
Added npm publish workflow for both sdks#53

Open
DeveloperAmrit wants to merge 1 commit into DjedAlliance:main from DeveloperAmrit:fix-42-npm-publish

Conversation

@DeveloperAmrit DeveloperAmrit commented Jan 24, 2026

Fixes #42

Pre-requisites

  • Ensure the NPM_TOKEN secret is configured in the repository settings.

Summary
This PR introduces a GitHub Actions workflow to automate the publishing of the djed-sdk and stablepay-sdk packages to the NPM registry. The workflow ensures that only updated versions of the packages are published, improving the release process's efficiency and reliability.

Key features

  1. Trigger condition
  • The workflow runs on push events to the main or master branches.
  • It monitors changes to djed-sdk/package.json and stablepay-sdk/package.json
  2. Version check
  • Compares the local version in package.json with the published version on NPM.
  • Publishes the package only if the version has changed.
  3. Retry mechanisms
  • Handles network issues during version checks, dependency installation, and publishing with retry loops.
  4. Build and publish
  • Installs dependencies using npm ci.
  • Builds the package using npm run build.
  • Publishes the package to NPM using the NODE_AUTH_TOKEN secret.

Workflow details

  1. Jobs
  • publish-djed-sdk: Handles the djed-sdk package
  • publish-stablepay-sdk: Handles the stablepay-sdk package
  2. Environment
  • Runs on ubuntu-latest with Node.js 18.
  • Uses actions/setup-node for Node.js setup.

Benefits

  • Automates the NPM publishing process, reducing manual effort.
  • Ensures only updated versions are published, preventing redundant releases.
  • Implements robust error handling and retry mechanisms for reliability.

How to test

  • Make some changes in stablepay-sdk
  • Change the version in stablepay-sdk/package.json from 1.0.3 to 1.0.4 (3rd line)
  • Git push them to the main branch
  • Monitor the npmjs dashboard

Summary by CodeRabbit

  • Chores
    • Established automated publishing workflow for SDK packages to improve release consistency.
    • Added build script for SDK package compilation.
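The version check and retry behaviour this PR describes, written as an added example in POSIX sh (not the PR's workflow file): one npm view call per attempt with stderr kept apart from the version string, E404 treated as version 0.0.0, and a non-zero exit once retries are exhausted. MAX_ATTEMPTS, RETRY_DELAY and NPM_VIEW are assumed knobs so the functions can be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example, not the PR's workflow file: the version check and retry
# logic of the npm-publish job as POSIX sh functions that fail loudly.
# Assumed, overridable knobs: MAX_ATTEMPTS, RETRY_DELAY and NPM_VIEW (the
# command that prints a package's published version; defaults to npm view).

# retry CMD ARGS...: run CMD up to MAX_ATTEMPTS times and return its last
# exit status, so a job running under "set -e" fails when every attempt fails.
retry() {
  attempts=${MAX_ATTEMPTS:-3}
  n=1
  while :; do
    "$@" && return 0
    status=$?
    if [ "$n" -ge "$attempts" ]; then
      echo "$1 failed after $attempts attempts" >&2
      return "$status"
    fi
    echo "attempt $n of $1 failed, retrying in ${RETRY_DELAY:-10}s" >&2
    sleep "${RETRY_DELAY:-10}"
    n=$((n + 1))
  done
}

# fetch_published_version PKG: print the version on the registry, or 0.0.0
# when the registry answers E404 (never published). A 404 is final and is
# not retried; stderr is kept apart from stdout so npm warnings never leak
# into the version string that is later compared with package.json.
fetch_published_version() {
  pkg=$1
  errfile=$(mktemp)
  n=1
  while :; do
    if out=$(${NPM_VIEW:-npm view} "$pkg" version 2>"$errfile"); then
      rm -f "$errfile"; printf '%s\n' "$out"; return 0
    fi
    if grep -q 'E404' "$errfile"; then
      rm -f "$errfile"; printf '0.0.0\n'; return 0
    fi
    if [ "$n" -ge "${MAX_ATTEMPTS:-3}" ]; then
      cat "$errfile" >&2; rm -f "$errfile"; return 1
    fi
    sleep "${RETRY_DELAY:-5}"; n=$((n + 1))
  done
}

# should_publish LOCAL PUBLISHED: succeed only when the versions differ.
should_publish() { [ "$1" != "$2" ]; }
```

In a workflow step the pieces chain as `PUBLISHED=$(fetch_published_version "$PKG")`, then `should_publish "$LOCAL" "$PUBLISHED" && retry npm ci && retry npm run build && retry npm publish`, so any exhausted retry turns the job red.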



coderabbitai bot commented Jan 24, 2026

Walkthrough

A GitHub Actions workflow is introduced to automate publishing two SDK packages (djed-sdk and stablepay-sdk) to npm when their versions change. The workflow detects version differences between local packages and the npm registry, then conditionally builds and publishes updated versions. Additionally, a build script is added to djed-sdk's package configuration.

Changes

  • Cohort / File(s): GitHub Actions Workflow (.github/workflows/npm-publish.yml)
    Summary: Introduces automated npm publishing for djed-sdk and stablepay-sdk with parallel jobs that: detect version changes via npm registry queries with retry logic, conditionally install/build/publish based on version differences, and handle unpublished packages (E404) as version 0.0.0.
  • Cohort / File(s): SDK Build Configuration (djed-sdk/package.json)
    Summary: Adds "build": "rollup -c" script entry to enable rollup-based package building.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A workflow of wonder, with jobs running free,
Versions compared, then off to npm's spree,
Rollup builds swift, retries with care,
Two SDKs publishing—automation fair!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Out of Scope Changes check (⚠️ Warning)
    Explanation: The PR contains one minor out-of-scope change: adding a build script to djed-sdk/package.json is not mentioned in issue #42 requirements.
    Resolution: Clarify whether the build script addition is necessary for the workflow or should be in a separate PR. The workflow may require this script, but explicit documentation would improve clarity.

✅ Passed checks (4 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The title accurately summarizes the main change - adding an npm publish workflow for both SDKs, directly aligning with the changeset's primary purpose.
  • Linked Issues check (✅ Passed): The PR successfully implements all coding objectives from issue #42: creates npm-publish.yml workflow, supports both packages, detects version changes, and automates build/publish steps.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.




@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/npm-publish.yml:
- Around line 89-99: The "Publish to NPM" step's retry loop silently allows the
workflow to succeed if all 3 npm publish attempts fail; update the step to
explicitly fail when retries are exhausted by adding a failure path after the
loop (e.g., check the final exit status and call exit 1 or append "|| exit 1" so
the job fails if publish never succeeds). Apply the same change to the
corresponding publish step in the publish-stablepay-sdk job so both "Publish to
NPM" retry loops explicitly exit non-zero when all attempts fail.
- Around line 75-83: The retry loop in the "Install dependencies" step currently
swallows failures if all 3 npm ci attempts fail; modify the step so that after
the for-loop it explicitly fails the job when npm ci never succeeds (e.g., add
an exit 1 or set a failing condition when the loop finishes without success) and
apply the same change to the identical retry block in the publish-stablepay-sdk
job; locate and update the "Install dependencies" step and the second retry
block (the npm ci loop) so the workflow exits non-zero after exhausting retries.
🧹 Nitpick comments (3)
.github/workflows/npm-publish.yml (3)

40-57: Redundant npm view call creates race condition and inefficiency.

When the first npm view fails (line 41), a second call is made (line 46) just to check for E404. This doubles network requests and introduces a race condition where the second call could behave differently.

Capture stderr from the single call instead:

♻️ Suggested fix
          PUBLISHED_VERSION=""
          for i in {1..3}; do
-           if OUTPUT=$(npm view "$PACKAGE_NAME" version 2>/dev/null); then
+           OUTPUT=$(npm view "$PACKAGE_NAME" version 2>&1)
+           EXIT_CODE=$?
+           if [ $EXIT_CODE -eq 0 ]; then
              PUBLISHED_VERSION=$OUTPUT
              break
            else
-             # Check if it's a 404 (package doesn't exist)
-             if npm view "$PACKAGE_NAME" version 2>&1 | grep -q "E404"; then
+             if echo "$OUTPUT" | grep -q "E404"; then
                echo "Package not found on registry. Assuming new package."
                PUBLISHED_VERSION="0.0.0"
                break
              fi
              
              if [ $i -lt 3 ]; then
                echo "Attempt $i failed. Retrying in 5 seconds..."
                sleep 5
              fi
            fi
          done
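Review bot: the new line `OUTPUT=$(npm view "$PACKAGE_NAME" version 2>&1)` merges stderr into the captured value, so a successful call whose stderr carries `npm WARN` or `npm notice` lines makes `PUBLISHED_VERSION=$OUTPUT` more than a bare version; the later comparison with the local package.json version then never matches and the job tries to publish an unchanged package. Keep the streams apart, e.g. `OUTPUT=$(npm view "$PACKAGE_NAME" version 2>"$ERR_FILE")` and `grep -q "E404" "$ERR_FILE"`, which still needs only one request per attempt. Checking for E404 before the retry branch is the right order: a 404 is a final answer and should not be retried.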

Apply the same fix to the publish-stablepay-sdk job (lines 127-143).


19-21: Consider using npm provenance or removing unused id-token: write permission.

The id-token: write permission is typically used for npm provenance attestation, but npm publish isn't invoked with the --provenance flag. Either leverage provenance for supply chain security or remove the unused permission to follow least-privilege principle.

Option 1: Enable provenance (recommended for supply chain security)
      - name: Publish to NPM
        if: steps.check.outputs.changed == 'true'
        run: |
          for i in {1..3}; do
-           npm publish && break || {
+           npm publish --provenance && break || {
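Review bot: `npm publish --provenance` depends on more than the flag shown here: the `id-token: write` permission must stay (it is what lets the runner obtain the OIDC token the provenance statement is bound to), and the npm CLI on the runner has to support the flag (npm 9.5 or newer), so verify `npm --version` under the Node 18 setup or upgrade npm in a step before publishing. If the flag is adopted, the same `--provenance` change has to land in the publish-stablepay-sdk job's loop as well, otherwise only one of the two packages carries an attestation.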
Option 2: Remove unused permission
    permissions:
      contents: read
-     id-token: write

Apply to both jobs.


12-185: Consider using a matrix strategy to reduce duplication.

The two jobs are nearly identical, differing only in the working directory. A matrix strategy would consolidate the logic and make maintenance easier.

♻️ Matrix-based approach
jobs:
  publish-sdk:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    strategy:
      matrix:
        sdk: [djed-sdk, stablepay-sdk]
    defaults:
      run:
        working-directory: ./${{ matrix.sdk }}
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      
      - uses: actions/setup-node@v4
        with:
          node-version: '18'
          registry-url: 'https://registry.npmjs.org'

      # ... rest of steps remain the same

This reduces ~90 lines of duplication and ensures both SDKs always use identical publish logic.

Comment on lines +75 to +83
- name: Install dependencies
if: steps.check.outputs.changed == 'true'
run: |
for i in {1..3}; do
npm ci && break || {
echo "Install failed, retrying in 10 seconds..."
sleep 10
}
done

⚠️ Potential issue | 🟠 Major

Retry loop silently continues on persistent failure.

If all 3 npm ci attempts fail, the loop exits without error and the workflow proceeds to the build step—which will fail or behave incorrectly without dependencies. The job should fail explicitly after exhausting retries.

🔧 Proposed fix
      - name: Install dependencies
        if: steps.check.outputs.changed == 'true'
        run: |
+         SUCCESS=false
          for i in {1..3}; do
-           npm ci && break || {
+           if npm ci; then
+             SUCCESS=true
+             break
+           else
              echo "Install failed, retrying in 10 seconds..."
              sleep 10
-           }
+           fi
          done
+         if [ "$SUCCESS" != "true" ]; then
+           echo "Failed to install dependencies after 3 attempts"
+           exit 1
+         fi
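Review bot: the new `else` branch still sleeps 10 seconds after the third and final failure before `exit 1` runs; guard it with `if [ $i -lt 3 ]; then sleep 10; fi`, as the version-check loop in the same file already does. A second point for this step: `npm ci` runs the lifecycle scripts of every dependency, so the absence of `NODE_AUTH_TOKEN` from this step's `env` is correct and should stay that way, and `npm ci --ignore-scripts` is worth considering if the rollup build does not depend on install scripts.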

Apply the same fix to lines 161-169 in the publish-stablepay-sdk job.


Comment on lines +89 to +99
- name: Publish to NPM
if: steps.check.outputs.changed == 'true'
run: |
for i in {1..3}; do
npm publish && break || {
echo "Publish failed, retrying in 10 seconds..."
sleep 10
}
done
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

⚠️ Potential issue | 🟠 Major

Publish step also needs explicit failure handling.

Same issue as the install step—if all 3 publish attempts fail, the job succeeds silently. This is particularly problematic as the package won't be published but the workflow will report success.

🔧 Proposed fix
      - name: Publish to NPM
        if: steps.check.outputs.changed == 'true'
        run: |
+         SUCCESS=false
          for i in {1..3}; do
-           npm publish && break || {
+           if npm publish; then
+             SUCCESS=true
+             break
+           else
              echo "Publish failed, retrying in 10 seconds..."
              sleep 10
-           }
+           fi
          done
+         if [ "$SUCCESS" != "true" ]; then
+           echo "Failed to publish after 3 attempts"
+           exit 1
+         fi
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
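Review bot: `if npm publish; then` retries every failure alike, but only network errors deserve a second attempt; an `E403` (version already on the registry, or a token without publish rights), `E401` (invalid NPM_TOKEN) or `EOTP` (token needs 2FA) fails identically three times and just delays the red result by 20 seconds, and a retry after a first attempt that succeeded server-side but timed out on the client surfaces as a misleading `E403`. Break out of the loop on those codes, or at least capture npm's stderr so the job log shows why the publish failed. The step-scoped `env:` for `NODE_AUTH_TOKEN` is the right placement; keep it off the job level so install and build steps never see the token.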

Apply the same fix to lines 175-185 in the publish-stablepay-sdk job.



Successfully merging this pull request may close these issues.

CI/CD: Add GitHub workflow to automate publishing of new sdk packages