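# CI for every push and pull request, plus an npm publish job that only runs
# for version tags and authenticates to npm with a GitHub OIDC token.
name: ci

on: [push, pull_request]

# Least privilege by default: jobs get a read-only GITHUB_TOKEN unless they
# declare their own permissions block (the publish job below does).
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are referenced by mutable tag (v4); pinning to a
      # full commit SHA would stop a retagged release from changing what runs.
      - uses: actions/checkout@v4
        with:
          # Nothing below pushes or fetches, so do not leave the token in
          # .git/config where the docker build context could pick it up.
          persist-credentials: false
      - run: docker compose build
      - run: docker compose run --rm test
      # Enforce the coverage gate: test:cov exits non-zero if coverage falls
      # below the thresholds in vitest.config.ts (lines/functions 90, branches 85).
      - run: docker compose run --rm cov

  publish:
    # Publishes to npm via OIDC "trusted publishing" — no token, no OTP.
    # Fires only on a version tag (e.g. v1.0.1) whose package.json version matches.
    # Requires the npm Trusted Publisher configured for mihailShumilov/solana-resilience-kit
    # against this workflow file (ci.yml).
    needs: test
    # On pull_request events github.ref is refs/pull/<n>/merge, so this
    # condition also keeps the OIDC-enabled job away from PR code.
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # mint the OIDC token npm exchanges for short-lived publish creds
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # The steps after this one run third-party code (npm ci, lifecycle
          # scripts); keep the GITHUB_TOKEN out of the working tree.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # NOTE(review): npm@latest is a floating version installed inside the job
      # that can mint publish credentials; consider pinning an exact version
      # that satisfies the minimum stated below.
      - name: Use an npm new enough for trusted publishing
        run: npm install -g npm@latest  # trusted publishing needs npm >= 11.5.1
      # The tag name is read from the GITHUB_REF_NAME environment variable and
      # quoted in the shell, rather than being interpolated into the script
      # with a workflow expression, so the ref text is never parsed as shell.
      - name: Verify the tag matches package.json version
        run: |
          PKG="v$(node -p "require('./package.json').version")"
          if [ "$PKG" != "$GITHUB_REF_NAME" ]; then
            echo "::error::tag $GITHUB_REF_NAME does not match package.json version $PKG"
            exit 1
          fi
      # NOTE(review): npm ci runs dependency install scripts in the same job
      # that holds id-token: write — confirm the lockfile is reviewed on change.
      - run: npm ci
      - run: npm publish  # prepublishOnly re-runs typecheck + tests + build first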