|
| 1 | +# Contributing |
| 2 | + |
| 3 | +## Development setup |
| 4 | + |
| 5 | +```bash |
| 6 | +git clone git@github.com:zerodevapp/zerodev-wallet-sdk.git |
| 7 | +cd zerodev-wallet-sdk |
| 8 | +pnpm install |
| 9 | +pnpm build |
| 10 | +``` |
| 11 | + |
| 12 | +Common scripts: `pnpm test`, `pnpm lint`, `pnpm typecheck`. PR titles follow |
| 13 | +[Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`, |
| 14 | +`chore:`, `refactor:`, `build:`, …). |
| 15 | + |
| 16 | +## Releasing |
| 17 | + |
| 18 | +Releases are automated with [Changesets](https://github.com/changesets/changesets) |
| 19 | +and published to npm from CI. **Nobody runs `npm publish` locally, and there are |
| 20 | +no npm tokens** — CI authenticates to npm via GitHub OIDC ([npm Trusted |
| 21 | +Publishing](https://docs.npmjs.com/trusted-publishers)) and every publish carries |
| 22 | +a signed provenance attestation. |
| 23 | + |
| 24 | +### Publishable packages |
| 25 | + |
| 26 | +| Package | Path | |
| 27 | +|---|---| |
| 28 | +| `@zerodev/wallet-core` | `packages/core` | |
| 29 | +| `@zerodev/wallet-react` | `packages/react` | |
| 30 | +| `@zerodev/react-ui` | `packages/react-ui` | |
| 31 | +| `@zerodev/wallet-react-ui` | `packages/wallet-react-ui` | |
| 32 | + |
| 33 | +`@zerodev/wallet-react-native-kit` is private and ignored by the release tooling. |
| 34 | + |
| 35 | +### The flow — two merges, zero manual publishing |
| 36 | + |
| 37 | +**1. Add a changeset to your PR.** If your change affects a published package: |
| 38 | + |
| 39 | +```bash |
| 40 | +pnpm changeset |
| 41 | +``` |
| 42 | + |
| 43 | +- select the package(s) and the bump type (`patch` / `minor` / `major`) |
| 44 | +- write a one-line summary — it becomes the CHANGELOG entry (prefix `feat:` / |
| 45 | + `fix:` to match existing entries) |
| 46 | +- commit the generated `.changeset/*.md` file **in your PR** |
| 47 | + |
| 48 | +Skip this for changes that don't affect a published package (docs, CI, tests, the |
| 49 | +demo app, or refactors with no output change). No changeset simply means no |
| 50 | +release — that's fine. |
| 51 | + |
| 52 | +> **Bump type:** everything is pre-1.0 (`0.0.x`), so nearly everything is a |
| 53 | +> `patch` today. Use `minor` for notable new API, `major` only after 1.0. |
| 54 | +
|
| 55 | +**2. Merge your PR → a "Version Packages" PR appears.** On merge to `main`, the |
| 56 | +release workflow opens (or updates) a PR titled **"Version Packages"**. It bumps |
| 57 | +versions, rewrites CHANGELOGs, and deletes the consumed changesets. Dependent |
| 58 | +packages are bumped automatically (e.g. bumping `wallet-react` also bumps |
| 59 | +`wallet-react-ui`, which depends on it). |
| 60 | + |
| 61 | +**3. Merge the "Version Packages" PR → publish.** That merge triggers the publish: |
| 62 | +CI builds, then `changeset publish` pushes the changed packages to npm `latest` |
| 63 | +with provenance and creates git tags. |
| 64 | + |
| 65 | +### Requirements for a publishable package |
| 66 | + |
| 67 | +Every publishable package's `package.json` **must** have a `repository` field with |
| 68 | +the monorepo URL and its `directory`: |
| 69 | + |
| 70 | +```json |
| 71 | +"repository": { |
| 72 | + "type": "git", |
| 73 | + "url": "git+https://github.com/zerodevapp/zerodev-wallet-sdk.git", |
| 74 | + "directory": "packages/<name>" |
| 75 | +} |
| 76 | +``` |
| 77 | + |
| 78 | +npm's provenance check **rejects the publish with `E422`** if this is missing or |
| 79 | +empty. The package must also not be marked `"private": true`. When adding a new |
| 80 | +publishable package, set both before its first release. |
| 81 | + |
| 82 | +### PR preview packages |
| 83 | + |
| 84 | +Every PR automatically publishes throwaway preview builds via |
| 85 | +[pkg.pr.new](https://pkg.pr.new) (no npm token — its own CDN). Install one to test |
| 86 | +a branch before it's released: |
| 87 | + |
| 88 | +```bash |
| 89 | +npm i https://pkg.pr.new/@zerodev/wallet-react@<pr-sha> |
| 90 | +``` |
| 91 | + |
| 92 | +The exact install commands are posted as a comment on each PR. |
| 93 | + |
| 94 | +### How auth works (nothing long-lived to leak) |
| 95 | + |
| 96 | +- **Publishing:** npm Trusted Publishing (OIDC). CI proves its identity to npm via |
| 97 | + a short-lived `id-token`; there is no `NPM_TOKEN`. Each package has this repo + |
| 98 | + `release.yml` registered as its Trusted Publisher on npm. |
| 99 | +- **The "Version Packages" PR:** opened by a GitHub App (short-lived installation |
| 100 | + token), so the required CI checks run on it. A PR opened by the default |
| 101 | + `GITHUB_TOKEN` wouldn't trigger workflows and could never satisfy branch |
| 102 | + protection. |
| 103 | +- Third-party GitHub Actions are pinned to commit SHAs and kept current by |
| 104 | + Dependabot. |
| 105 | + |
| 106 | +### Good to know |
| 107 | + |
| 108 | +- The published code is always code that passed CI: the "Version Packages" PR must |
| 109 | + go green before it can merge. The release job itself does not re-run the test |
| 110 | + suite — branch protection on `main` is the gate. |
| 111 | +- `changeset publish` is not atomic. If one package fails to publish (e.g. a |
| 112 | + provenance error) but a dependent already published, fix the cause and merge — |
| 113 | + the next release run publishes any package whose version isn't yet on npm. |
0 commit comments