superfluid-org · mmd-afegbua · Feb 25, 2026 · Jan 26, 2026 · Jan 26, 2026 · Jan 29, 2026
@@ -19,7 +19,8 @@ jobs:
 
     runs-on: ubuntu-22.04
 
-    permissions: write-all
+    permissions:
+      contents: write
 
     steps:
       - uses: actions/checkout@v4
@@ -49,7 +50,9 @@ jobs:
 
     runs-on: ubuntu-22.04
 
-    permissions: write-all
+    permissions:
+      contents: write
+
 
     steps:
       - uses: actions/checkout@v4
@@ -89,7 +92,10 @@ jobs:
 
     runs-on: ubuntu-22.04
 
-    permissions: write-all
+    permissions:
+      contents: write
+      id-token: write
+
 
     steps:
       - uses: actions/checkout@v4
@@ -121,7 +127,6 @@ jobs:
           tasks/npm-publish.sh packages/metadata/ latest
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPMJS_TOKEN: ${{ secrets.NPMJS_TOKEN }}
 
   check-sdk-core-version:
     name: Checking if SDK-Core should be published
@@ -166,7 +171,8 @@ jobs:
         check-sdk-core-version,
       ]
 
-    permissions: write-all
+    permissions:
+      contents: write
 
     steps:
       - uses: actions/checkout@v4
@@ -193,7 +199,8 @@ jobs:
 
     runs-on: ubuntu-22.04
 
-    permissions: write-all
+    permissions:
+      contents: write
 
     steps:
       - uses: actions/checkout@v4

@@ -1,20 +1,23 @@
-name: CI | Canary (Dev)
+name: Publisher & CI
 
 on:
   push:
     branches: ["dev"]
     paths:
-      - ".github/workflows/ci.canary.yml"
+      - ".github/workflows/handler.publish-dev-release-packages.yml"
       - ".github/workflows/call.*.yml"
       - "package.json"
       - "yarn.lock"
       - "packages/**"
       - "codecov.yml"
       # - "**.md" are commented out because docs updates should go into the packages
+  release:
+    types: [published]
 
 jobs:
   check:
     name: Checking what packages need to be built
+    if: github.event_name == 'push'
 
     runs-on: ubuntu-22.04
 
@@ -139,7 +142,7 @@
     name: All packages tested (Dev Branch)
     runs-on: ubuntu-22.04
     # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-not-requiring-successful-dependent-jobs
-    if: ${{ always() }}
+    if: ${{ always() && github.event_name == 'push' }}
 
     needs: [ test-spec-haskell
            , test-solidity-semantic-money
@@ -175,9 +178,12 @@
 
   publish-npm-packages:
     name: Publish canary packages to registries
+    # Only run this if we are in a push event (canary flow)
+    if: github.event_name == 'push'
 
-    permissions: write-all
-
+    permissions:
+      contents: read
+      id-token: write
     needs: [all-packages-tested]
 
     runs-on: ubuntu-22.04
@@ -189,6 +195,11 @@
     steps:
       - uses: actions/checkout@v4
 
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+          registry-url: 'https://registry.npmjs.org'
+
       - uses: DeterminateSystems/nix-installer-action@v13
 
       - name: Install dependencies
@@ -208,17 +219,19 @@
           yarn lerna version prerelease --yes --no-git-tag-version --preid "${preId}"
 
       - name: Publish to npm
+        shell: bash
         run: |
           tasks/npm-publish.sh packages/ethereum-contracts/ dev --verbose
           tasks/npm-publish.sh packages/sdk-core/ dev --verbose
           tasks/npm-publish.sh packages/sdk-redux/ dev --verbose
           tasks/npm-publish.sh packages/metadata/ dev --verbose
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPMJS_TOKEN: ${{ secrets.NPMJS_TOKEN }}
 
   publish-sdk-html-docs:
     name: Publish canary HTML docs
+    # Only run this if we are in a push event
+    if: github.event_name == 'push'
 
     needs: [all-packages-tested]
 
@@ -273,3 +286,198 @@
           s3_uri: ${{ format('{0}sdk-redux@dev', secrets.SITE_DEPLOYER_AWS_S3_DOCS_URI) }}
           cloudfront_distribution_id: E3JEO5R14CT8IH
 
+  upgrade-contracts:
+    name: Upgrade ethereum-contracts on canary testnet (protocol release version "canary")
+
+    if: false # disable this for now
+
+    needs: [all-packages-tested]
+
+    runs-on: ubuntu-22.04
+
+    strategy:
+      fail-fast: false
+      matrix:
+        network: [optimism-sepolia]
+
+    defaults:
+      run:
+        shell: nix develop .#ci-default -c bash -xe {0}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: DeterminateSystems/nix-installer-action@v13
+
+      - name: Build
+        run: |
+          yarn install --frozen-lockfile
+          yarn build
+
+      - name: Deploy to ${{ matrix.network }}
+        run: |
+          cd packages/ethereum-contracts
+          npx truffle exec --network ${{ matrix.network }} ops-scripts/deploy-test-environment.js
+          npx truffle exec --network ${{ matrix.network }} ops-scripts/info-print-contract-addresses.js : addresses.vars
+          tasks/etherscan-verify-framework.sh ${{ matrix.network }} addresses.vars
+        env:
+          RELEASE_VERSION: canary
+          OPTIMISM_SEPOLIA_MNEMONIC: ${{ secrets.BUILD_AGENT_MNEMONIC }}
+          OPTIMISM_SEPOLIA_PROVIDER_URL: ${{ secrets.OPTIMISM_SEPOLIA_PROVIDER_URL }}
+
+  publish-release:
@@ -291,6 +291,9 @@
    if: false # disable this for now
+    permissions:
+      contents: read
+
    needs: [all-packages-tested]
    runs-on: ubuntu-22.04
@@ -291,6 +291,9 @@

    if: false # disable this for now

+    permissions:
+      contents: read
+
    needs: [all-packages-tested]

    runs-on: ubuntu-22.04
+    name: Publish release package
+    if: github.event_name == 'release'
+
+    permissions:
+      contents: read
+      id-token: write
+
+    runs-on: ubuntu-22.04
+
+    defaults:
+      run:
+        shell: nix develop .#ci-default -c bash -xe {0}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@v4
+        with:
+          repository: superfluid-finance/build-scripts
+          path: build-scripts
+
+      - uses: DeterminateSystems/nix-installer-action@v13
+
+      - name: Parse Tag
+        env:
+          GITHUB_REF: ${{ github.ref }}
+        run: |
+          if echo -n "$GITHUB_REF" | grep -qE "refs/tags/ethereum-contracts@";then
+            echo "PUBLISH_ETHEREUM_CONTRACTS=1" >> "$GITHUB_ENV"
+          fi
+          if echo -n "$GITHUB_REF" | grep -qE "refs/tags/sdk-core@";then
+            echo "PUBLISH_SDK_CORE=1" >> "$GITHUB_ENV"
+          fi
+          if echo -n "$GITHUB_REF" | grep -qE "refs/tags/sdk-redux@";then
+            echo "PUBLISH_SDK_REDUX=1" >> "$GITHUB_ENV"
+          fi
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Build ethereum-contracts package
+        if: env.PUBLISH_ETHEREUM_CONTRACTS == 1
+        run: |
+          yarn --cwd packages/ethereum-contracts build
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish ethereum-contracts package
+        if: env.PUBLISH_ETHEREUM_CONTRACTS == 1
+        shell: bash
+        run: |
+          tasks/npm-publish.sh packages/ethereum-contracts/ latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build sdk-core package
+        if: env.PUBLISH_SDK_CORE == 1
+        run: |
+          yarn --cwd packages/sdk-core get-graphql-schema:v1
+          yarn --cwd packages/ethereum-contracts build
+          yarn --cwd packages/sdk-core build
+          yarn --cwd packages/sdk-core doc:html
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish sdk-core package
+        id: publish-sdk-core
+        if: env.PUBLISH_SDK_CORE == 1
+        shell: bash
+        run: |
+          tasks/npm-publish.sh packages/sdk-core/ latest
+
+          PUBLISHED_VERSION=$(jq -r .version packages/sdk-core/package.json)
+
+          echo "PUBLISHED_VERSION=$PUBLISHED_VERSION" >> "$GITHUB_OUTPUT"
+
+          # Create redirect from root
+          mkdir sdk-core-redirect
+          printf '<!DOCTYPE html><html><head><title>Redirecting...</title><meta charset="UTF-8"><meta http-equiv="refresh" content="0;URL=%s" /><meta http-equiv="Cache-Control" content="no-store" /></head><body><p>Redirecting to latest documentation...</p></body></html>' "https://refs.superfluid.finance/sdk-core@$PUBLISHED_VERSION" \
+          > sdk-core-redirect/index.html
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload sdk-core HTML documentation
+        if: env.PUBLISH_SDK_CORE == 1
+        uses: ./build-scripts/s3cloudfront-hosting/actions/sync
+        with:
+          local_build_dir: packages/sdk-core/dist/docs
+          aws_region: eu-west-2
+          aws_access_key_id: ${{ secrets.SITE_DEPLOYER_AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ secrets.SITE_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
+          s3_uri: ${{ format('{0}sdk-core@{1}', secrets.SITE_DEPLOYER_AWS_S3_DOCS_URI, steps.publish-sdk-core.outputs.PUBLISHED_VERSION) }}
+          cloudfront_distribution_id: E3JEO5R14CT8IH
+
+      - name: Upload sdk-core latest documentation redirect
+        if: env.PUBLISH_SDK_CORE == 1
+        uses: ./build-scripts/s3cloudfront-hosting/actions/sync
+        with:
+          local_build_dir: sdk-core-redirect
+          aws_region: eu-west-2
+          aws_access_key_id: ${{ secrets.SITE_DEPLOYER_AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ secrets.SITE_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
+          s3_uri: ${{ format('{0}sdk-core', secrets.SITE_DEPLOYER_AWS_S3_DOCS_URI) }}
+          cloudfront_distribution_id: E3JEO5R14CT8IH
+
+      - name: Build sdk-redux package
+        if: env.PUBLISH_SDK_REDUX == 1
+        run: |
+          yarn --cwd packages/ethereum-contracts build
+          yarn --cwd packages/sdk-core get-graphql-schema:v1
+          yarn --cwd packages/sdk-core build
+          yarn --cwd packages/sdk-redux build
+          yarn --cwd packages/sdk-redux doc:html
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish sdk-redux package
+        id: publish-sdk-redux
+        if: env.PUBLISH_SDK_REDUX == 1
+        shell: bash
+        run: |
+          tasks/npm-publish.sh packages/sdk-redux/ latest
+
+          PUBLISHED_VERSION=$(jq -r .version packages/sdk-redux/package.json)
+
+          echo "PUBLISHED_VERSION=$PUBLISHED_VERSION" >> "$GITHUB_OUTPUT"
+
+          # Create redirect from root
+          mkdir sdk-redux-redirect
+          printf '<!DOCTYPE html><html><head><title>Redirecting...</title><meta charset="UTF-8"><meta http-equiv="refresh" content="0;URL=%s" /><meta http-equiv="Cache-Control" content="no-store" /></head><body><p>Redirecting to latest documentation...</p></body></html>' "https://refs.superfluid.finance/sdk-redux@$PUBLISHED_VERSION" \
+          > sdk-redux-redirect/index.html
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload sdk-redux HTML documentation
+        if: env.PUBLISH_SDK_REDUX == 1
+        uses: ./build-scripts/s3cloudfront-hosting/actions/sync
+        with:
+          local_build_dir: packages/sdk-redux/dist/docs
+          aws_region: eu-west-2
+          aws_access_key_id: ${{ secrets.SITE_DEPLOYER_AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ secrets.SITE_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
+          s3_uri: ${{ format('{0}sdk-redux@{1}', secrets.SITE_DEPLOYER_AWS_S3_DOCS_URI, steps.publish-sdk-redux.outputs.PUBLISHED_VERSION) }}
+          cloudfront_distribution_id: E3JEO5R14CT8IH
+
+      - name: Upload sdk-redux latest documentation redirect
+        if: env.PUBLISH_SDK_REDUX == 1
+        uses: ./build-scripts/s3cloudfront-hosting/actions/sync
+        with:
+          local_build_dir: sdk-redux-redirect
+          aws_region: eu-west-2
+          aws_access_key_id: ${{ secrets.SITE_DEPLOYER_AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ secrets.SITE_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
+          s3_uri: ${{ format('{0}sdk-redux', secrets.SITE_DEPLOYER_AWS_S3_DOCS_URI) }}
+          cloudfront_distribution_id: E3JEO5R14CT8IH