Add workflow to publish package distributions

[Dargon789]

Summary by Sourcery

CI:

• Introduce a Publish Dists workflow that builds packages, rewrites workspace dependencies for published packages, and force-pushes the resulting dist contents to per-package dist branches.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
sequence-js-docs	Ready	Preview, Comment	Dec 26, 2025 7:55pm
sequence-js-web	Ready	Preview, Comment	Dec 26, 2025 7:55pm
sequence.js	Ready	Preview, Comment	Dec 26, 2025 7:55pm
wagmi-project	Ready	Preview, Comment	Dec 26, 2025 7:55pm

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[sourcery-ai]

Reviewer's Guide

Introduces a GitHub Actions workflow that builds specific packages and publishes their built distributions to dedicated dist branches, rewriting workspace dependencies to point at those dist branches before force-pushing them to the repository.

Sequence diagram for triggering and executing the dist publishing workflow

sequenceDiagram
  actor Dev
  participant GitHub
  participant Workflow_Publish_Dists as Workflow_Publish_Dists
  participant Runner as GitHub_Runner
  participant Repo as GitHub_Repository

  Dev->>GitHub: Push to master or manual workflow_dispatch
  GitHub->>Workflow_Publish_Dists: Trigger workflow
  Workflow_Publish_Dists->>Runner: Start job build-and-push

  Runner->>Repo: actions/checkout@v4 (fetch-depth 0)
  Runner->>Runner: Run install-dependencies action
  Runner->>Runner: Run pnpm run build

  loop For each PACKAGE in PACKAGES
    Runner->>Runner: Copy packages/PACKAGE to /tmp/PACKAGE
    Runner->>Runner: git init and checkout branch dists/PACKAGE
    Runner->>Runner: Rewrite workspace deps in package.json
    Runner->>Repo: git push -f HEAD:dists/PACKAGE using GITHUB_TOKEN
  end

  Runner-->>Workflow_Publish_Dists: Job build-and-push completed
  Workflow_Publish_Dists-->>GitHub: Report workflow status
  GitHub-->>Dev: Show workflow result in checks

Loading

Flow diagram for per-package dist branch preparation and publishing

flowchart TD
  A[Start job build-and-push] --> B[Checkout repo with fetch-depth 0]
  B --> C[Install dependencies via local action]
  C --> D[Run pnpm run build]
  D --> E[Iterate PACKAGES array]

  subgraph Loop_per_PACKAGE
    direction TB
    E --> F[Set BRANCH to dists/PACKAGE and PKG_DIR to packages/PACKAGE]
    F --> G[Create temp dir /tmp/PACKAGE]
    G --> H[Copy PKG_DIR contents to temp dir]
    H --> I[cd into /tmp/PACKAGE]
    I --> J[git init]
    J --> K[git checkout -b BRANCH]
    K --> L[Configure git user github-actions]
    L --> M[Run node script to rewrite workspace deps in package.json]
    M --> N[git add .]
    N --> O[git commit -m Build: publish PACKAGE dist]
    O --> P[git remote add origin with GITHUB_TOKEN]
    P --> Q[git push -f origin HEAD:BRANCH]
    Q --> R[cd back]
    R --> E
  end

  E --> S[All packages processed]
  S --> T[End job]

Loading

File-Level Changes

Change	Details	Files
Add a GitHub Actions workflow to build selected packages and publish their dist contents to dedicated branches with rewritten dependency versions.	Define a Publish Dists for Packages workflow triggered on pushes to master and manual dispatch, running on ubuntu-latest. Check out the repository with full history and install dependencies using the shared install-dependencies composite action. Build the monorepo packages via pnpm run build before publishing. For each configured package path, copy its built contents to a temp directory, initialize a git repository, and create a branch named dists/. Run a Node script to rewrite workspace: dependencies in package.json to GitHub repo-based versions targeting corresponding dist branches. Configure git identity, commit the package contents, and force-push each branch to the origin remote under dists/.	.github/workflows/Publish-Dists.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 4 issues, and left some high level feedback:

• The bash step that copies and cd’s into package directories should quote variable expansions (e.g. cp -r "$PKG_DIR"/* "/tmp/$PACKAGE", cd "/tmp/$PACKAGE") to avoid issues if paths ever contain spaces or unexpected globbing.
• The Node script only rewrites dependencies; if any of these packages reference workspace versions via devDependencies, peerDependencies, or optionalDependencies, consider extending rewrite to cover those fields as well to keep dependency specs consistent across the dist branches.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The bash step that copies and cd’s into package directories should quote variable expansions (e.g. `cp -r "$PKG_DIR"/* "/tmp/$PACKAGE"`, `cd "/tmp/$PACKAGE"`) to avoid issues if paths ever contain spaces or unexpected globbing.
- The Node script only rewrites `dependencies`; if any of these packages reference workspace versions via `devDependencies`, `peerDependencies`, or `optionalDependencies`, consider extending `rewrite` to cover those fields as well to keep dependency specs consistent across the dist branches.

## Individual Comments

### Comment 1
<location> `.github/workflows/Publish-Dists.yml:24` </location>
<code_context>
+        run: pnpm run build
+
+      - name: Prepare dist branch
+        run: |
+          PACKAGES=("services/guard" "services/identity-instrument" "services/relayer" "wallet/core" "wallet/primitives" "wallet/wdk" "wallet/dapp-client")
+
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Consider making the shell block fail-fast for safer publishing.

Because the script doesn’t fail on all errors (aside from the explicit `|| true`), a partial or broken publish could slip through. Add `set -euo pipefail` at the top of this `run` block so unexpected failures (git/node/publish) stop the workflow instead of continuing.

Suggested implementation:

```
      - name: Prepare dist branch
        run: |
          set -euo pipefail

          PACKAGES=("services/guard" "services/identity-instrument" "services/relayer" "wallet/core" "wallet/primitives" "wallet/wdk" "wallet/dapp-client")

```

If there are further commands that were supposed to be in this `Prepare dist branch` step (e.g., git operations, build/publish commands), they should be appended below the `PACKAGES=(...)` line inside the same `run: |` block so that they also benefit from `set -euo pipefail`.
</issue_to_address>

### Comment 2
<location> `.github/workflows/Publish-Dists.yml:31-35` </location>
<code_context>
+            echo "📦 Publishing $PACKAGE to $BRANCH"
+
+            mkdir -p /tmp/$PACKAGE
+            shopt -s dotglob
+            cp -r $PKG_DIR/* /tmp/$PACKAGE || true
+
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Avoid relying on bash-specific `shopt` without explicitly pinning the shell.

This step depends on `shopt -s dotglob`, which only works in bash. While `ubuntu-latest` currently defaults to bash, that’s an implicit assumption. To make this robust, either set `shell: bash` for the step or use a more portable pattern like `cp -r "$PKG_DIR"/. "/tmp/$PACKAGE"` so it doesn’t break if the default shell changes.

```suggestion
            echo "📦 Publishing $PACKAGE to $BRANCH"

            mkdir -p "/tmp/$PACKAGE"
            cp -r "$PKG_DIR"/. "/tmp/$PACKAGE" || true
```
</issue_to_address>

### Comment 3
<location> `.github/workflows/Publish-Dists.yml:66-68` </location>
<code_context>
+                  if (deps[k].startsWith("workspace:")) {
+                    const version = versions[k];
+                    
+                    if (!version) {
+                      console.warn(`No version found for ${k}, skipping...`);
+                      continue;
+                    }
+
</code_context>

<issue_to_address>
**issue (bug_risk):** Leaving unknown workspace: deps unchanged may produce invalid published packages.

If a `workspace:` dependency key isn’t in `versions`, it’s only logged and left unchanged. That means the published `package.json` can still contain `workspace:` ranges, which package managers can’t install. Please either fail in this case or replace these with a valid fallback / skip publishing that package so that all published artifacts are installable.
</issue_to_address>

### Comment 4
<location> `.github/workflows/Publish-Dists.yml:77-78` </location>
<code_context>
+                }
+              };
+
+              rewrite(pkg.dependencies);
+              fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2));
+            '
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Only transforming `dependencies` may miss other workspace references.

The current rewrite only covers `pkg.dependencies`, so any `workspace:` entries in `devDependencies`, `peerDependencies`, or `optionalDependencies` will remain unchanged and unusable in the dist output. Consider invoking `rewrite` for each of these fields to ensure all workspace references are handled consistently.

```suggestion
              ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'].forEach((field) => {
                if (pkg[field]) {
                  rewrite(pkg[field]);
                }
              });
              fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2));
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}