feat: support args.receiverAddress override + allow zero ERC-20 appro… #11
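name: Release

on:
  push:
    tags:
      - "v*"

# SECURITY: default-deny at the workflow level. Each job re-declares only the
# scopes it needs: id-token for OIDC, attestations for provenance, and
# contents:write solely in the job that creates the GitHub release.
permissions:
  contents: read

# Pinned toolchain versions, declared once and referenced from every job.
env:
  NODE_VERSION: "22"
  PNPM_VERSION: "10.12.2"

jobs:
  # ==========================================
  # Job 1: Security Audit (gates all other jobs)
  # ==========================================
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # Full history is required for the merge-base check below.
          fetch-depth: 0

      # Refuse to release from a tag that points at a commit outside main
      # (a tag pushed from a feature branch, or a rewritten commit).
      # github.sha is a fixed-format commit hash, so interpolating it into the
      # script is safe; never do this with user-controlled refs or titles.
      # The check is repeated in every job because each runs on a fresh
      # runner; it guards against a misconfigured `needs` graph.
      - name: Verify tag is on main
        shell: bash
        run: |
          git fetch origin main
          if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
            echo "::error::Tagged commit is not on main branch — aborting release"
            exit 1
          fi

      - name: Setup Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Install pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
        with:
          version: ${{ env.PNPM_VERSION }}

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # Fails only on critical advisories. Lower the threshold (e.g. high)
      # once the dependency tree is clean enough to sustain it.
      - name: Security audit
        run: pnpm audit --audit-level=critical

  # ==========================================
  # Job 2: Publish to NPM
  # ==========================================
  publish:
    name: Publish to NPM
    needs: security-audit
    runs-on: ubuntu-latest
    # Bind the publish identity to the protected environment so required
    # reviewers / deployment branch rules apply before the OIDC token is minted.
    environment: production
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          fetch-depth: 0

      - name: Verify tag is on main
        shell: bash
        run: |
          git fetch origin main
          if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
            echo "::error::Tagged commit is not on main branch — aborting publish"
            exit 1
          fi

      - name: Setup Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: ${{ env.NODE_VERSION }}
          registry-url: "https://registry.npmjs.org"

      - name: Install pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
        with:
          version: ${{ env.PNPM_VERSION }}

      # Trusted publishing (OIDC) needs npm 11.5.1 or later. Pin an exact
      # version instead of floating on @latest so the job that holds the
      # publish identity never pulls an unreviewed npm at release time;
      # bump the pin deliberately.
      - name: Update npm
        run: npm install -g npm@11.5.1

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Run tests
        run: pnpm test

      - name: Build package
        run: pnpm run build

      # --no-git-checks is needed because the checkout is a detached HEAD on
      # the tag; the "is this commit on main" step above provides the
      # equivalent guarantee. No NODE_AUTH_TOKEN is configured: auth is the
      # OIDC token (id-token: write) plus the package's trusted-publisher entry.
      - name: Publish to NPM
        run: pnpm publish --access public --no-git-checks

  # ==========================================
  # Job 3: Build binaries for all platforms
  # ==========================================
  build-binaries:
    name: Build Binary (${{ matrix.platform }}-${{ matrix.arch }})
    needs: security-audit
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
      attestations: write
      id-token: write
    strategy:
      matrix:
        include:
          - os: ubuntu-latest
            platform: linux
            arch: x64
          - os: macos-latest
            platform: darwin
            arch: arm64
          # darwin-x64 is built on the arm64 runner with an x64 Node (Rosetta).
          - os: macos-latest
            platform: darwin
            arch: x64
            node_arch: x64
          - os: windows-latest
            platform: win32
            arch: x64
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          fetch-depth: 0

      - name: Verify tag is on main
        shell: bash
        run: |
          git fetch origin main
          if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
            echo "::error::Tagged commit is not on main branch — aborting build"
            exit 1
          fi

      - name: Setup Node.js
        if: ${{ !matrix.node_arch }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Setup Node.js (x64 via Rosetta)
        if: ${{ matrix.node_arch }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: ${{ env.NODE_VERSION }}
          architecture: ${{ matrix.node_arch }}

      - name: Install pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
        with:
          version: ${{ env.PNPM_VERSION }}

      - name: Get pnpm store directory
        shell: bash
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> "$GITHUB_ENV"

      # Tag refs can only restore caches written by this ref or the default
      # branch, so a PR cannot seed this cache; the arch is part of the key so
      # the two darwin matrix entries do not race to save the same entry.
      # Drop this step entirely if a fully hermetic release build is wanted.
      - name: Setup pnpm cache
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-${{ matrix.arch }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.arch }}-pnpm-store-

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build TypeScript
        run: pnpm build

      - name: Bundle CLI for SEA
        run: pnpm build:cli:bundle

      - name: Prepare SEA blob
        run: pnpm build:sea:prepare

      - name: Build binary
        run: pnpm build:sea

      # Single source of truth for the release file name; the rename,
      # checksum, attestation and upload steps all read ARTIFACT from the
      # environment instead of re-deriving it.
      - name: Resolve artifact name
        shell: bash
        run: |
          if [ "${{ matrix.platform }}" = "win32" ]; then
            echo "ARTIFACT=shield-windows-${{ matrix.arch }}.exe" >> "$GITHUB_ENV"
          else
            echo "ARTIFACT=shield-${{ matrix.platform }}-${{ matrix.arch }}" >> "$GITHUB_ENV"
          fi

      # build:sea emits a platform-suffixed file on Unix but plain shield.exe
      # on Windows (assumed from the original step layout — confirm against
      # the build script).
      - name: Rename binary (Windows)
        if: matrix.platform == 'win32'
        shell: bash
        run: mv shield.exe "$ARTIFACT"

      - name: Generate checksum (Unix)
        if: matrix.platform != 'win32'
        shell: bash
        run: |
          shasum -a 256 "$ARTIFACT" > "$ARTIFACT.sha256"
          cat "$ARTIFACT.sha256"

      # Same "<hash>  <file>\n" layout as shasum (two spaces, LF, no BOM) so a
      # single `shasum -c` / `sha256sum -c` verifies every platform's file.
      - name: Generate checksum (Windows)
        if: matrix.platform == 'win32'
        shell: pwsh
        run: |
          $hash = (Get-FileHash -Algorithm SHA256 $env:ARTIFACT).Hash.ToLower()
          "$hash  $($env:ARTIFACT)`n" | Out-File -Encoding utf8 -NoNewline "$($env:ARTIFACT).sha256"
          Get-Content "$($env:ARTIFACT).sha256"

      # Signed build provenance for the binary itself (consumers verify with
      # `gh attestation verify <file> --owner <org>`). The .sha256 file is a
      # human convenience derived from the binary and is not attested.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@e4d4f7c39adfa4c260fb5c147f0622000aa14b99
        with:
          subject-path: ${{ env.ARTIFACT }}

      - name: Upload artifacts
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: binary-${{ matrix.platform }}-${{ matrix.arch }}
          path: |
            ${{ env.ARTIFACT }}
            ${{ env.ARTIFACT }}.sha256

  # ==========================================
  # Job 4: Create GitHub Release with all binaries
  # ==========================================
  create-release:
    name: Create GitHub Release
    # Deliberately independent of `publish`: a rejected or failed npm publish
    # does not block shipping the binaries, and vice versa. Use
    # `needs: [build-binaries, publish]` if the two must be all-or-nothing.
    needs: build-binaries
    runs-on: ubuntu-latest
    # The only job with write access to the repository.
    permissions:
      contents: write
    steps:
      # Artifacts are scoped to this workflow run, so only files produced by
      # the attested build-binaries jobs above can be downloaded here.
      - name: Download all artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          pattern: binary-*
          merge-multiple: true

      - name: List release files
        run: ls -la shield-*

      - name: Create Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
        with:
          files: shield-*
          # Never create an asset-less release if the glob matches nothing.
          fail_on_unmatched_files: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}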