feat(ci): add trusted publisher release workflows for JS and Python SDKs #686

Merged: Leechael merged 4 commits into master from feat/sdk-release-workflows on Jun 1, 2026

Conversation

@Leechael (Collaborator)

Add GitHub Actions workflows that publish to npm and PyPI using OIDC trusted publishers (no long-lived secrets).

  • JS SDK (js-sdk-release.yml): triggered by js-sdk-v* tags, publishes to npm with provenance. Includes npm upgrade, OIDC verification, and repository consistency checks.
  • Python SDK (python-sdk-release.yml): triggered by python-sdk-v* tags, builds with PDM and publishes via pypa/gh-action-pypi-publish.
  • Adds repository field to sdk/js/package.json — required for npm Trusted Publishers / Sigstore provenance verification.

Registry configuration needed before first publish

@Leechael Leechael force-pushed the feat/sdk-release-workflows branch 4 times, most recently from ebdad08 to d0cc3c2 on May 19, 2026 08:17
Leechael added 2 commits May 19, 2026 16:45
Add GitHub Actions workflows that publish to npm and PyPI using OIDC
trusted publishers (no long-lived secrets).

- js-sdk-release.yml: triggered by js-sdk-v* tags, publishes to npm
  with provenance. Includes npm upgrade, OIDC verification, and
  repository consistency checks.
- python-sdk-release.yml: triggered by python-sdk-v* tags, builds
  with PDM and publishes via pypa/gh-action-pypi-publish.
- Add repository field to sdk/js/package.json (required for npm
  Trusted Publishers / Sigstore provenance verification).
@Leechael Leechael force-pushed the feat/sdk-release-workflows branch 3 times, most recently from a6faf1f to 5032ce7 on May 19, 2026 09:25

Copilot AI (Contributor) left a comment

Pull request overview

Adds GitHub Actions release automation to publish the JS SDK to npm and the Python SDK to PyPI using OIDC trusted publishers (no long-lived registry tokens), plus small SDK metadata/config updates to support trusted publishing.

Changes:

  • Introduces tag-triggered release workflows for publishing JS (js-sdk-v*) to npm (with provenance) and Python (python-sdk-v*) to PyPI/TestPyPI.
  • Updates SDK versions and npm package metadata (repository), and bumps TS compile targets to ES2020.
  • Adjusts JS env var encryption key import and adds Claude local settings files under sdk/js/.claude/.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 24 comments.

Summary per file (file: description)
sdk/python/pyproject.toml: Bumps Python SDK version and minor formatting cleanup.
sdk/js/tsconfig.json: Raises TS compilation target to ES2020.
sdk/js/tsconfig.node.json: Raises Node TS compilation target to ES2020.
sdk/js/tsconfig.browser.json: Raises browser TS compilation target to ES2020 and trims whitespace.
sdk/js/src/encrypt-env-vars.ts: Tweaks WebCrypto key import input type for AES-GCM.
sdk/js/package.json: Bumps JS SDK version, adds repository metadata for npm trusted publishing, pins typescript.
sdk/js/.claude/settings.local.json: Adds Claude local permissions configuration (machine-local content).
sdk/js/.claude/settings.local.json.license: Adds license sidecar for the local Claude settings file.
.github/workflows/python-sdk-release.yml: New workflow to build (PDM) and publish Python SDK to PyPI/TestPyPI via OIDC.
.github/workflows/js-sdk-release.yml: New workflow to build and publish JS SDK to npm via OIDC + provenance and create a GitHub Release.
Comments suppressed due to low confidence (3)

sdk/js/src/encrypt-env-vars.ts:55

  • In Node.js, the crypto module does not expose subtle/getRandomValues at the top level; those live under crypto.webcrypto (or globalThis.crypto). As written, crypto.subtle will be undefined at runtime and encryption will fail.
  // Import shared key for AES-GCM
  const importedShared = await crypto.subtle.importKey(
    "raw",
    new Uint8Array(shared),
    { name: "AES-GCM", length: 256 },
    true,
    ["encrypt"],
  );

  // Encrypt the data
  const iv = crypto.getRandomValues(new Uint8Array(12));
  const encrypted = await crypto.subtle.encrypt(
    { name: "AES-GCM", iv },
    importedShared,
    new TextEncoder().encode(envsJson),
  );


Collapsed review comment threads on: sdk/js/tsconfig.json, sdk/js/tsconfig.node.json, sdk/js/tsconfig.browser.json, sdk/js/.claude/settings.local.json, sdk/js/.claude/settings.local.json.license, .github/workflows/js-sdk-release.yml, .github/workflows/python-sdk-release.yml (all but one of the js-sdk-release.yml threads marked Outdated).

- Align tsconfig lib to es2020 to match target in all three tsconfig files
- Remove machine-local .claude/settings.local.json from tracking and add
  to .gitignore
- Remove non-reproducible npm@latest install step from JS workflow
- Fix JS workflow version extraction: read from package.json on
  workflow_dispatch, verify tag matches package.json on tag push
- Fix Python workflow version extraction: read from pyproject.toml on
  workflow_dispatch, verify tag matches pyproject.toml on tag push
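The release gate that the PR description and the commit message above describe (tag must match the manifest version; repository field must be consistent with the publishing repository), written out as an added example in a form a GitHub Actions `run:` step could use. This is not the PR's workflow code; the package.json contents and the example-org/example-sdk repository are constructed placeholders, and GITHUB_EVENT_NAME / GITHUB_REF / GITHUB_REPOSITORY are assumed to hold the values GitHub sets on the runner.

```shell
# Added example, not the PR's workflow code. Release-gate logic of the kind the
# commit message describes: on a tag push the js-sdk-v* tag must equal the version
# in package.json, on workflow_dispatch the version is read from package.json, and
# repository.url must name the repository the workflow runs in (assumed env names).

# First "version" string in a package.json (sed only, no jq needed on the runner).
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the version to publish, or return 1 (message on stderr) when the gate fails.
#   $1 = event name (push | workflow_dispatch)  $2 = GITHUB_REF  $3 = package.json path
resolve_version() {
  event="$1"; ref="$2"; pkg_ver=$(pkg_version "$3")
  [ -n "$pkg_ver" ] || { echo "no version field in $3" >&2; return 1; }
  if [ "$event" = "workflow_dispatch" ]; then echo "$pkg_ver"; return 0; fi
  case "$ref" in
    refs/tags/js-sdk-v*) tag_ver="${ref#refs/tags/js-sdk-v}" ;;
    *) echo "ref '$ref' is not a js-sdk-v* tag" >&2; return 1 ;;
  esac
  [ "$tag_ver" = "$pkg_ver" ] || {
    echo "tag version $tag_ver does not match package.json version $pkg_ver" >&2; return 1; }
  echo "$tag_ver"
}

# Repository consistency: repository.url ("git+https://github.com/owner/name.git")
# must reduce to owner/name == GITHUB_REPOSITORY, otherwise the provenance
# attestation would name a different source repository than the one npm verifies.
repo_matches() {
  url=$(sed -n 's/^[[:space:]]*"url"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n 1)
  got="${url#git+}"; got="${got#https://github.com/}"; got="${got%.git}"
  [ "$got" = "$1" ]
}

# Constructed sample package.json with a placeholder repository (not the project's).
PKG=$(mktemp); trap 'rm -f "$PKG"' EXIT
cat > "$PKG" <<'EOF'
{
  "name": "example-sdk",
  "version": "1.2.3",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/example-org/example-sdk.git"
  }
}
EOF
resolve_version push refs/tags/js-sdk-v1.2.3 "$PKG"
resolve_version push refs/tags/js-sdk-v1.2.4 "$PKG" || echo "release blocked"
repo_matches example-org/example-sdk "$PKG" && echo "repository field consistent"
```

In a workflow the two functions would be called with "$GITHUB_EVENT_NAME" "$GITHUB_REF" and "$GITHUB_REPOSITORY", and a non-zero exit fails the job before any publish step runs.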
@Leechael Leechael merged commit 5c37b25 into master Jun 1, 2026
15 checks passed
@Leechael Leechael deleted the feat/sdk-release-workflows branch June 1, 2026 09:58