SDK packages are published manually today: each dev needs a local npm/crates.io token, the process is error-prone, and the published artifacts carry no provenance. Docker images already publish from CI with OIDC and attestations; the SDKs should match that.
Goal
Releasing version 0.14.x should publish all SDK packages from CI with no human-held tokens and with provenance attestations.
Packages:
- npm:
@openzeppelin/guardian-client, @openzeppelin/guardian-evm-client, @openzeppelin/guardian-operator-client, @openzeppelin/miden-multisig-client
- cargo:
guardian-shared, guardian-client, miden-multisig-client, miden-confidential-contracts
Requirements for both
- Trigger on tag/release or workflow_dispatch. Run under environment: release, with harden-runner and every action reference pinned to a full commit SHA.
- Publish in dependency order: a package's in-repo dependencies must already be on the registry before it is published.
- No long-lived tokens: OIDC trusted publishing against npm and crates.io, with nothing stored on dev machines or as repo secrets.
- Idempotent: if a version is already on the registry, skip it so a re-run does not fail; fail cleanly on any other error.
- Update docs/SERVER_AWS_DEPLOY.md + release-guardian-sdk-packages skill
Out of scope
Docker publishing, version bumping/changelogs
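Sketch of what the workflow could look like, added here as an illustration rather than the project's actual workflow. It assumes tags of the form v0.14.x, that the npm packages are members of an npm workspace, that the crates are members of the cargo workspace, that trusted publishing is already configured for every package on npmjs.com and crates.io, and that the publish order shown is the real dependency order (it is a guess from the package names). Each <sha> is a placeholder for the pinned commit.

```yaml
# .github/workflows/release-sdks.yml (example sketch, not the project's file)
name: release-sdks

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      version:
        description: "Version to publish, e.g. 0.14.0"
        required: true

permissions:
  contents: read

jobs:
  npm:
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: read
      id-token: write          # OIDC token for npm trusted publishing
    steps:
      - uses: step-security/harden-runner@<sha>   # pin to a full commit SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@<sha>
      - uses: actions/setup-node@<sha>
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs npm >= 11.5.1
      - run: npm ci
      - name: Publish npm packages in dependency order
        env:
          VERSION: ${{ inputs.version || github.event.release.tag_name }}
        run: |
          set -euo pipefail
          ver="${VERSION#v}"
          # Order is an assumption: the base client first, then packages built on it.
          for pkg in @openzeppelin/guardian-client \
                     @openzeppelin/guardian-evm-client \
                     @openzeppelin/guardian-operator-client \
                     @openzeppelin/miden-multisig-client; do
            # Idempotency: npm view prints the version only if it is already published.
            if npm view "$pkg@$ver" version 2>/dev/null | grep -qx "$ver"; then
              echo "$pkg@$ver already published, skipping"
              continue
            fi
            npm publish --workspace "$pkg" --provenance --access public
          done

  cargo:
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: read
      id-token: write          # OIDC token for crates.io trusted publishing
      attestations: write      # build provenance for the .crate files
    steps:
      - uses: step-security/harden-runner@<sha>
        with:
          egress-policy: audit
      - uses: actions/checkout@<sha>
      - uses: dtolnay/rust-toolchain@<sha>
      - id: auth
        uses: rust-lang/crates-io-auth-action@<sha>
      - name: Publish crates in dependency order
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
          VERSION: ${{ inputs.version || github.event.release.tag_name }}
        run: |
          set -euo pipefail
          ver="${VERSION#v}"
          # Order is an assumption: guardian-shared is treated as the root crate.
          for crate in guardian-shared guardian-client \
                       miden-multisig-client miden-confidential-contracts; do
            # Idempotency: crates.io returns 200 for an existing version.
            # The API rejects requests without a User-Agent, hence -A.
            if curl -fsS -A "release-sdks (GitHub Actions)" \
                 "https://crates.io/api/v1/crates/$crate/$ver" >/dev/null; then
              echo "$crate $ver already published, skipping"
              continue
            fi
            cargo publish -p "$crate" --locked
          done
      - uses: actions/attest-build-provenance@<sha>
        with:
          subject-path: target/package/*.crate
```

Trusted publishing has to be set up once per package on each registry (repository, workflow file name and the release environment name), otherwise the OIDC exchange is refused. The crates.io check is done against the API instead of relying on cargo publish failing, because cargo treats an already-uploaded version as a hard error and the re-run would stop there.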