merge: resolve spdx-check.yml conflict (keep CI_RUNNER override + checkout@v5)

Merge origin/master into merge/cloud-into-mainline to clear the PR conflict.
Only conflict was .github/workflows/spdx-check.yml: kept the branch's
vars.CI_RUNNER runner override and adopted master's actions/checkout@v5 bump.
master's emit_runtime_event hardening (EMIT_LOCK) auto-merged cleanly with the
cloud TPM PCR-extend path; the lock now covers both TDX and TPM extension.

Author: kvinwang

.github/workflows/docker-build-check.yml

@@ -18,7 +18,7 @@ jobs:
   gateway:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -62,7 +62,9 @@ jobs:
   kms:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          submodules: recursive
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -103,16 +105,18 @@ jobs:
           build/shared/verify-pinned-packages.sh kms-builder-check:latest \
             kms/dstack-app/builder/shared/builder-pinned-packages.txt
 
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+
       - name: Build KMS contracts
         run: |
           cd kms/auth-eth
-          npm ci
-          npx hardhat compile
+          forge build
 
   verifier:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

.github/workflows/foundry-test.yml

@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: © 2025 Phala Network <dstack@phala.network>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: KMS Auth-ETH Foundry Tests
+
+on:
+  push:
+    paths:
+      - 'kms/auth-eth/**'
+      - '.github/workflows/foundry-test.yml'
+  pull_request:
+    paths:
+      - 'kms/auth-eth/**'
+      - '.github/workflows/foundry-test.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  FOUNDRY_PROFILE: ci
+
+jobs:
+  check:
+    name: Foundry project
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: kms/auth-eth
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          submodules: recursive
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+
+      - name: Show Forge version
+        run: |
+          forge --version
+
+      - name: Run Forge fmt
+        run: |
+          forge fmt --check
+        id: fmt
+
+      - name: Run Forge build
+        run: |
+          forge build --sizes
+        id: build
+
+      - name: Run Forge tests
+        run: |
+          forge test --ffi -vvv
+        id: test

.github/workflows/gateway-release.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Parse version from tag
         run: |
@@ -68,7 +68,7 @@ jobs:
           push-to-registry: true
 
       - name: GitHub Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           name: "Gateway Release v${{ env.VERSION }}"
           body: |

.github/workflows/js-sdk-release.yml

@@ -0,0 +1,119 @@
+# SPDX-FileCopyrightText: © 2025 Phala Network <dstack@phala.network>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish JS SDK to npm
+on:
+  push:
+    tags: ['js-sdk-v*']
+  workflow_dispatch:
+    inputs:
+      npm_tag:
+        description: 'npm dist-tag (latest, beta, canary)'
+        required: true
+        default: 'latest'
+        type: choice
+        options:
+          - latest
+          - beta
+          - canary
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Upgrade npm for trusted publishers support
+        run: |
+          npm install -g npm@latest
+          echo "npm: $(npm --version)"
+
+      - name: Verify OIDC token availability
+        run: |
+          if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" ]; then
+            echo "OIDC token available"
+          else
+            echo "OIDC token NOT available"
+            echo "Check workflow permissions include 'id-token: write'"
+            exit 1
+          fi
+
+      - name: Verify repository configuration
+        working-directory: sdk/js
+        run: |
+          echo "Checking repository consistency..."
+          GIT_REPO=$(git remote get-url origin | sed 's/.*github.com[/:]//; s/.git$//')
+          PKG_REPO=$(node -e "console.log(require('./package.json').repository?.url || '')" | sed 's|https://github.com/||; s|git+||; s|.git$||')
+          echo "Git remote:   $GIT_REPO"
+          echo "package.json: $PKG_REPO"
+          if [ "$GIT_REPO" != "$PKG_REPO" ]; then
+            echo "Repository mismatch!"
+            echo "This will cause 422 error during publish"
+            exit 1
+          fi
+          echo "Repositories match"
+
+      - name: Install dependencies
+        working-directory: sdk/js
+        run: npm install
+
+      - name: Build
+        working-directory: sdk/js
+        run: npm run build
+
+      - name: Determine version and npm dist-tag
+        id: tag
+        working-directory: sdk/js
+        run: |
+          PKG_VERSION=$(node -e "console.log(require('./package.json').version)")
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="$PKG_VERSION"
+            echo "tag=${{ github.event.inputs.npm_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            TAG_VERSION="${GITHUB_REF_NAME#js-sdk-v}"
+            if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+              echo "::error::tag version ($TAG_VERSION) does not match package.json version ($PKG_VERSION)"
+              exit 1
+            fi
+            VERSION="$TAG_VERSION"
+            # auto-detect from git tag: js-sdk-v0.5.8-beta.1 -> beta
+            if echo "$VERSION" | grep -qiE '(beta|alpha|rc|preview)'; then
+              echo "tag=beta" >> "$GITHUB_OUTPUT"
+            else
+              echo "tag=latest" >> "$GITHUB_OUTPUT"
+            fi
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Publish to npm
+        working-directory: sdk/js
+        run: |
+          NPM_TAG="${{ steps.tag.outputs.tag }}"
+          echo "Publishing with dist-tag: $NPM_TAG"
+          npm publish --access public --provenance --tag "$NPM_TAG"
+
+      - name: GitHub Release
+        if: github.event_name == 'push'
+        uses: softprops/action-gh-release@v2
+        with:
+          name: "JS SDK v${{ steps.tag.outputs.version }}"
+          body: |
+            ## npm Package
+
+            **Package**: `@phala/dstack-sdk@${{ steps.tag.outputs.version }}`
+
+            **Install**: `npm install @phala/dstack-sdk@${{ steps.tag.outputs.version }}`
+
+            **Dist-tag**: `${{ steps.tag.outputs.tag }}`
+
+            **Registry**: https://www.npmjs.com/package/@phala/dstack-sdk/v/${{ steps.tag.outputs.version }}

.github/workflows/kms-release.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Parse version from tag
         run: |
@@ -68,26 +68,22 @@ jobs:
           subject-digest: ${{ steps.build-and-push.outputs.digest }}
           push-to-registry: true
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '18'
-          cache: 'npm'
-          cache-dependency-path: kms/auth-eth/package-lock.json
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
 
-      - name: Install dependencies and compile contracts
+      - name: Compile contracts with Foundry
         run: |
           cd kms/auth-eth
-          npm ci
-          npx hardhat compile
+          forge install
+          forge build
 
       - name: GitHub Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           name: "KMS Release v${{ env.VERSION }}"
           files: |
-            kms/auth-eth/artifacts/contracts/DstackKms.sol/DstackKms.json
-            kms/auth-eth/artifacts/contracts/DstackApp.sol/DstackApp.json
+            kms/auth-eth/out/DstackKms.sol/DstackKms.json
+            kms/auth-eth/out/DstackApp.sol/DstackApp.json
           body: |
             ## Docker Image Information
 

.github/workflows/prek-check.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
       with:
         fetch-depth: 0
 

.github/workflows/python-sdk-release.yml

@@ -0,0 +1,92 @@
+# SPDX-FileCopyrightText: © 2025 Phala Network <dstack@phala.network>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish Python SDK to PyPI
+on:
+  push:
+    tags: ['python-sdk-v*']
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'Publish target'
+        required: true
+        default: 'pypi'
+        type: choice
+        options:
+          - pypi
+          - testpypi
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install PDM
+        run: pip install pdm
+
+      - name: Build distribution
+        working-directory: sdk/python
+        run: pdm build
+
+      - name: Parse and verify version
+        id: version
+        working-directory: sdk/python
+        run: |
+          PKG_VERSION=$(python -c "
+          import re
+          with open('pyproject.toml') as f:
+              m = re.search(r'^version\s*=\s*\"([^\"]+)\"', f.read(), re.M)
+              print(m.group(1) if m else '')
+          ")
+          if [ -z "$PKG_VERSION" ]; then
+            echo "::error::failed to parse version from pyproject.toml"
+            exit 1
+          fi
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="$PKG_VERSION"
+          else
+            TAG_VERSION="${GITHUB_REF_NAME#python-sdk-v}"
+            if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+              echo "::error::tag version ($TAG_VERSION) does not match pyproject.toml version ($PKG_VERSION)"
+              exit 1
+            fi
+            VERSION="$TAG_VERSION"
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Publish to PyPI
+        if: github.event_name == 'push' || github.event.inputs.target == 'pypi'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: sdk/python/dist
+
+      - name: Publish to TestPyPI
+        if: github.event_name == 'workflow_dispatch' && github.event.inputs.target == 'testpypi'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          packages-dir: sdk/python/dist
+
+      - name: GitHub Release
+        if: github.event_name == 'push'
+        uses: softprops/action-gh-release@v2
+        with:
+          name: "Python SDK v${{ steps.version.outputs.version }}"
+          body: |
+            ## PyPI Package
+
+            **Package**: `dstack-sdk ${{ steps.version.outputs.version }}`
+
+            **Install**: `pip install dstack-sdk==${{ steps.version.outputs.version }}`
+
+            **Registry**: https://pypi.org/project/dstack-sdk/${{ steps.version.outputs.version }}/

.github/workflows/rust.yml

@@ -17,7 +17,7 @@ jobs:
   rust-checks:
     runs-on: ${{ vars.CI_RUNNER || 'ubuntu-latest' }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
 
     - name: Install Rust
       uses: dtolnay/rust-toolchain@1.86