Replace the broken NPM_TOKEN-based publish path with npm OIDC Trusted Publishing. The token belonged to a pinax-network bot that no longer has publish rights on @graphprotocol/graph-cli, causing snapshot releases to fail with E404 despite valid OIDC provenance being signed. Consolidate stable releases and alpha/rc snapshots into a single publish.yml because npmjs.com Trusted Publisher accepts only one workflow filename per package. Move auto-changesets for Renovate PRs to mscharley/dependency-changesets-action (actively maintained); the old the-guild-org upstream is unmaintained since 2023. Drop all pinax-network infrastructure: actions, bot identity, GPG signing secrets, and the misnamed "shared" workflow files (they were only used by this repo). Bot commits are now authored by github-actions[bot] and signed by GitHub's web-flow key via changesets/action, preserving the "Verified" badge. Requires Trusted Publisher to be registered on npmjs.com for both @graphprotocol/graph-cli and @graphprotocol/graph-ts before merging, pointing at workflow filename publish.yml. The NPM_TOKEN, PINAX_BOT_GITHUB_TOKEN, and PINAX_BOT_PGP_* secrets can be removed from repo settings after the first stable release succeeds.
🦋 Changeset detected
Latest commit: 7fe67ac
The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR.
- Lift the release commit message into an env var so the inline `chore(release):` colon no longer breaks YAML's plain-scalar rules in `if:` conditions (prettier's parser was rejecting the file).
- Drop `githubReleaseName` and `githubReleaseAssets` — those were pinax-fork extensions, not inputs on upstream `changesets/action@v1`.
- Re-add asset upload as a follow-up step using `gh release upload`, gated on `steps.changesets.outputs.published`. Recent stable releases (0.97.0, 0.98.0) had hundreds of binary downloads, so this behavior should not regress.
Deploying graph-tooling with Cloudflare Pages

| Latest commit: | 7fe67ac |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://82349e85.graph-tooling.pages.dev |
| Branch Preview URL: | https://lutter-ci.graph-tooling.pages.dev |
`@changesets/changelog-github` (the configured changelog generator) calls the GitHub REST API to enrich entries with PR and user info, and fails closed with `Please create a GitHub personal access token` when no token is set. The old pinax snapshot action injected GITHUB_TOKEN implicitly; the inlined version has to set it explicitly on the version and publish steps. The "Package X must depend on the current version" messages in the same log are harmless warnings about ignored example packages (.changeset/config.json: ignore=[example-*]) and were also present in the prior pinax-driven runs.
GitHub will force Node.js 20 actions to Node.js 24 starting 2026-06-02 and remove Node 20 from runners on 2026-09-16. The deprecation warning called out two actions used by the composite setup-node:
- pnpm/action-setup@v4.2.0 → bumped to v6 (drop-in; same inputs).
- styfle/cancel-workflow-action@0.12.1 → removed entirely. It's been superseded by GitHub's built-in `concurrency:` keyword. Add matching concurrency groups to ci.yml (cancel PR runs, preserve main) and changeset-deps.yml (cancel per-PR). publish.yml already has concurrency on both jobs.
Also pin mscharley/dependency-changesets-action to v1.2.4 — the action publishes specific patch tags but no floating v1.
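A minimal sketch of the consolidated publish.yml shape the commits above describe (single workflow filename, OIDC Trusted Publishing with no NPM_TOKEN, explicit GITHUB_TOKEN for the changelog generator, concurrency on both jobs). This is an added illustration, not the repository's actual workflow; it assumes an npm-based install/build step (the repo itself uses pnpm), that @changesets/cli is available via npx, and the job names, concurrency group names and the `alpha` tag are assumptions.

```yaml
name: Publish
on:
  push:
    branches: [main]     # stable releases
  pull_request:          # alpha/rc snapshot releases
# No NPM_TOKEN secret: npm exchanges a per-job OIDC token with the registry.
permissions:
  contents: write        # changesets/action pushes the release branch
  pull-requests: write   # ...and opens/updates the "Version Packages" PR
  id-token: write        # lets npm request the OIDC token for Trusted Publishing
jobs:
  release:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    concurrency:
      group: publish-stable
      cancel-in-progress: false   # never interrupt an in-flight stable publish
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # Trusted Publishing needs npm >= 11.5.1
      - run: npm ci && npm run build     # assumed install/build step
      - uses: changesets/action@v1
        with:
          publish: npx changeset publish   # runs `npm publish` per package
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # @changesets/changelog-github needs it
  snapshot:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    concurrency:
      group: publish-snapshot-${{ github.event.pull_request.number }}
      cancel-in-progress: true    # a newer push to the PR supersedes the old snapshot
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest
      - run: npm ci && npm run build
      - run: npx changeset version --snapshot alpha
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # changelog enrichment on version too
      - run: npx changeset publish --tag alpha --no-git-tag
```

Snapshot publishes will not work for pull requests opened from forks: `pull_request` runs from forks get a read-only GITHUB_TOKEN and no OIDC token, so the snapshot job needs to be limited to same-repo branches.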
The hardhat node in examples/ethereum-basic-event-handlers/hardhat runs with `"hardhat": "^2.22.1"` and no lockfile, so each CI run picks the latest matching release (currently 2.28.6). Hardhat 2.26+ defaults to the Prague hardfork, which enforces EIP-7825's per-transaction gas cap of 2^24 (16,777,216). The test contract deploy needs ~30M gas and gets rejected with `ProviderError: Transaction gas limit is 30000000 and exceeds transaction gas cap of 16777216`. Pinning the in-container network's hardfork to `cancun` restores pre-EIP-7825 behavior without locking the hardhat version.
…round Link #2127 from the cancun-hardfork comment so anyone touching the file finds the tracking ticket for the proper fix (deterministic hardhat version via lockfile or pinned version).
Node 20 reached EOL on 2026-04-30. Bump the declared minimum to Node 22 (22.11.0 for the CLI package), replace Node 20 with Node 22 in the single-version CI jobs, and shift the CLI test matrix from [20, 22] to [22, 24] so what we test matches what publish.yml already ships on.
Summary
Migrate publishing to npm Trusted Publishing (OIDC) and remove all pinax-network infrastructure from CI.
The Snapshot Release workflow has been failing on every PR with `E404 Not Found - PUT https://registry.npmjs.org/@graphprotocol%2fgraph-cli`. Root cause: the NPM_TOKEN belongs to a pinax-network bot that no longer has publish rights on the package (current _npmUser is yaroshkvorets; registered maintainers are nasmr and neysofu, none of which are graphprotocol accounts). The OIDC handshake succeeds and provenance is signed and uploaded to sigstore — only the actual PUT to the registry fails because it uses the stale token.
This change:
Net diff: 6 files, +151 / −278 lines of YAML.
Test plan