QuickSwap · henrypalacios · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025
diff --git a/.github/README.md b/.github/README.md
@@ -0,0 +1,23 @@
+# GitHub Workflows
+
+## Workflows
+
+### ci.yml
+- Runs on PRs and pushes to `main`
+- Tests, linting, security scans
+- Dependency review on PRs
+
+### publish.yml
+- Runs on push to `main` (automatic)
+- Manual trigger available via workflow_dispatch
+- Publishes to npm with provenance
+
+## Setup Required
+
+1. **NPM_TOKEN**: Create an Automation token on npmjs.com and add it to repository secrets
+2. **Branch Protection**: Enable on `main` branch to require PR reviews
+
+## Publishing
+
+Update version in `package.json`, merge to `main`, and publish happens automatically.
+
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -1,43 +1,80 @@
-name: CI
-env:
-  CI: true
+name: ci
+
+permissions:
+  contents: read
 
 on:
   pull_request:
     branches:
-      - v2
+      - main
   push:
     branches:
-      - v2
+      - main
 
 jobs:
   test:
-    strategy:
-      matrix:
-        node: ['10.x', '12.x']
-        os: [ubuntu-latest, macOS-latest]
+    name: Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-    runs-on: ${{ matrix.os }}
+      - name: Install pnpm
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+        with:
+          version: 9
 
-    steps:
-      - uses: actions/checkout@v1
-      - uses: actions/setup-node@v1
+      - name: Setup Node 20.x
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: ${{ matrix.node }}
+          node-version: '20.x'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint
+        run: pnpm run lint
+
+      - name: Build
+        run: pnpm run build
 
-      - run: npm install -g yarn
+      - name: Test
+        run: pnpm run test
 
-      - id: yarn-cache
-        run: echo "::set-output name=dir::$(yarn cache dir)"
-      - uses: actions/cache@v1
+  security:
+    name: Security Scans
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+        with:
+          version: 9
+
+      - name: Setup Node 20.x
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          path: ${{ steps.yarn-cache.outputs.dir }}
-          key: ${{ matrix.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            ${{ matrix.os }}-yarn-
+          node-version: '20.x'
+          cache: 'pnpm'
 
-      - run: yarn
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Security audit
+        run: pnpm audit --audit-level high || echo "⚠️ Vulnerabilities detected"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          languages: javascript-typescript
 
-      - run: yarn lint
-      - run: yarn build
-      - run: yarn test
+      - name: CodeQL Analysis
+        uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,115 @@
+name: Publish to NPM
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write  # Required for npm provenance
+  packages: write
+
+jobs:
+  publish:
+    name: Build & Publish to NPM
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+        with:
+          version: 9
+          run_install: false
+
+      - name: Setup Node 20.x
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: '20.x'
+          registry-url: 'https://registry.npmjs.org/'
+          cache: 'pnpm'
+
+      - name: Get package version
+        id: package-version
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "📦 Current version: ${VERSION}"
+
+      - name: Verify lockfile exists
+        run: |
+          if [ ! -f "pnpm-lock.yaml" ]; then
+            echo "❌ pnpm-lock.yaml not found"
+            echo "Run 'pnpm install' locally and commit the lockfile"
+            exit 1
+          fi
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run linter
+        run: pnpm run lint
+
+      - name: Run tests
+        run: pnpm run test
+
+      - name: Build package
+        run: pnpm run build
+
+      - name: Security audit
+        run: |
+          pnpm audit --audit-level moderate || {
+            echo "⚠️ Security vulnerabilities found"
+            exit 1
+          }
+
+      - name: Verify public dependencies
+        run: |
+          if pnpm list --json | grep -q '"private":true'; then
+            echo "❌ Private packages detected in dependencies"
+            exit 1
+          fi
+
+      - name: Check NPM authentication
+        run: pnpm whoami
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish to NPM
+        id: publish
+        run: |
+          echo "🚀 Publishing version ${{ steps.package-version.outputs.version }}"
+          pnpm publish --access public --provenance --no-git-checks
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish success
+        if: success()
+        run: |
+          echo "✅ Published version ${{ steps.package-version.outputs.version }}"
+          echo "📦 https://www.npmjs.com/package/quickswap-sdk"
+          echo "🔐 Provenance: https://www.npmjs.com/package/quickswap-sdk/v/${{ steps.package-version.outputs.version }}"
+
+      - name: Publish failed
+        if: failure()
+        run: |
+          echo "❌ Failed to publish to NPM"
+          echo ""
+          echo "Common reasons:"
+          echo "  - Version ${{ steps.package-version.outputs.version }} already exists"
+          echo "  - NPM_TOKEN is invalid or expired"
+          echo "  - Security vulnerabilities detected"
+          echo "  - Lockfile is out of sync"
+          echo ""
+          echo "To publish a new version:"
+          echo "  1. Update version in package.json"
+          echo "  2. Run 'pnpm install' to update lockfile"
+          echo "  3. Commit and push to main"
+          exit 1