
Added npm publish workflow for both sdks #53

Open
DeveloperAmrit wants to merge 2 commits into DjedAlliance:main from DeveloperAmrit:fix-42-npm-publish

Conversation

DeveloperAmrit (Contributor) commented Jan 24, 2026

Fixes #42

Pre-requisites

  • Ensure the NPM_TOKEN secret is configured in the repository settings.

Summary
This PR introduces a GitHub Actions workflow to automate the publishing of the djed-sdk and stablepay-sdk packages to the NPM registry. The workflow ensures that only updated versions of the packages are published, improving the release process's efficiency and reliability.

Key features

  1. Trigger condition
  • The workflow runs on push events to the main or master branches.
  • It monitors changes to djed-sdk/package.json and stablepay-sdk/package.json.
  2. Version check
  • Compares the local version in package.json with the published version on NPM.
  • Publishes the package only if the version has changed.
  3. Retry mechanisms
  • Handles network issues during version checks, dependency installation, and publishing with retry loops.
  4. Build and publish
  • Installs dependencies using npm ci.
  • Builds the package using npm run build.
  • Publishes the package to NPM using the NODE_AUTH_TOKEN secret.

Workflow details

  1. Jobs
  • publish-djed-sdk: Handles the djed-sdk package
  • publish-stablepay-sdk: Handles the stablepay-sdk package
  2. Environment
  • Runs on ubuntu-latest with Node.js 18.
  • Uses actions/setup-node for Node.js setup.

Benefits

  • Automates the NPM publishing process, reducing manual effort.
  • Ensures only updated versions are published, preventing redundant releases.
  • Implements robust error handling and retry mechanisms for reliability.

How to test

  • Make some changes in stablepay-sdk
  • Change the version in stablepay-sdk/package.json from 1.0.3 to 1.0.4 (3rd line)
  • Git push them to the main branch
  • Monitor the npmjs dashboard

Summary by CodeRabbit

  • Chores
    • Added an automated publishing workflow to publish two SDKs to npm when package versions change, with version checks, conditional install/build/publish, retries, and auth handling.
    • Added a build script to one SDK to support package compilation prior to publish.

coderabbitai bot commented Jan 24, 2026

📝 Walkthrough

A GitHub Actions workflow is added to automate publishing two SDK packages (djed-sdk and stablepay-sdk) to npm when their package versions change. The workflow compares local vs. published versions, then conditionally installs, builds, and publishes updated packages. A rollup-based build script was also added to djed-sdk's package.json.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow (.github/workflows/npm-publish.yml) | Adds a workflow with two parallel jobs (publish-djed-sdk, publish-stablepay-sdk) that detect version changes via npm view (with retries and E404 handling), set a changed flag, and conditionally run npm ci, npm run build, and npm publish (with retries) using Node.js 18 and NODE_AUTH_TOKEN.
SDK Build Configuration (djed-sdk/package.json) | Adds a "build": "rollup -c" script entry to enable rollup-based builds for djed-sdk.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub as GitHub Actions
    participant Repo as Repository (runner/work/*)
    participant Npm as npm Registry
    rect rgba(200,230,255,0.5)
    GitHub->>Repo: checkout repository
    Repo->>Npm: npm view <pkg>@<version> (with retries)
    alt published != local or E404
        Repo->>Repo: set changed=true
        Repo->>Repo: npm ci (with retries)
        Repo->>Repo: npm run build
        Repo->>Npm: npm publish (with NODE_AUTH_TOKEN, retries)
    else published == local
        Repo->>Repo: skip install/build/publish
    end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through workflows, checked versions with care,

Built with Rollup, retried in the air,
Pushed two SDKs off to the sky,
Tokens in paw, published—oh my! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main change: adding a GitHub Actions workflow to automate npm publishing for both SDKs.
Linked Issues check | ✅ Passed | All objectives from issue #42 are met: workflow file created, both SDKs supported, version detection implemented, npm build/publish automated, and proper trigger configuration.
Out of Scope Changes check | ✅ Passed | All changes are within scope: the npm-publish.yml workflow directly addresses issue #42, and the build script addition to djed-sdk package.json is required for the workflow.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/npm-publish.yml:
- Around line 89-99: The "Publish to NPM" step's retry loop silently allows the
workflow to succeed if all 3 npm publish attempts fail; update the step to
explicitly fail when retries are exhausted by adding a failure path after the
loop (e.g., check the final exit status and call exit 1 or append "|| exit 1" so
the job fails if publish never succeeds). Apply the same change to the
corresponding publish step in the publish-stablepay-sdk job so both "Publish to
NPM" retry loops explicitly exit non-zero when all attempts fail.
- Around line 75-83: The retry loop in the "Install dependencies" step currently
swallows failures if all 3 npm ci attempts fail; modify the step so that after
the for-loop it explicitly fails the job when npm ci never succeeds (e.g., add
an exit 1 or set a failing condition when the loop finishes without success) and
apply the same change to the identical retry block in the publish-stablepay-sdk
job; locate and update the "Install dependencies" step and the second retry
block (the npm ci loop) so the workflow exits non-zero after exhausting retries.
🧹 Nitpick comments (3)
.github/workflows/npm-publish.yml (3)

40-57: Redundant npm view call creates race condition and inefficiency.

When the first npm view fails (line 41), a second call is made (line 46) just to check for E404. This doubles network requests and introduces a race condition where the second call could behave differently.

Capture stderr from the single call instead:

♻️ Suggested fix
          PUBLISHED_VERSION=""
          for i in {1..3}; do
-           if OUTPUT=$(npm view "$PACKAGE_NAME" version 2>/dev/null); then
+           OUTPUT=$(npm view "$PACKAGE_NAME" version 2>&1)
+           EXIT_CODE=$?
+           if [ $EXIT_CODE -eq 0 ]; then
              PUBLISHED_VERSION=$OUTPUT
              break
            else
-             # Check if it's a 404 (package doesn't exist)
-             if npm view "$PACKAGE_NAME" version 2>&1 | grep -q "E404"; then
+             if echo "$OUTPUT" | grep -q "E404"; then
                echo "Package not found on registry. Assuming new package."
                PUBLISHED_VERSION="0.0.0"
                break
              fi
              
              if [ $i -lt 3 ]; then
                echo "Attempt $i failed. Retrying in 5 seconds..."
                sleep 5
              fi
            fi
          done
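Review bot: the refactor to a plain assignment `OUTPUT=$(npm view "$PACKAGE_NAME" version 2>&1)` followed by `EXIT_CODE=$?` breaks under the runner's default `run` shell, which GitHub invokes as `bash -e -o pipefail`: a non-zero command substitution in a bare assignment aborts the step before `EXIT_CODE` is read, so the E404 branch and the retry/sleep branch become unreachable. The original `if OUTPUT=$(...); then` form is what made the loop errexit-safe; keep that form and just change the redirection to `2>&1` so the `else` branch can `grep -q "E404"` on the captured `$OUTPUT`. One caveat with `2>&1`: on the success path `PUBLISHED_VERSION=$OUTPUT` then also contains any npm notice/warn lines written to stderr, so either keep `2>/dev/null` for the success value or take only the version line from `$OUTPUT` before comparing it.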

Apply the same fix to the publish-stablepay-sdk job (lines 127-143).


19-21: Consider using npm provenance or removing unused id-token: write permission.

The id-token: write permission is typically used for npm provenance attestation, but npm publish isn't invoked with the --provenance flag. Either leverage provenance for supply chain security or remove the unused permission to follow least-privilege principle.

Option 1: Enable provenance (recommended for supply chain security)
      - name: Publish to NPM
        if: steps.check.outputs.changed == 'true'
        run: |
          for i in {1..3}; do
-           npm publish && break || {
+           npm publish --provenance && break || {
Option 2: Remove unused permission
    permissions:
      contents: read
-     id-token: write
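Review bot: the two options are mutually exclusive and should not both be applied: `npm publish --provenance` obtains its signing identity through the GitHub OIDC token, which is exactly what `id-token: write` grants, so Option 1 must keep the permission that Option 2 removes. If Option 1 is chosen, also confirm that the npm bundled with the Node 18 that `actions/setup-node` installs is recent enough to understand `--provenance`, otherwise the publish loop fails on every attempt.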

Apply to both jobs.


12-185: Consider using a matrix strategy to reduce duplication.

The two jobs are nearly identical, differing only in the working directory. A matrix strategy would consolidate the logic and make maintenance easier.

♻️ Matrix-based approach
jobs:
  publish-sdk:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    strategy:
      matrix:
        sdk: [djed-sdk, stablepay-sdk]
    defaults:
      run:
        working-directory: ./${{ matrix.sdk }}
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      
      - uses: actions/setup-node@v4
        with:
          node-version: '18'
          registry-url: 'https://registry.npmjs.org'

      # ... rest of steps remain the same

This reduces ~90 lines of duplication and ensures both SDKs always use identical publish logic.

coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/npm-publish.yml:
- Around line 19-21: Remove the unused id-token: write permission from the
workflow permissions block(s); edit the permissions mapping that currently
contains "contents: read" and "id-token: write" so it only includes required
keys (e.g., remove the "id-token" entry), and apply the same removal for the
other permissions block referenced (the one around lines 123-125) to enforce
least privilege.
- Around line 67-73: Replace the simple inequality check ([ "$LOCAL_VERSION" !=
"$PUBLISHED_VERSION" ]) in both version-check blocks with a semver-aware "is
newer" test: use a sort -V comparison such as checking that the last line of
printf '%s\n' "$PUBLISHED_VERSION" "$LOCAL_VERSION" | sort -V is equal to
"$LOCAL_VERSION" and also that the two versions are not equal; i.e. change the
condition to something like: if [ "$(printf '%s\n' "$PUBLISHED_VERSION"
"$LOCAL_VERSION" | sort -V | tail -n1)" = "$LOCAL_VERSION" ] && [
"$LOCAL_VERSION" != "$PUBLISHED_VERSION" ]; then ... and apply the same
replacement for the second block (the other occurrence of [ "$LOCAL_VERSION" !=
"$PUBLISHED_VERSION" ]).


📥 Commits

Reviewing files that changed from the base of the PR and between 5cd1f65 and 2adf558.

📒 Files selected for processing (1)
  • .github/workflows/npm-publish.yml

Comment on lines +19 to +21
permissions:
contents: read
id-token: write

⚠️ Potential issue | 🟠 Major

Drop unused id-token: write permission (least privilege).

id-token: write is not used by any step here (no OIDC/provenance flow), so this grants unnecessary privilege in both jobs.

🔧 Proposed fix
     permissions:
       contents: read
-      id-token: write 

Also applies to: 123-125

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/npm-publish.yml around lines 19 - 21, Remove the unused
id-token: write permission from the workflow permissions block(s); edit the
permissions mapping that currently contains "contents: read" and "id-token:
write" so it only includes required keys (e.g., remove the "id-token" entry),
and apply the same removal for the other permissions block referenced (the one
around lines 123-125) to enforce least privilege.

Comment on lines +67 to +73
if [ "$LOCAL_VERSION" != "$PUBLISHED_VERSION" ]; then
echo "Version changed."
echo "changed=true" >> "$GITHUB_OUTPUT"
else
echo "Version unchanged."
echo "changed=false" >> "$GITHUB_OUTPUT"
fi

⚠️ Potential issue | 🟠 Major

Publish gate should require a version increase, not just inequality.

On Line 67 and Line 169, != treats downgrades as “changed”, which can trigger failing publish attempts and violates the objective (“newer than published”).

🔧 Proposed fix
-          if [ "$LOCAL_VERSION" != "$PUBLISHED_VERSION" ]; then
-            echo "Version changed."
+          if [ "$LOCAL_VERSION" != "$PUBLISHED_VERSION" ] && \
+             [ "$(printf '%s\n' "$PUBLISHED_VERSION" "$LOCAL_VERSION" | sort -V | tail -n1)" = "$LOCAL_VERSION" ]; then
+            echo "Version increased."
             echo "changed=true" >> "$GITHUB_OUTPUT"
           else
-            echo "Version unchanged."
+            echo "Version not increased."
             echo "changed=false" >> "$GITHUB_OUTPUT"
           fi
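Review bot: the `sort -V` gate correctly rejects equality and downgrades and orders numeric components the way semver does (1.0.10 sorts after 1.0.9), and it composes with the "0.0.0" sentinel used for E404 because every real version sorts after it. It is not a semver comparator, though: GNU version sort does not apply semver prerelease precedence (1.0.4-beta.1 versus 1.0.4), so if either SDK ever publishes a prerelease the gate may refuse a legitimate release or accept the wrong one. If prereleases are a possibility, compare with a semver-aware tool such as the `semver` npm package instead of `sort -V`.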

Apply the same update to both Check version change blocks.

Also applies to: 169-175

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/npm-publish.yml around lines 67 - 73, Replace the simple
inequality check ([ "$LOCAL_VERSION" != "$PUBLISHED_VERSION" ]) in both
version-check blocks with a semver-aware "is newer" test: use a sort -V
comparison such as checking that the last line of printf '%s\n'
"$PUBLISHED_VERSION" "$LOCAL_VERSION" | sort -V is equal to "$LOCAL_VERSION" and
also that the two versions are not equal; i.e. change the condition to something
like: if [ "$(printf '%s\n' "$PUBLISHED_VERSION" "$LOCAL_VERSION" | sort -V |
tail -n1)" = "$LOCAL_VERSION" ] && [ "$LOCAL_VERSION" != "$PUBLISHED_VERSION" ];
then ... and apply the same replacement for the second block (the other
occurrence of [ "$LOCAL_VERSION" != "$PUBLISHED_VERSION" ]).
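The version gate from the PR description and the two review findings above (downgrades must not publish; exhausted retries must fail the job) as offline-testable shell functions. This is an added example, not code from the PR's workflow; the function names, the constructed `succeed_on_call` stand-in for a flaky npm call, and the E404/ETIMEDOUT strings are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow: the publish gate and the retry loop as
# functions that run without network access. All names here are assumptions.
set -u

# Map an npm view result to the workflow's convention: exit 0 -> the version it
# printed; E404 -> "0.0.0" (package not yet on the registry); anything else
# (network or auth failure) -> non-zero, so a transient error is never mistaken
# for "new package" and published over.
resolve_published_version() {
  exit_code="$1"; output="$2"
  if [ "$exit_code" -eq 0 ]; then printf '%s\n' "$output"; return 0; fi
  if printf '%s\n' "$output" | grep -q 'E404'; then printf '0.0.0\n'; return 0; fi
  return 1
}

# Publish only when LOCAL is strictly newer than PUBLISHED: an unchanged version
# and a downgrade both return 1. sort -V (GNU coreutils, as on ubuntu-latest)
# orders numeric components correctly (1.0.10 > 1.0.9) but does not implement
# semver prerelease precedence, so prerelease tags need a real semver tool.
should_publish() {
  local_v="$1"; published_v="$2"
  [ "$local_v" != "$published_v" ] || return 1
  [ "$(printf '%s\n' "$published_v" "$local_v" | sort -V | tail -n1)" = "$local_v" ]
}

# Run a command up to N times and return 1 when every attempt failed: the
# explicit failure path the reviewed npm ci / npm publish loops were missing.
retry() {
  attempts="$1"; shift
  i=1
  while [ "$i" -le "$attempts" ]; do
    if "$@"; then return 0; fi
    echo "Attempt $i of $attempts failed." >&2
    i=$((i + 1))
  done
  echo "All $attempts attempts failed; exiting non-zero." >&2
  return 1
}

# Constructed stand-in for a flaky npm call: succeeds only from its Nth call on.
flaky_calls=0
succeed_on_call() {
  flaky_calls=$((flaky_calls + 1))
  [ "$flaky_calls" -ge "$1" ]
}
```

In the workflow the equivalent of `retry 3 npm publish || exit 1` is what turns "three failed attempts" into a red job instead of a green one.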


Successfully merging this pull request may close these issues.

CI/CD: Add githhub workflow to automate publishing of new sdk packages
