
chore: enforce OIDC and pin cargo workplace version#1097

Merged
ctrlc03 merged 1 commit into
mainfrom
fix/release-ci
Dec 10, 2025

Conversation

@hmzakhalid

@hmzakhalid hmzakhalid commented Dec 10, 2025

Collaborator

Summary by CodeRabbit

  • Chores
    • Enhanced release automation workflow with improved per-package publishing controls
    • Refined version tagging logic to better distinguish pre-release and stable release channels
    • Strengthened pre-release validation processes to improve overall release quality


@vercel

vercel Bot commented Dec 10, 2025


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: crisp. Deployment: Ready. Preview and Comment links. Updated (UTC): Dec 10, 2025 0:31am
Project: enclave-docs. Deployment: Ready. Preview and Comment links. Updated (UTC): Dec 10, 2025 0:31am

@coderabbitai

coderabbitai Bot commented Dec 10, 2025

Contributor

Walkthrough

The releases workflow is restructured to pin cargo-workspaces to version 0.3.6, add npm build and permission configuration, compute npm tags based on prerelease status, and replace a monolithic npm publish step with individual per-package publishing steps targeting specific directories.

Changes

Cohort: Rust Publishing Configuration
File(s): .github/workflows/releases.yml
Summary: Pinned cargo-workspaces invocation to v0.3.6 in both Rust publishing steps; preserved --locked behavior.

Cohort: NPM Publishing Refactor
File(s): .github/workflows/releases.yml
Summary: Added explicit workflow permissions (contents: read, id-token: write); introduced pnpm build:ts step prior to publishing; implemented tag selection logic (next for pre-releases, latest for stable); replaced monolithic publish block with five individual per-package npm publish steps for @enclave-e3/config, @enclave-e3/contracts, @enclave-e3/wasm, @enclave-e3/sdk, and @enclave-e3/react, each with explicit working directories and provenance metadata.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify the tag logic correctly maps is_prerelease to npm tags (next vs. latest)
  • Confirm all five npm packages are included in per-package publish steps and target correct directories
  • Validate cargo-workspaces v0.3.6 pinning does not conflict with other workflow dependencies

Suggested reviewers

  • 0xjei
  • cedoor
  • ryardley

Poem

🐰 Five packages dance in the release queue,
With tags that branch by pre or true,
Cargo locked, permissions set,
Each step shines, no regrets yet!
Build, compute, and publish with care,
Release magic floats through the air! 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately captures the main changes: enforcing OIDC (through added workflow permissions) and pinning cargo-workspaces to version 0.3.6, which are the primary objectives reflected in the changeset.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f89f3d and 369f0ba.

📒 Files selected for processing (1)
  • .github/workflows/releases.yml (3 hunks)
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 476
File: .github/workflows/releases.yml:29-37
Timestamp: 2025-06-05T14:10:25.539Z
Learning: In GitHub Actions workflows for release-plz, the user prefers to keep the version explicitly pinned (e.g., version: "0.3.83") rather than allowing dynamic version inference, for stability and reproducibility.
Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 648
File: .github/workflows/ci.yml:202-206
Timestamp: 2025-08-27T13:49:03.811Z
Learning: In GitHub Actions workflows for Noir circuits, the user prefers to use "stable" toolchain with noir-lang/noirup action rather than pinning to specific versions like 1.0.0-beta.11, and prefers to update the noirup action version (e.g., to 0.1.4) to get tooling improvements.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: build_sdk
  • GitHub Check: build_enclave_cli
  • GitHub Check: crisp_unit
  • GitHub Check: integration_prebuild
  • GitHub Check: test_net
  • GitHub Check: test_contracts
  • GitHub Check: rust_integration
  • GitHub Check: rust_unit
🔇 Additional comments (5)
.github/workflows/releases.yml (5)

252-254: OIDC enforcement via explicit permissions is correct.

The id-token: write permission is necessary for GitHub Actions to generate OIDC tokens, which --provenance in npm publish requires. This properly enforces OIDC as stated in the PR objective.


248-303: Consider whether npm publish failure handling aligns with release strategy.

The publish-npm-packages job has no continue-on-error, unlike publish-rust-crates (line 220). If any per-package npm publish fails, the entire job fails. Clarify whether this is intentional—that all npm packages must publish successfully for a release to proceed.

Is the strict all-or-nothing npm publishing strategy intentional, or should individual package failures be tolerated?


245-245: Pinning cargo-workspaces to 0.3.6 is good practice for reproducibility.

Explicitly pinning to 0.3.6 with --locked ensures consistent behavior across runs. cargo-workspaces 0.3.6 is a valid, non-yanked version on crates.io, and this aligns with the user's preference for explicit versioning in workflows for stability and reproducibility.


284-302: All 5 package directories exist with valid package.json files, and package names match the workflow configuration. The per-package publishing setup at lines 284-302 is structurally sound with correct working directories and expected package names.


270-271: No action required. The pnpm build:ts script is properly defined in package.json and chains the evm:build, sdk:build, and react:build tasks. The workflow step is correctly configured.


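The pattern the walkthrough and review comments describe (least-privilege permissions with an OIDC id-token, a dist-tag chosen from pre-release status, per-package publishing with provenance, and a pinned cargo-workspaces), written out as a constructed workflow excerpt. This is an added example, not the project's releases.yml, which is not reproduced on this page; the `is_prerelease` input, job and step names, package path, secret names and the `cargo workspaces publish` flags are assumptions.

```yaml
# Constructed example of the release pattern discussed above; not the project's workflow.
name: release
on:
  workflow_dispatch:
    inputs:
      is_prerelease:            # assumed input; the real trigger may derive this differently
        type: boolean
        default: false
permissions:
  contents: read                # publishing needs no write access to the repository
  id-token: write               # lets the runner mint an OIDC token, which --provenance requires
jobs:
  publish-rust-crates:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Pin the tool version so a new cargo-workspaces release cannot silently change publish behaviour.
      - run: cargo install cargo-workspaces --version 0.3.6 --locked
      - run: cargo workspaces publish --from-git --yes   # assumed flags
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}   # assumed secret name
  publish-npm-packages:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org   # needed so npm can attach provenance
      - run: pnpm install --frozen-lockfile
      - run: pnpm build:ts
      # Pre-releases go to the "next" dist-tag so a plain `npm install` never picks them up.
      - id: tag
        run: |
          if [ "${{ inputs.is_prerelease }}" = "true" ]; then
            echo "npm_tag=next" >> "$GITHUB_OUTPUT"
          else
            echo "npm_tag=latest" >> "$GITHUB_OUTPUT"
          fi
      # One step per package; without continue-on-error a single failure fails the whole job.
      - name: Publish @enclave-e3/sdk
        working-directory: packages/sdk              # assumed path
        run: npm publish --access public --provenance --tag "${{ steps.tag.outputs.npm_tag }}"
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

The remaining four packages follow the same step shape with their own working-directory, so each can be reasoned about and audited independently.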

@hmzakhalid hmzakhalid marked this pull request as ready for review December 10, 2025 12:29
@ctrlc03 ctrlc03 enabled auto-merge (squash) December 10, 2025 12:30
@ctrlc03 ctrlc03 merged commit 5e0b28b into main Dec 10, 2025
25 checks passed
@ctrlc03 ctrlc03 deleted the fix/release-ci branch December 10, 2025 12:54
