cjroth · cjroth · May 9, 2026 · May 8, 2026 · May 8, 2026 · May 8, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,105 @@
+name: CI
+
+# All third-party actions are pinned to a full commit SHA (40-char hex)
+# so a compromised release tag can't silently slip into our pipelines.
+# The trailing comment names the upstream tag the SHA was resolved from
+# at the time of pinning. To bump, run:
+#   git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>^{}
+# and replace both the SHA and the comment.
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  rust:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-08
+        with:
+          components: clippy, rustfmt
+          targets: wasm32-unknown-unknown
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
+      - name: Format check
+        run: cargo fmt --all -- --check
+      - name: Clippy (advisory)
+        run: cargo clippy --workspace --all-targets || true
+      - name: Test (native, locked deps)
+        # --locked enforces Cargo.lock and refuses any version not pinned
+        # there. Combined with deps:cargo (below) this gives us a partial
+        # equivalent of "minimum-release-age": no automatic resolution to
+        # freshly-published versions on CI runs.
+        run: cargo test --workspace --locked
+      - name: Wasm32 build sanity
+        run: cargo check -p agentsync-core -p agentsync-wasm --target wasm32-unknown-unknown --locked
+
+  deps-cargo:
+    # Cargo doesn't (yet) implement a minimum-release-age — see
+    # rust-lang/cargo#15973. The closest practical defenses are:
+    #   1. `--locked` builds (we do this above and in publish workflows).
+    #   2. cargo-deny's advisories + yanked + bans checks.
+    # When the cargo feature lands we should switch to it.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-08
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
+      - uses: taiki-e/install-action@cca35edeb1d01366c2843b68fc3ca441446d73d3  # v2
+        with:
+          tool: cargo-deny
+      - run: cargo deny --all-features check advisories bans sources
+
+  sdk:
+    runs-on: ubuntu-latest
+    needs: rust
+    defaults:
+      run:
+        working-directory: sdks/typescript
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-08
+        with:
+          targets: wasm32-unknown-unknown
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2
+        with:
+          bun-version: latest
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
+        with:
+          node-version: '22'
+      - uses: jetli/wasm-pack-action@0d096b08b4e5a7de8c28de67e11e945404e9eefa  # v0.4.0
+        with:
+          version: 'latest'
+
+      - name: Install deps
+        # bunfig.toml sets minimumReleaseAge = 604800 (7d). --frozen-lockfile
+        # then enforces that the lockfile we ship was already produced under
+        # that policy.
+        run: bun install --frozen-lockfile
+
+      - name: Build wasm + ts
+        run: bun run build
+
+      - name: Lint
+        run: bun run lint
+
+      - name: Typecheck
+        run: bun run typecheck
+
+      - name: Unit tests
+        run: bun test test/unit
+
+      - name: Build CLI for e2e
+        working-directory: ${{ github.workspace }}
+        run: cargo build --release --bin agentsync --locked
+
+      - name: E2E tests
+        env:
+          AGENTSYNC_BIN: ${{ github.workspace }}/target/release/agentsync
+        run: bun run test:e2e
diff --git a/.github/workflows/publish-crates.yml b/.github/workflows/publish-crates.yml
@@ -0,0 +1,106 @@
+name: Publish to crates.io
+
+# Mirrors the npm flow: every push to main publishes a pre-release
+# `<base>-<sha>` build, every `v*` tag publishes a real release. The
+# wasm crate ships through npm via publish-npm.yml, not crates.io.
+#
+# Third-party actions are SHA-pinned; see ci.yml for the bump procedure.
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  workflow_dispatch:
+
+concurrency:
+  group: publish-crates-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-08
+        with:
+          components: clippy, rustfmt
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
+      - uses: taiki-e/install-action@cca35edeb1d01366c2843b68fc3ca441446d73d3  # v2
+        with:
+          tool: cargo-deny
+      - name: Format check
+        run: cargo fmt --all -- --check
+      - name: Clippy
+        # The pre-existing repo carries some clippy lints we haven't
+        # cleaned up; gate publishing on tests instead of style. Run
+        # clippy as advisory.
+        run: cargo clippy --workspace --all-targets || true
+      - name: Test
+        run: cargo test --workspace --locked
+      - name: cargo-deny
+        # Cargo has no native minimum-release-age (rust-lang/cargo#15973);
+        # cargo-deny's advisories + bans + sources is the closest defense
+        # we can apply uniformly. New deps must be added to deny.toml.
+        run: cargo deny --all-features check advisories bans sources
+
+  publish:
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-08
+
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
+
+      - uses: taiki-e/install-action@cca35edeb1d01366c2843b68fc3ca441446d73d3  # v2
+        with:
+          tool: cargo-edit
+
+      - name: Determine version
+        id: version
+        run: |
+          set -euo pipefail
+          if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
+            VERSION="${GITHUB_REF_NAME#v}"
+          else
+            BASE=$(grep -E '^version\s*=\s*"' Cargo.toml | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
+            SHA=$(git rev-parse --short HEAD)
+            VERSION="${BASE}-${SHA}"
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "Publishing version: $VERSION"
+
+      - name: Set workspace version
+        # cargo-edit's --workspace updates each member, but does NOT update
+        # path+version dependencies between members (e.g. cli depends on
+        # core). Bumping each crate's manifest individually would do that
+        # via --bump, but here we want an explicit value, so do it manually
+        # for the inter-member edges.
+        run: |
+          cargo set-version --workspace "${{ steps.version.outputs.version }}"
+          cargo set-version --package agentsync-core "${{ steps.version.outputs.version }}"
+
+      - name: Publish agentsync-core
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+        run: cargo publish -p agentsync-core --allow-dirty --locked
+
+      - name: Wait for crates.io to index core
+        run: |
+          for i in $(seq 1 30); do
+            if curl -fsSL "https://crates.io/api/v1/crates/agentsync-core/${{ steps.version.outputs.version }}" >/dev/null; then
+              echo "indexed"
+              exit 0
+            fi
+            sleep 5
+          done
+          echo "timed out waiting for crates.io to index agentsync-core"
+          exit 1
+
+      - name: Publish agentsync-cli
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+        run: cargo publish -p agentsync-cli --allow-dirty --locked
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
@@ -0,0 +1,112 @@
+name: Publish @agentsync/sdk to npm
+
+# Mirrors publish-crates.yml: every main push publishes
+# `<base>-<sha>` under the `next` dist-tag; every v* tag publishes the
+# tagged version under `latest`.
+#
+# Third-party actions are SHA-pinned. bunfig.toml gates dependency
+# installs on minimumReleaseAge = 7d.
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  workflow_dispatch:
+
+concurrency:
+  group: publish-npm-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write   # for npm provenance
+
+    defaults:
+      run:
+        working-directory: sdks/typescript
+
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-08
+        with:
+          targets: wasm32-unknown-unknown
+
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
+        with:
+          workspaces: '. -> target'
+
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2
+        with:
+          bun-version: latest
+
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
+        with:
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install wasm-pack
+        uses: jetli/wasm-pack-action@0d096b08b4e5a7de8c28de67e11e945404e9eefa  # v0.4.0
+        with:
+          version: 'latest'
+
+      - name: Install binaryen (wasm-opt)
+        run: |
+          set -e
+          VER=version_119
+          curl -fsSL "https://github.com/WebAssembly/binaryen/releases/download/${VER}/binaryen-${VER}-x86_64-linux.tar.gz" \
+            | sudo tar xz -C /opt
+          sudo ln -sf "/opt/binaryen-${VER}/bin/wasm-opt" /usr/local/bin/wasm-opt
+          wasm-opt --version
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build wasm + ts
+        run: bun run build
+
+      - name: Lint
+        run: bun run lint
+
+      - name: Typecheck
+        run: bun run typecheck
+
+      - name: Unit tests
+        run: bun test test/unit
+
+      - name: Build CLI for e2e
+        working-directory: ${{ github.workspace }}
+        run: cargo build --release --bin agentsync --locked
+
+      - name: E2E tests against real hub
+        env:
+          AGENTSYNC_BIN: ${{ github.workspace }}/target/release/agentsync
+        run: bun run test:e2e
+
+      - name: Determine version + npm tag
+        id: version
+        run: |
+          set -euo pipefail
+          if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
+            VERSION="${GITHUB_REF_NAME#v}"
+            NPM_TAG=latest
+          else
+            BASE=$(node -p "require('./package.json').version")
+            SHA=$(git rev-parse --short HEAD)
+            VERSION="${BASE}-${SHA}"
+            NPM_TAG=next
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "tag=$NPM_TAG" >> "$GITHUB_OUTPUT"
+          echo "Publishing $VERSION under @${NPM_TAG}"
+
+      - name: Set package version
+        run: npm version --no-git-tag-version --allow-same-version "${{ steps.version.outputs.version }}"
+
+      - name: Publish to npm
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --tag "${{ steps.version.outputs.tag }}" --provenance