Skip to content

Commit f84b576

Browse files
authored
Merge branch 'main' into omar/remove-wallet-react-ui-docs
2 parents a3df342 + fd59eee commit f84b576

16 files changed

Lines changed: 320 additions & 71 deletions

File tree

.github/dependabot.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
version: 2
2+
updates:
3+
# Keep SHA-pinned GitHub Actions current. Dependabot bumps the pinned commit
4+
# and updates the trailing `# vX.Y.Z` comment. Grouped into a single weekly PR.
5+
- package-ecosystem: github-actions
6+
directory: /
7+
schedule:
8+
interval: weekly
9+
groups:
10+
github-actions:
11+
patterns: ["*"]

.github/workflows/ci.yml

Lines changed: 19 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -12,13 +12,13 @@ jobs:
1212
runs-on: ubuntu-latest
1313
steps:
1414
- name: Checkout
15-
uses: actions/checkout@v4
15+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1616

1717
- name: Setup pnpm
18-
uses: pnpm/action-setup@v4
18+
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
1919

2020
- name: Setup Node.js
21-
uses: actions/setup-node@v4
21+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
2222
with:
2323
node-version: 20
2424
cache: pnpm
@@ -34,13 +34,13 @@ jobs:
3434
runs-on: ubuntu-latest
3535
steps:
3636
- name: Checkout
37-
uses: actions/checkout@v4
37+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
3838

3939
- name: Setup pnpm
40-
uses: pnpm/action-setup@v4
40+
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
4141

4242
- name: Setup Node.js
43-
uses: actions/setup-node@v4
43+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
4444
with:
4545
node-version: 20
4646
cache: pnpm
@@ -59,13 +59,13 @@ jobs:
5959
runs-on: ubuntu-latest
6060
steps:
6161
- name: Checkout
62-
uses: actions/checkout@v4
62+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
6363

6464
- name: Setup pnpm
65-
uses: pnpm/action-setup@v4
65+
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
6666

6767
- name: Setup Node.js
68-
uses: actions/setup-node@v4
68+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
6969
with:
7070
node-version: 20
7171
cache: pnpm
@@ -81,13 +81,13 @@ jobs:
8181
runs-on: ubuntu-latest
8282
steps:
8383
- name: Checkout
84-
uses: actions/checkout@v4
84+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
8585

8686
- name: Setup pnpm
87-
uses: pnpm/action-setup@v4
87+
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
8888

8989
- name: Setup Node.js
90-
uses: actions/setup-node@v4
90+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
9191
with:
9292
node-version: 20
9393
cache: pnpm
@@ -105,13 +105,13 @@ jobs:
105105
needs: [build]
106106
steps:
107107
- name: Checkout
108-
uses: actions/checkout@v4
108+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
109109

110110
- name: Setup pnpm
111-
uses: pnpm/action-setup@v4
111+
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
112112

113113
- name: Setup Node.js
114-
uses: actions/setup-node@v4
114+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
115115
with:
116116
node-version: 20
117117
cache: pnpm
@@ -131,13 +131,13 @@ jobs:
131131
needs: [build]
132132
steps:
133133
- name: Checkout
134-
uses: actions/checkout@v4
134+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
135135

136136
- name: Setup pnpm
137-
uses: pnpm/action-setup@v4
137+
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
138138

139139
- name: Setup Node.js
140-
uses: actions/setup-node@v4
140+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
141141
with:
142142
node-version: 20
143143
cache: pnpm
@@ -182,7 +182,7 @@ jobs:
182182
DEMO_APP_URL: http://localhost:3000
183183

184184
- name: Upload Playwright report
185-
uses: actions/upload-artifact@v4
185+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
186186
if: always()
187187
with:
188188
name: playwright-report

.github/workflows/preview.yml

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
name: Preview
2+
3+
# Publishes throwaway preview packages for each PR via pkg.pr.new, installable
4+
# from its CDN (e.g. `npm i https://pkg.pr.new/@zerodev/wallet-react@<sha>`).
5+
#
6+
# SECURITY (public repo): uses `pull_request` — NOT `pull_request_target` — and
7+
# NO secrets. Fork PRs run with a read-only token and cannot access anything
8+
# sensitive. pkg.pr.new publishes to its own CDN (never npm) using the Actions
9+
# OIDC identity; its GitHub App posts the PR comment. No NPM_TOKEN is involved.
10+
11+
on:
12+
pull_request:
13+
branches: [main]
14+
15+
permissions:
16+
contents: read
17+
18+
concurrency:
19+
group: preview-${{ github.event.pull_request.number }}
20+
cancel-in-progress: true
21+
22+
jobs:
23+
preview:
24+
name: Publish preview packages
25+
runs-on: ubuntu-latest
26+
# Previews are advisory — a hiccup (or the pkg.pr.new app not yet installed)
27+
# must never block a PR from merging.
28+
continue-on-error: true
29+
steps:
30+
- name: Checkout
31+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
32+
33+
- name: Setup pnpm
34+
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
35+
36+
- name: Setup Node.js
37+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
38+
with:
39+
node-version: 20
40+
cache: pnpm
41+
42+
- name: Install dependencies
43+
run: pnpm install --frozen-lockfile
44+
45+
- name: Build packages
46+
run: pnpm build
47+
48+
# Only the four publishable packages (skips react-kit / native-kit / apps).
49+
- name: Publish previews
50+
run: >
51+
pnpm dlx pkg-pr-new publish --pnpm
52+
'./packages/core'
53+
'./packages/react'
54+
'./packages/react-ui'
55+
'./packages/wallet-react-ui'

.github/workflows/release.yml

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
name: Release
2+
3+
# Changesets-driven release. On every push to `main`:
4+
# - if there are pending changesets → opens/updates the "Version Packages" PR
5+
# (bumps versions, writes CHANGELOGs, deletes changesets)
6+
# - once that PR is merged (versions bumped, no changesets left) → publishes the
7+
# changed packages to npm `latest`, tags them, and cuts GitHub Releases.
8+
#
9+
# SECURITY: runs only on push to `main` (trusted, post-merge code). Publishing
10+
# uses npm Trusted Publishing (OIDC) — no long-lived NPM_TOKEN and no 2FA bypass;
11+
# npm verifies this repo + workflow via GitHub's id-token. Each published package
12+
# must have this repo + `release.yml` configured as a Trusted Publisher on npm.
13+
14+
on:
15+
push:
16+
branches: [main]
17+
18+
concurrency: ${{ github.workflow }}-${{ github.ref }}
19+
20+
permissions:
21+
contents: write # push the Version Packages PR branch + git tags
22+
pull-requests: write # open/update the Version Packages PR
23+
id-token: write # OIDC for npm Trusted Publishing (+ provenance)
24+
25+
jobs:
26+
release:
27+
name: Release
28+
runs-on: ubuntu-latest
29+
steps:
30+
# Mint a short-lived token from the org-owned GitHub App so the "Version
31+
# Packages" PR is opened by the App — that makes the required CI checks run
32+
# on it (a default-GITHUB_TOKEN PR wouldn't trigger workflows). No user PAT.
33+
- name: Generate GitHub App token
34+
id: app-token
35+
uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
36+
with:
37+
app-id: ${{ secrets.RELEASE_APP_ID }}
38+
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
39+
40+
- name: Checkout
41+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
42+
with:
43+
fetch-depth: 0
44+
token: ${{ steps.app-token.outputs.token }}
45+
46+
- name: Setup pnpm
47+
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
48+
49+
- name: Setup Node.js
50+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
51+
with:
52+
node-version: 20
53+
cache: pnpm
54+
registry-url: https://registry.npmjs.org/
55+
56+
- name: Install dependencies
57+
run: pnpm install --frozen-lockfile
58+
59+
# npm Trusted Publishing (OIDC) needs npm >= 11.5.1; node 20 ships npm 10.
60+
- name: Upgrade npm for OIDC publishing
61+
run: npm install -g npm@latest
62+
63+
- name: Create Version PR or publish
64+
uses: changesets/action@a45c4d594aa4e2c509dc14a9f2b3b67ba3780d0d # v1.9.0
65+
with:
66+
version: pnpm changeset:version
67+
publish: pnpm changeset:release:ci
68+
env:
69+
# App token → the Version PR is opened by the App, so the required CI
70+
# checks run on it and it can push past branch protection.
71+
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
72+
# No NPM_TOKEN: publish auth is npm Trusted Publishing via `id-token`.

.github/workflows/release.yml.disabled

Lines changed: 0 additions & 47 deletions
This file was deleted.

.github/workflows/sbom-export.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ jobs:
1414
runs-on: ubuntu-latest
1515
steps:
1616
- name: Checkout Source Code
17-
uses: actions/checkout@v6
17+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
1818

1919
- name: Check for recent changes
2020
id: check

0 commit comments

Comments
 (0)