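# Builds, type-checks and packs the WASM bindings whenever the Rust core,
# the WASM bindings or this workflow file change, and on manual dispatch.
name: WASM Package

on:
  push:
    branches: [main, develop]
    paths:
      - 'core/**/*.rs'
      - 'core/Cargo.toml'
      - 'bindings/wasm/**'
      - '.github/workflows/wasm-package.yml'
  pull_request:
    branches: [main]
    paths:
      - 'core/**/*.rs'
      - 'core/Cargo.toml'
      - 'bindings/wasm/**'
      - '.github/workflows/wasm-package.yml'
  workflow_dispatch:
    inputs:
      # NOTE(review): the description calls this input disabled, yet the
      # publish-npm job in this file still runs when it is set to true.
      # Remove the input and the job, or correct the description, so there
      # is exactly one documented release path.
      enable_publish:
        description: 'DISABLED - Use publish-tokens.yml workflow instead'
        type: boolean
        default: false

# Least privilege: every job gets a read-only GITHUB_TOKEN unless it declares
# its own `permissions:` block (publish-npm does, to request an OIDC token).
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  # Quoted so the value stays the string "1" rather than a YAML integer.
  RUST_BACKTRACE: '1'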
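jobs:
  # Builds both WASM targets and the TypeScript wrappers, type-checks them,
  # packs the npm tarball and uploads it as the `wasm-package` artifact.
  #
  # NOTE(review): every action in this file is referenced by a mutable tag or
  # branch (@v4, @v2, @stable). Pinning each `uses:` to a full commit SHA
  # keeps a moved tag from silently changing what runs, which matters most
  # in publish-npm where an OIDC token can be requested.
  build:
    name: Build WASM Package
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No step in this job pushes to the repository, so do not leave the
          # token in .git/config where install scripts and build tools that
          # run later could read it.
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: wasm32-unknown-unknown

      - name: Cache Rust dependencies
        uses: Swatinem/rust-cache@v2
        with:
          key: wasm-${{ hashFiles('**/Cargo.lock') }}

      # `--locked` fixes wasm-pack's dependency versions but not wasm-pack
      # itself: the newest release is installed on each run. Consider adding
      # `--version <PINNED_VERSION>` for reproducible builds.
      - name: Install wasm-pack
        run: cargo install wasm-pack --locked

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9

      - name: Get pnpm store directory
        id: pnpm-cache
        shell: bash
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"

      - name: Setup pnpm cache
        uses: actions/cache@v4
        with:
          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
          key: pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            pnpm-store-

      # --frozen-lockfile fails the install instead of rewriting the lockfile,
      # so only the resolved versions recorded in pnpm-lock.yaml are used.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build WASM (web target)
        working-directory: bindings/wasm
        run: pnpm run build:wasm-web

      - name: Build WASM (nodejs target)
        working-directory: bindings/wasm
        run: pnpm run build:wasm-node

      - name: Build TypeScript wrappers
        working-directory: bindings/wasm
        run: pnpm run build:ts

      - name: Type check
        working-directory: bindings/wasm
        run: pnpm run typecheck

      # Informational only: with the default shell (no pipefail) the step's
      # exit status is that of `head`, so a failing `pnpm pack` does not fail
      # this step. The next step is what catches a missing tarball.
      - name: Package dry-run
        working-directory: bindings/wasm
        run: |
          echo "Running pnpm pack --dry-run to verify packaging..."
          pnpm pack --dry-run 2>&1 | head -100

      # The last line of `pnpm pack` output is taken as the tarball name;
      # `mv` fails the step if that name is not an existing file.
      - name: Create tarball artifact
        working-directory: bindings/wasm
        run: |
          TARBALL=$(pnpm pack 2>&1 | tail -1)
          echo "Created tarball: $TARBALL"
          mkdir -p artifacts
          mv "$TARBALL" artifacts/

      - name: Upload WASM package artifact
        uses: actions/upload-artifact@v4
        with:
          name: wasm-package
          path: bindings/wasm/artifacts/*.tgz
          retention-days: 7
          # The verify job depends on this artifact, so a missing tarball is
          # a build failure rather than a warning.
          if-no-files-found: error

      - name: Verify package contents
        working-directory: bindings/wasm
        run: |
          echo "Package contents:"
          tar -tzf artifacts/*.tgz | head -50

  # Downloads the artifact produced by `build` and fails if no tarball is in
  # it, then writes a build summary.
  verify:
    name: Verify Package Ready
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: wasm-package
          path: ./artifacts

      - name: Verify tarball exists
        run: |
          echo "Downloaded artifacts:"
          ls -la ./artifacts/
          TARBALL=$(ls ./artifacts/*.tgz | head -1)
          if [ -f "$TARBALL" ]; then
            echo "✅ WASM package tarball ready: $TARBALL"
            echo "📦 Size: $(du -h "$TARBALL" | cut -f1)"
          else
            echo "❌ No tarball found"
            exit 1
          fi

      # NOTE(review): this summary tells readers to publish by dispatching
      # with enable_publish set to true, while the input's description in
      # this file says the input is disabled. Align the two.
      - name: Summary
        run: |
          {
            echo "## WASM Package Build Summary"
            echo ""
            echo "✅ Build completed successfully"
            echo ""
            echo "**Note:** This workflow builds and packages the WASM module."
            echo ""
            echo "To publish manually, trigger this workflow with \`enable_publish: true\`."
            echo "Trusted Publishing (OIDC) must be configured in npm - see PUBLISH-STEPS.md."
          } >> "$GITHUB_STEP_SUMMARY"

  # Publishes the package to npm with provenance, using an OIDC token instead
  # of a stored npm token. Runs only on a manual dispatch with
  # enable_publish set to true.
  #
  # NOTE(review): a dispatch can be started from any ref the triggering user
  # chooses, and this job publishes whatever that ref contains. Consider
  # also requiring the release branch in `if:` and/or a protected
  # `environment:` with required reviewers.
  #
  # NOTE(review): this job rebuilds from source and publishes that build; it
  # does not publish the tarball that `build` type-checked and `verify`
  # inspected, and it does not depend on `verify`.
  publish-npm:
    name: Publish to npm (Trusted Publishing)
    needs: build
    # Inputs exist only on workflow_dispatch; the event check makes that
    # explicit so push and pull_request runs can never reach this job.
    if: >-
      github.event_name == 'workflow_dispatch' &&
      github.event.inputs.enable_publish == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets steps in this job request an OIDC token. Every step below,
      # including dependency install scripts and build tools, runs in a job
      # that holds this permission, so keep the step list minimal.
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Nothing here pushes to the repository; keep the token out of
          # .git/config for the install and build steps that follow.
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: wasm32-unknown-unknown

      # The wasm-pack version floats here as well, and its output goes into
      # the published package. Consider `--version <PINNED_VERSION>`.
      - name: Install wasm-pack
        run: cargo install wasm-pack --locked

      # NOTE(review): npm documents trusted publishing as requiring npm CLI
      # 11.5.1 or later, while Node 20 normally bundles npm 10. Confirm
      # which CLI performs the upload in this job.
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'

      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9

      # This job restores no caches, so the published build does not depend
      # on cache contents written by other runs.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build WASM (all targets)
        working-directory: bindings/wasm
        run: pnpm run build:all

      - name: Publish to npm (Trusted Publishing with provenance)
        working-directory: bindings/wasm
        run: pnpm publish --provenance --access public
        env:
          # Quoted: environment values are strings, not YAML booleans.
          NPM_CONFIG_PROVENANCE: 'true'

      - name: Post-publish summary
        run: |
          {
            echo "## npm Publish Summary"
            echo ""
            echo "✅ Published \`@open-kya/kya-validator-wasm\` to npm"
            echo ""
            echo "Package: https://www.npmjs.com/package/@open-kya/kya-validator-wasm"
          } >> "$GITHUB_STEP_SUMMARY"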