Merge pull request #686 from Dstack-TEE/feat/sdk-release-workflows

Leechael · web-flow · commit 5c37b2574069 · 2026-06-01T17:57:41.000+08:00
feat(ci): add trusted publisher release workflows for JS and Python SDKs
diff --git a/.github/workflows/js-sdk-release.yml b/.github/workflows/js-sdk-release.yml
@@ -0,0 +1,114 @@
+# SPDX-FileCopyrightText: © 2025 Phala Network <dstack@phala.network>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish JS SDK to npm
+on:
+  push:
+    tags: ['js-sdk-v*']
+  workflow_dispatch:
+    inputs:
+      npm_tag:
+        description: 'npm dist-tag (latest, beta, canary)'
+        required: true
+        default: 'latest'
+        type: choice
+        options:
+          - latest
+          - beta
+          - canary
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Verify OIDC token availability
+        run: |
+          if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" ]; then
+            echo "OIDC token available"
+          else
+            echo "OIDC token NOT available"
+            echo "Check workflow permissions include 'id-token: write'"
+            exit 1
+          fi
+
+      - name: Verify repository configuration
+        working-directory: sdk/js
+        run: |
+          echo "Checking repository consistency..."
+          GIT_REPO=$(git remote get-url origin | sed 's/.*github.com[/:]//; s/.git$//')
+          PKG_REPO=$(node -e "console.log(require('./package.json').repository?.url || '')" | sed 's|https://github.com/||; s|git+||; s|.git$||')
+          echo "Git remote:   $GIT_REPO"
+          echo "package.json: $PKG_REPO"
+          if [ "$GIT_REPO" != "$PKG_REPO" ]; then
+            echo "Repository mismatch!"
+            echo "This will cause 422 error during publish"
+            exit 1
+          fi
+          echo "Repositories match"
+
+      - name: Install dependencies
+        working-directory: sdk/js
+        run: npm install
+
+      - name: Build
+        working-directory: sdk/js
+        run: npm run build
+
+      - name: Determine version and npm dist-tag
+        id: tag
+        working-directory: sdk/js
+        run: |
+          PKG_VERSION=$(node -e "console.log(require('./package.json').version)")
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="$PKG_VERSION"
+            echo "tag=${{ github.event.inputs.npm_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            TAG_VERSION="${GITHUB_REF_NAME#js-sdk-v}"
+            if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+              echo "::error::tag version ($TAG_VERSION) does not match package.json version ($PKG_VERSION)"
+              exit 1
+            fi
+            VERSION="$TAG_VERSION"
+            # auto-detect from git tag: js-sdk-v0.5.8-beta.1 -> beta
+            if echo "$VERSION" | grep -qiE '(beta|alpha|rc|preview)'; then
+              echo "tag=beta" >> "$GITHUB_OUTPUT"
+            else
+              echo "tag=latest" >> "$GITHUB_OUTPUT"
+            fi
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Publish to npm
+        working-directory: sdk/js
+        run: |
+          NPM_TAG="${{ steps.tag.outputs.tag }}"
+          echo "Publishing with dist-tag: $NPM_TAG"
+          npm publish --access public --provenance --tag "$NPM_TAG"
+
+      - name: GitHub Release
+        if: github.event_name == 'push'
+        uses: softprops/action-gh-release@v1
+        with:
+          name: "JS SDK v${{ steps.tag.outputs.version }}"
+          body: |
+            ## npm Package
+
+            **Package**: `@phala/dstack-sdk@${{ steps.tag.outputs.version }}`
+
+            **Install**: `npm install @phala/dstack-sdk@${{ steps.tag.outputs.version }}`
+
+            **Dist-tag**: `${{ steps.tag.outputs.tag }}`
+
+            **Registry**: https://www.npmjs.com/package/@phala/dstack-sdk/v/${{ steps.tag.outputs.version }}
diff --git a/.github/workflows/python-sdk-release.yml b/.github/workflows/python-sdk-release.yml
@@ -0,0 +1,92 @@
+# SPDX-FileCopyrightText: © 2025 Phala Network <dstack@phala.network>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish Python SDK to PyPI
+on:
+  push:
+    tags: ['python-sdk-v*']
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'Publish target'
+        required: true
+        default: 'pypi'
+        type: choice
+        options:
+          - pypi
+          - testpypi
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install PDM
+        run: pip install pdm
+
+      - name: Build distribution
+        working-directory: sdk/python
+        run: pdm build
+
+      - name: Parse and verify version
+        id: version
+        working-directory: sdk/python
+        run: |
+          PKG_VERSION=$(python -c "
+          import re
+          with open('pyproject.toml') as f:
+              m = re.search(r'^version\s*=\s*\"([^\"]+)\"', f.read(), re.M)
+              print(m.group(1) if m else '')
+          ")
+          if [ -z "$PKG_VERSION" ]; then
+            echo "::error::failed to parse version from pyproject.toml"
+            exit 1
+          fi
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="$PKG_VERSION"
+          else
+            TAG_VERSION="${GITHUB_REF_NAME#python-sdk-v}"
+            if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+              echo "::error::tag version ($TAG_VERSION) does not match pyproject.toml version ($PKG_VERSION)"
+              exit 1
+            fi
+            VERSION="$TAG_VERSION"
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Publish to PyPI
+        if: github.event_name == 'push' || github.event.inputs.target == 'pypi'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: sdk/python/dist
+
+      - name: Publish to TestPyPI
+        if: github.event_name == 'workflow_dispatch' && github.event.inputs.target == 'testpypi'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          packages-dir: sdk/python/dist
+
+      - name: GitHub Release
+        if: github.event_name == 'push'
+        uses: softprops/action-gh-release@v1
+        with:
+          name: "Python SDK v${{ steps.version.outputs.version }}"
+          body: |
+            ## PyPI Package
+
+            **Package**: `dstack-sdk ${{ steps.version.outputs.version }}`
+
+            **Install**: `pip install dstack-sdk==${{ steps.version.outputs.version }}`
+
+            **Registry**: https://pypi.org/project/dstack-sdk/${{ steps.version.outputs.version }}/
diff --git a/sdk/js/.gitignore b/sdk/js/.gitignore
@@ -2,3 +2,5 @@ node_modules/
 dist/
 *.log
 package-lock.json
+.claude/settings.local.json
+.claude/settings.local.json.license
diff --git a/sdk/js/package.json b/sdk/js/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@phala/dstack-sdk",
-  "version": "0.5.7",
+  "version": "0.5.8-beta.0",
   "description": "dstack SDK",
   "main": "dist/node/index.js",
   "types": "dist/node/index.d.ts",
@@ -92,14 +92,19 @@
     "dstack",
     "Phala"
   ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Dstack-TEE/dstack",
+    "directory": "sdk/js"
+  },
   "author": "Leechael Yim",
   "license": "Apache-2.0",
   "dependencies": {
     "crypto-browserify": "^3.12.0"
   },
   "devDependencies": {
     "@types/node": "latest",
-    "typescript": "latest",
+    "typescript": "^5.7.0",
     "vitest": "^3.2.4"
   },
   "optionalDependencies": {
diff --git a/sdk/js/src/encrypt-env-vars.ts b/sdk/js/src/encrypt-env-vars.ts
@@ -40,7 +40,7 @@ export async function encryptEnvVars(envs: EnvVar[], publicKeyHex: string) {
   // Import shared key for AES-GCM
   const importedShared = await crypto.subtle.importKey(
     "raw",
-    shared,
+    new Uint8Array(shared),
     { name: "AES-GCM", length: 256 },
     true,
     ["encrypt"],
@@ -64,4 +64,4 @@ export async function encryptEnvVars(envs: EnvVar[], publicKeyHex: string) {
   result.set(new Uint8Array(encrypted), publicKey.length + iv.length);
 
   return uint8ArrayToHex(result);
-}
+}
diff --git a/sdk/js/tsconfig.browser.json b/sdk/js/tsconfig.browser.json
@@ -1,18 +1,18 @@
 {
   "extends": "./tsconfig.json",
   "compilerOptions": {
-    "target": "es2018",
+    "target": "es2020",
     "module": "es2015",
-    "lib": ["es2018", "dom"],
+    "lib": ["es2020", "dom"],
     "outDir": "./dist/browser",
     "declaration": true,
     "declarationMap": true,
     "sourceMap": true
   },
   "include": [
     "src/encrypt-env-vars.browser.ts",
-    "src/get-compose-hash.browser.ts", 
+    "src/get-compose-hash.browser.ts",
     "src/verify-env-encrypt-public-key.browser.ts"
   ],
   "exclude": ["node_modules", "**/*.test.ts"]
-}
+}
diff --git a/sdk/js/tsconfig.json b/sdk/js/tsconfig.json
@@ -1,8 +1,8 @@
 {
   "compilerOptions": {
-    "target": "es2018",
+    "target": "es2020",
     "module": "commonjs",
-    "lib": ["es2018"],
+    "lib": ["es2020"],
     "declaration": true,
     "declarationMap": true,
     "sourceMap": true,
diff --git a/sdk/js/tsconfig.node.json b/sdk/js/tsconfig.node.json
@@ -1,14 +1,14 @@
 {
   "extends": "./tsconfig.json",
   "compilerOptions": {
-    "target": "es2018",
+    "target": "es2020",
     "module": "commonjs",
-    "lib": ["es2018"],
+    "lib": ["es2020"],
     "outDir": "./dist/node",
     "declaration": true,
     "declarationMap": true,
     "sourceMap": true
   },
   "include": ["src/**/*"],
   "exclude": ["node_modules", "**/*.test.ts", "src/*.browser.ts"]
-}
+}
diff --git a/sdk/python/pyproject.toml b/sdk/python/pyproject.toml
@@ -4,7 +4,7 @@
 
 [project]
 name = "dstack-sdk"
-version = "0.5.3"
+version = "0.5.4b0"
 description = "dstack SDK for Python"
 authors = [
     {name = "Leechael Yim", email = "yanleech@gmail.com"},
@@ -103,7 +103,7 @@ repository = "pypi"
 fmt = {composite = ["ruff format src/ tests/", "ruff check --fix src/ tests/"]}
 format = {composite = ["ruff format src/ tests/", "ruff check --fix src/ tests/"]}
 
-# Linting scripts  
+# Linting scripts
 lint = {composite = ["ruff check src/ tests/", "mypy src/"]}
 check = {composite = ["ruff check src/ tests/", "ruff format --check src/ tests/", "mypy src/"]}
 
@@ -134,4 +134,4 @@ solana = [
 ]
 ethereum = [
     "web3",
-]
+]
