@outerlook outerlook commented Oct 21, 2025

Description

Related Problem

How Has This Been Tested?

Summary by CodeRabbit

  • New Features

    • Automated CI and release workflows for testing, versioning and npm publishing.
    • Project prepared for public npm distribution with version bump and publish flow.
  • Documentation

    • README rewritten with installation and usage examples.
    • Added Apache 2.0 LICENSE and simplified import/docs for attestation helpers.
  • Chores

    • Build/packaging and TypeScript build config added.
    • Test setup centralized and CI guards introduced.
    • Cleanup of ignore rules and build tooling updates.

…lows

- Added LICENSE file for Apache License 2.0 compliance.
- Updated package.json to reflect new version, public access, and additional scripts for building and testing.
- Enhanced README with installation instructions and Solidity/TypeScript usage examples.
- Introduced CI workflow for automated testing and release processes.
- Added release workflow for version management and npm publishing.
- Updated the copyright year in the LICENSE file from 2024 to 2025.
- Modified OffchainLogic test setup to include a conditional skip for CI environments, improving test execution control.
- Refactored variable declarations for better clarity and organization in the test file.
@outerlook outerlook self-assigned this Oct 21, 2025

coderabbitai bot commented Oct 21, 2025

Walkthrough

Adds CI and Release GitHub Actions workflows, prepares package for public npm publishing (package.json, tsconfig.build), adds Apache-2.0 license, updates README/docs, guards Hardhat task loading behind SKIP_HARDHAT_TASKS, and centralizes test setup with a CI skip guard.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| CI Workflows | .github/workflows/ci.yml, .github/workflows/release.yml | Adds CI and release workflows: PR/push and workflow_dispatch triggers, ACT-aware Node/pnpm setup, dependency install, build/compile/contracts, tests, complex version resolution, npm publish with tag, git tagging, and GitHub release creation with collision checks. |
| Package & Build | package.json, tsconfig.build.json | Prepares package for publishing: version → 0.1.0-beta, private:false, adds main/module/types/exports/files, publishConfig, new scripts (clean/build/prepare), and TypeScript build config to emit declarations to ./dist. |
| Docs & License | LICENSE, README.md, docs/AttestationLibrary.md | Adds Apache-2.0 LICENSE; rebrands README to @trufnetwork/evm-contracts with install/usage examples; updates AttestationLibrary docs and import paths to package-root. |
| Hardhat config | hardhat.config.cts | Loads ./tasks only when SKIP_HARDHAT_TASKS !== "true" and simplifies package.json write flow by removing prior try/catch around write calls. |
| Tests | test/requestv1/OffchainLogic.test.ts | Moves hardcoded test setup into mutable vars initialized in a before hook and adds a CI skip guard to avoid running tests in CI. |
| Repo housekeeping | .gitignore | Removes pnpm-lock.yaml from ignored files and trims trailing blank line. |

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant Runner as Runner (ubuntu-latest / ACT)
    participant Setup as pnpm & Node Setup
    participant Install as Install deps
    participant Build as Build & Compile
    participant Test as Test Suite
    participant Version as Version Resolver
    participant NPM as npm Registry
    participant Git as Git Operations

    GH->>Runner: trigger (push / pull_request / workflow_dispatch)
    Runner->>Setup: checkout + setup pnpm
    alt ACT != "true"
        Setup->>Setup: setup Node, enable pnpm cache
        Setup->>Install: install deps (--frozen-lockfile, cached)
    else ACT == "true"
        Setup->>Install: install deps (no cache, act path)
    end
    Install->>Build: compile contracts & build
    Build->>Test: run tests (SKIP_HARDHAT_TASKS respected)
    Test->>Version: compute release version (input / tag / package)
    Version->>Runner: update package.json version
    Runner->>NPM: verify version not published
    Runner->>NPM: publish package (dist_tag)
    NPM-->>Runner: publish result
    Runner->>Git: commit bump, create & push tag
    Runner->>GH: create GitHub release

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • feat: attestations #9: Adds TrufAttestation Solidity library, harness, TypeScript helpers and tests — strongly related to package exports and docs changes here.

Suggested reviewers

  • MicBun

Poem

🐰
From burrow to branch the pipelines sing,
Workflows wake and package bells ring,
A version is picked, a tag takes flight,
Docs bloom, tests skip in CI's night,
Rabbit claps paws — release feels right!

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title Check | ❓ Inconclusive | The title "chore: publish attestations" is vague and does not fully or accurately capture the scope of changes in this PR. While the PR does involve publishing, the term "attestations" is narrow and misleading given that the actual changeset encompasses comprehensive infrastructure setup including CI/CD workflows, release automation, package configuration, documentation updates, and test modifications. The title suggests a narrow scope around attestations rather than conveying the broader objective of establishing npm publishing infrastructure for the entire contracts package. | Consider revising the title to more accurately reflect the full scope, such as "chore: set up npm publishing and CI/CD workflows" or "chore: prepare package for npm publication." This would better convey that the PR establishes publishing infrastructure rather than focusing narrowly on attestations. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues Check | ✅ Passed | The linked issue #11 requests that contracts be published to NPM. The PR addresses this requirement through several key changes: the new release.yml workflow includes npm publish steps with version management and authentication, package.json is reconfigured with private: false, publishConfig with public access, and proper exports and files fields for npm distribution. Additionally, a LICENSE file is added (required for publication), CI workflows are established for testing, and documentation is updated. These changes collectively provide the infrastructure needed to publish contracts to npm, aligning with the core objective of issue #11. |
| Out of Scope Changes Check | ✅ Passed | The changes in this PR are focused on establishing npm publishing infrastructure and supporting CI/CD capabilities. The workflow files (ci.yml, release.yml), package.json configuration updates, LICENSE addition, and documentation modifications all directly support the publishing objective. Supporting changes like the test CI guard (skipping tests in CI environments), TypeScript build configuration (tsconfig.build.json), and hardhat configuration adjustments are necessary infrastructure to enable safe and reliable publishing. The .gitignore removal of pnpm-lock.yaml aligns with publishing best practices. These changes do not represent significant scope creep outside the publishing objective. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 81e3dbb and c694c37.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • .gitignore (0 hunks)
💤 Files with no reviewable changes (1)
  • .gitignore


- Added conditional loading of tasks in hardhat.config.cts based on SKIP_HARDHAT_TASKS environment variable.
- Updated package.json to reflect new Mocha version and adjusted test script formatting.
- Enhanced CI workflows to include conditional steps for local testing with ACT environment variable, ensuring proper dependency installation and task execution.
- Added compilation and testing steps in CI workflows with SKIP_HARDHAT_TASKS environment variable for better control over task execution.
@outerlook outerlook marked this pull request as ready for review October 21, 2025 14:58

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
hardhat.config.cts (1)

17-45: Duplicate subtask definitions—only the second takes effect.

Two separate subtask(TASK_COMPILE_SOLIDITY).setAction(...) blocks are defined. Hardhat will only honor the last one, so the first block (writing to artifacts/package.json) is effectively dead code.

If both package.json files are required, merge them into a single subtask:

-subtask(TASK_COMPILE_SOLIDITY).setAction(async (_, { config }, runSuper) => {
-  const superRes = await runSuper();
-
-  try {
-    await writeFile(
-      join(config.paths.artifacts, "package.json"),
-      '{ "type": "commonjs" }'
-    );
-  } catch (error) {
-    console.error("Error writing package.json: ", error);
-  }
-
-  return superRes;
-});
-
 subtask(TASK_COMPILE_SOLIDITY).setAction(async (_, { config }, runSuper) => {
   const superRes = await runSuper();
 
   try {
+    await writeFile(
+      join(config.paths.artifacts, "package.json"),
+      '{ "type": "commonjs" }'
+    );
     await writeFile(
       join(config.paths.root, "typechain-types", "package.json"),
       '{ "type": "commonjs" }'
     );
   } catch (error) {
     console.error("Error writing package.json: ", error);
   }
 
   return superRes;
 });
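
Review bot: in the merged block both writeFile calls share one try, so a failure writing artifacts/package.json skips the typechain-types/package.json write, and the catch only logs, so the subtask still returns superRes as if both markers were in place. Give each write its own try/catch, or await both with Promise.allSettled and report each rejection, and consider rethrowing so a compile that could not write a { "type": "commonjs" } marker fails visibly.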
🧹 Nitpick comments (4)
test/requestv1/OffchainLogic.test.ts (1)

8-32: Merge duplicate before hooks.

The CI skip guard and variable initialization are both appropriate, but having two separate before() hooks at the same level violates best practices and triggers the static analyzer.

Combine them into a single hook:

-  before(async function () {
-    if (process.env.CI) {
-      this.skip();
-    }
-  });
   // Test setup
   let dataProviderAddress: string;
   let streamId: string;
   let secrets: {
     PRIVATE_KEY: string;
   };
   let source: string;
   let abiCoder: ethers.AbiCoder;
-

-

-  before(async function () {
+  
+  before(async function () {
+    if (process.env.CI) {
+      this.skip();
+    }
+    
     dataProviderAddress = "0x4710a8d8f0d845da110086812a32de6d90d7ff5c";
     streamId = "stfcfa66a7c2e9061a6fac8b32027ee8";
     secrets = {
       PRIVATE_KEY: getEnv("TN_READER_PRIVATE_KEY")
     };
     source = getSource("requestv1");
     abiCoder = ethers.AbiCoder.defaultAbiCoder();
   });
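
Review bot: the guard at the top of the merged before hook keys on process.env.CI, not on whether TN_READER_PRIVATE_KEY is available, so the suite is skipped on every CI run even where the key is provisioned, and it still reaches getEnv("TN_READER_PRIVATE_KEY") on a local machine that has no key. Gate on the secret instead, for example skip when process.env.TN_READER_PRIVATE_KEY is unset, so the skip condition matches the real dependency. The two added lines that contain only spaces also introduce trailing whitespace; leave them empty.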

As per static analysis hints.

.github/workflows/ci.yml (1)

12-12: Use event_name to explicitly guard access to pull_request context.

The condition works correctly for both push and pull_request events, but it doesn't follow GitHub Actions best practices. For pull_request events, github.event.pull_request is populated with properties like draft; for push events, it's absent and treated as null. Best practice is to check the event name before using pull_request-specific properties.

The suggested refactor makes intent explicit and avoids null property access:

-    if: github.event.pull_request.draft == false || github.event.pull_request == null
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
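
Review bot: because this if filters out drafts, a PR opened as a draft only gets a CI run if the workflow is triggered again when it is marked ready. The default pull_request activity types are opened, synchronize and reopened, so confirm that on.pull_request.types in ci.yml includes ready_for_review; otherwise the PR shows no CI result until the next push.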

This clearly expresses the logic: run on all push events, or on non-draft pull requests.

.github/workflows/release.yml (2)

127-145: Reconsider || true on git add to avoid masking errors.

Line 139 uses || true to suppress errors from git add, which also hides permission or filesystem failures—not just the benign "nothing to add" case. The subsequent git diff --cached --quiet check handles the no-changes case, but errors are still silently swallowed.

Consider refactoring to explicitly handle the no-changes case:

- git add package.json pnpm-lock.yaml || true
- if git diff --cached --quiet; then
+ if ! git add package.json pnpm-lock.yaml; then
+   echo "Warning: git add failed; proceeding anyway"
+ fi
+ if git diff --cached --quiet; then
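
Review bot: the replacement still continues after a failed git add ("proceeding anyway"), so it behaves like || true with an extra log line, and a permission or filesystem error can still fall into the git diff --cached --quiet branch as if there were nothing to commit. In a release job make the failure fatal: print the error and exit 1 inside the if, or drop the if ! wrapper and let the step fail on git add's exit status.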

Alternatively, if these files are expected to always exist, remove || true and let failures surface.


170-184: Prerelease flag logic has a redundant condition.

Line 179 checks both != "latest" and -n "${{ github.event.inputs.dist_tag }}", but since dist_tag defaults to "beta" (line 13), the emptiness check is unnecessary.

Simplify to:

- if [[ "${{ github.event.inputs.dist_tag }}" != "latest" && -n "${{ github.event.inputs.dist_tag }}" ]]; then
+ if [[ "${{ github.event.inputs.dist_tag }}" != "latest" ]]; then
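
Review bot: both the old and the new line expand ${{ github.event.inputs.dist_tag }} into the script text before bash parses it, so the input's content becomes shell source rather than data. Bind it once in the step's env block (for example DIST_TAG: ${{ github.event.inputs.dist_tag }}) and test "$DIST_TAG" inside the [[ ]] instead. The -n check is also only redundant while workflow_dispatch is the sole trigger, since input defaults are not applied to other events; with an empty value the simplified test takes the prerelease branch where the original did not.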

This is a minor clarity improvement with no behavioral change.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 22ca79d and 900ccc8.

📒 Files selected for processing (9)
  • .github/workflows/ci.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • LICENSE (1 hunks)
  • README.md (1 hunks)
  • docs/AttestationLibrary.md (3 hunks)
  • hardhat.config.cts (1 hunks)
  • package.json (2 hunks)
  • test/requestv1/OffchainLogic.test.ts (1 hunks)
  • tsconfig.build.json (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-10-20T15:59:08.068Z
Learnt from: outerlook
PR: trufnetwork/evm-contracts#9
File: contracts/attestation/TrufAttestation.sol:151-161
Timestamp: 2025-10-20T15:59:08.068Z
Learning: The TrufAttestation library in contracts/attestation/TrufAttestation.sol intentionally does not impose upper bounds on decoded datapoints or other business logic constraints, leaving such validation to consumer contracts that have specific use-case requirements.

Applied to files:

  • docs/AttestationLibrary.md
🧬 Code graph analysis (1)
test/requestv1/OffchainLogic.test.ts (2)
test/helpers/environment.ts (1)
  • getEnv (5-11)
src/getSource.ts (1)
  • getSource (25-38)
🪛 Biome (2.1.2)
test/requestv1/OffchainLogic.test.ts

[error] 24-32: Disallow duplicate setup and teardown hooks.

Disallow before duplicacy inside the describe function.

(lint/suspicious/noDuplicateTestHooks)

🔇 Additional comments (14)
LICENSE (1)

1-13: LGTM!

The Apache License 2.0 is appropriate for this project, and the copyright notice is correctly formatted.

hardhat.config.cts (1)

13-15: LGTM!

The conditional task loading based on SKIP_HARDHAT_TASKS is a good optimization for CI environments where tasks aren't needed.

tsconfig.build.json (1)

1-17: LGTM!

The build configuration is well-structured for a published library. ES2020 target, declaration output to dist, and proper exclusions are all appropriate.

docs/AttestationLibrary.md (2)

3-3: LGTM!

The updated installation guidance with the npm package name is clear and aligns with the new publishing setup.


54-54: LGTM!

The import path change from @trufnetwork/evm-contracts/src to @trufnetwork/evm-contracts correctly reflects the package.json exports configuration.

README.md (1)

1-46: LGTM!

The README restructuring clearly presents the package's primary purpose (attestation verification) while maintaining backward compatibility documentation for legacy Chainlink Functions tooling. Installation instructions and usage examples are helpful.

.github/workflows/ci.yml (1)

46-57: LGTM!

The compile, build, and test steps are properly structured. Setting SKIP_HARDHAT_TASKS=true during compilation and testing correctly aligns with the conditional task loading in hardhat.config.cts.

package.json (3)

3-10: LGTM!

Version bump to 0.1.0-beta, setting private: false, and adding repository metadata are all appropriate for preparing the package for public npm publishing.


15-16: JSON syntax error: missing comma.

Line 15 is missing a trailing comma, which will cause a parse error.

Apply this fix:

-    "prepare": "pnpm run build",
+    "prepare": "pnpm run build",
   "test": "hardhat test test/attestation/TrufAttestation.test.ts test/attestation/TrufAttestationConsumer.test.ts"
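
Review bot: the removed and added "prepare" lines are identical as shown and both already end in a comma, so this hunk changes nothing and no missing comma is visible in these lines. Drop the suggestion; if a parse error is suspected, have CI run package.json through a JSON parser rather than patching by eye.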

Likely an incorrect or invalid review comment.


53-72: Package distribution configuration is correctly structured.

The files array includes all necessary artifacts, and the main, module, types, and exports entries properly reference the built output. The tsconfig.build.json is configured with "outDir": "./dist" and "declaration": true, ensuring that dist/index.js and dist/index.d.ts will be generated during the build process. The prepare script automatically runs the build before publishing, so the distribution artifacts will be present at publish time.

.github/workflows/release.yml (4)

1-71: Setup and configuration look solid.

The workflow trigger, permissions, concurrency handling, and Node.js setup are well-structured. The ACT-conditional paths (for local act testing) maintain consistency with your CI workflow patterns. The explicit version pins (pnpm v9, Node v22) are good practice.


72-98: Version computation logic is comprehensive.

The multi-branch logic (explicit version → dist_tag channel → auto-patch) covers release scenarios well. The pre-release format (v{BASE_VERSION}-{CHANNEL}.{SHORT_SHA}, e.g., v0.1.0-beta.abc1234) is valid semver, though note that dots in pre-release identifiers may interact unexpectedly with some semver tooling. If this aligns with your project's versioning conventions, no action needed.

Please confirm this pre-release format aligns with your project's versioning strategy and any downstream consumer expectations.


106-126: Verify npm version supports --provenance flag.

Line 125 uses --provenance which requires npm ≥10.8.3. While Node v22 typically includes a recent npm, ubuntu-latest is a moving target and may not guarantee this version. Consider either:

  • Pinning npm version in the setup step, or
  • Testing in the act environment to confirm availability.

Please verify or add an npm version check to ensure --provenance support before publishing.


147-168: Git tag and release safeguards are well‑implemented.

The checks to ensure tags don't already exist (lines 147–160) and the clean tag/push logic (lines 162–168) are solid. The GitHub release creation with conditional prerelease flag (lines 170–184) is appropriate.
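
The pre-release format discussed in the review above, v{BASE_VERSION}-{CHANNEL}.{SHORT_SHA}, checked against the SemVer 2.0.0 grammar and precedence rules. This is an added example, not code from the PR or the project's release workflow; the function names are hypothetical, the sample tags are constructed, and SHORT_SHA is assumed to be an abbreviated hex commit hash.

```javascript
// Added example: validate a release tag against SemVer 2.0.0 and order
// pre-release lists the way semver-aware tooling does.
const CORE = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$/;
const IDENT = /^[0-9A-Za-z-]+$/;
const NUMERIC = /^\d+$/;

function checkReleaseVersion(tag) {
  // The leading "v" is a git tag convention, not part of the version.
  const version = tag.startsWith("v") ? tag.slice(1) : tag;
  const plus = version.indexOf("+");
  const noBuild = plus === -1 ? version : version.slice(0, plus);
  const dash = noBuild.indexOf("-");
  const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
  const pre = dash === -1 ? [] : noBuild.slice(dash + 1).split(".");
  if (!CORE.test(core)) return { ok: false, reason: "bad core version" };
  for (const id of pre) {
    // Rejects empty identifiers ("beta..x", trailing dot) and bad characters.
    if (!IDENT.test(id)) return { ok: false, reason: `bad identifier "${id}"` };
    // An all-digit short SHA is a numeric identifier: no leading zeros allowed.
    if (NUMERIC.test(id) && id.length > 1 && id[0] === "0") {
      return { ok: false, reason: `numeric identifier "${id}" has a leading zero` };
    }
  }
  return { ok: true, core, pre };
}

function compareIdentifiers(a, b) {
  const an = NUMERIC.test(a);
  const bn = NUMERIC.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an !== bn) return an ? -1 : 1; // numeric sorts below alphanumeric
  return a < b ? -1 : a > b ? 1 : 0; // ASCII order
}

// Compares two non-empty pre-release identifier lists (same core version).
function comparePrerelease(x, y) {
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    if (i >= x.length) return -1; // the shorter list sorts lower
    if (i >= y.length) return 1;
    const c = compareIdentifiers(x[i], y[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Constructed samples in the page's format.
const samples = ["v0.1.0-beta.abc1234", "v0.1.0-beta.1234567", "v0.1.0-beta.0123456"];
for (const s of samples) console.log(s, JSON.stringify(checkReleaseVersion(s)));
```

Ordering between two builds on the same channel follows the hash text, not commit time, so consumers resolving a range against the beta channel should pin an exact version or rely on the dist-tag.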


holdex bot commented Oct 21, 2025

Time Submission Status

| Member | Status | Time | Action | Last Update |
|---|---|---|---|---|
| outerlook | ✅ Submitted | 4h | Update time | Oct 21, 2025, 6:15 PM |
| MicBun | ✅ Submitted | 15min | Update time | Oct 21, 2025, 6:15 PM |

- Removed redundant error handling in Hardhat configuration for package.json writing.
- Streamlined the OffchainLogic test setup by relocating the CI skip condition to the main before hook, improving clarity and organization.
@outerlook outerlook requested a review from MicBun October 21, 2025 15:24
MicBun
MicBun previously approved these changes Oct 21, 2025
@MicBun MicBun left a comment

lgtm

MicBun commented Oct 21, 2025

The CI is failing. Will you fix it here, or will it be fixed in another issue? @outerlook

- Removed pnpm-lock.yaml from .gitignore to allow tracking of pnpm lock file.
- Added pnpm-lock.yaml to the repository to manage package dependencies consistently with pnpm.
@outerlook
Collaborator Author

thanks for spotting, @MicBun, now fixed

@outerlook outerlook requested a review from MicBun October 21, 2025 18:08
@MicBun MicBun left a comment

lgtm

@MicBun MicBun merged commit a1819f7 into main Oct 21, 2025
6 checks passed
@MicBun MicBun deleted the chore/pub-att branch October 21, 2025 18:15
Development

Successfully merging this pull request may close these issues.

Problem: Contracts not published to NPM

3 participants