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

File	Description
PUBLISH.md	Expands release documentation with standard/split flows and release/tag commands.
.github/workflows/publish.yml	Adds a dispatchable publish workflow that builds, tests, publishes to npm, tags, and creates GitHub releases.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Same versioning concern in split mode: the workflow tags/releases based on wasm/package.json only. Add a consistency check across wasm, sdk, and create-leo-app versions (and sdk’s @provablehq/wasm dependency) to avoid publishing mismatched versions under a single tag.

Suggested change

	- name: Read version
	id: version
	run: |
	VERSION=$(node -p "require('./wasm/package.json').version")
	echo "version=$VERSION" >> $GITHUB_OUTPUT
	echo "tag=v$VERSION" >> $GITHUB_OUTPUT
	- name: Read and validate versions
	id: version
	run: |
	node <<'EOF' >> "$GITHUB_OUTPUT"
	const fs = require('fs');
	function readJson(path) {
	return JSON.parse(fs.readFileSync(path, 'utf8'));
	}
	const wasmPkg = readJson('./wasm/package.json');
	const sdkPkg = readJson('./sdk/package.json');
	const claPkg = readJson('./create-leo-app/package.json');
	const wasmVersion = wasmPkg.version;
	const sdkVersion = sdkPkg.version;
	const claVersion = claPkg.version;
	const sdkDeps = Object.assign(
	{},
	sdkPkg.dependencies || {},
	sdkPkg.devDependencies || {}
	);
	let sdkWasmDep = sdkDeps['@provablehq/wasm'];
	function normalize(v) {
	return (v || '').replace(/^[~^]/, '');
	}
	const normWasm = normalize(wasmVersion);
	const normSdk = normalize(sdkVersion);
	const normCla = normalize(claVersion);
	const normSdkDep = normalize(sdkWasmDep);
	let mismatches = [];
	if (!normWasm) {
	mismatches.push('Missing or empty wasm version');
	}
	if (normSdk && normSdk !== normWasm) {
	mismatches.push(`sdk version (${sdkVersion}) != wasm version (${wasmVersion})`);
	}
	if (normCla && normCla !== normWasm) {
	mismatches.push(`create-leo-app version (${claVersion}) != wasm version (${wasmVersion})`);
	}
	if (sdkWasmDep && normSdkDep !== normWasm) {
	mismatches.push(`sdk dependency @provablehq/wasm (${sdkWasmDep}) != wasm version (${wasmVersion})`);
	}
	if (!sdkWasmDep) {
	mismatches.push('sdk is missing @provablehq/wasm dependency');
	}
	if (mismatches.length > 0) {
	console.error('Version mismatch detected in split publish:');
	for (const msg of mismatches) {
	console.error(' - ' + msg);
	}
	process.exit(1);
	}
	console.log(`version=${wasmVersion}`);
	console.log(`tag=v${wasmVersion}`);
	EOF

[Copilot]

In bash, cd ../create-leo-app & npm publish ... runs the cd in the background (in a subshell) so the directory change won’t apply; npm publish will likely run from the wrong directory. Use && to ensure the publish runs in create-leo-app.

[Copilot]

Same issue here: cd ../create-leo-app & npm publish ... backgrounds the cd so npm publish may run from the wrong directory. Use && so the publish runs in create-leo-app.

[Copilot]

In split mode, yarn build:wasm on the mainnet branch generates wasm/dist/testnet (see wasm/build.js which always builds both networks). Downloading the testnet artifact into the same path without deleting it first risks leaving stale/incorrect files from the mainnet build. Remove wasm/dist/testnet before the download (or download to a temp dir and then move/replace).

[Copilot]

The publish workflow only runs yarn test:sdk and does not run WASM tests (yarn test:wasm). CI in .github/workflows/sdk.yml runs both, so releases could ship broken WASM outputs. Consider running yarn test (or at least adding yarn test:wasm) before publishing.

Suggested change

	run: yarn test:sdk
	run: yarn test:sdk && yarn test:wasm

[Copilot]

Same as standard mode: split-mode release tests only run yarn test:sdk and skip yarn test:wasm, even though the workflow builds and publishes the WASM package. Consider running yarn test (or yarn test:wasm) here before publishing.

Suggested change

	- name: Test SDK
	run: yarn test:sdk
	- name: Test SDK and WASM
	run: |
	yarn test:sdk
	yarn test:wasm

[Copilot]

Tagging is derived only from wasm/package.json’s version. If sdk / create-leo-app versions drift (or if sdk’s dependency range doesn’t match), the git tag and GitHub release will not correspond to what was actually published. Consider validating all three package versions match (and that sdk depends on the same version) before publishing/tagging, and fail the workflow if they differ.

[marshacb]

LGTM! Copilot's comments seem valid/worth addressing (especially the stale testnet files in split mode and the & vs && typo). The version consistency check would be a nice safety net too. Nothing blocking but would be good to clean those up before merging.