chore: explicit oprf-node release#726
Conversation
paolodamico
requested review from
a team,
0xThemis,
dkales,
fabian1409 and
philsippl
as code owners
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 79b5f135e7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit ada9887. Configure here.
| exit 0 | ||
| fi | ||
|
|
||
| before_version="$(git show "$BEFORE_SHA:services/oprf-node/Cargo.toml" 2>/dev/null | sed -n 's/^version = "\(.*\)"/\1/p' | head -n1)" |
There was a problem hiding this comment.
pipefail causes script exit on unreachable BEFORE_SHA
Low Severity
With set -euo pipefail, if git show fails (e.g., BEFORE_SHA is unreachable after a force push or is the null SHA), the pipeline's exit status propagates as non-zero due to pipefail. Since before_version="$(failing_pipeline)" is a simple variable assignment, set -e causes the script to exit immediately rather than continuing to the [ -z "$before_version" ] check that was clearly designed to handle this case gracefully. The 2>/dev/null only suppresses stderr, not the exit code.
Reviewed by Cursor Bugbot for commit ada9887. Configure here.
2 participants
Introduces an explicit workflow to generate and publish releases to the oprf-node images, instead of building on every push to main.
Note
Medium Risk
Moderate risk because it changes CI/CD behavior for
oprf-node, including tagging/releases and container publishing conditions, which could impact delivery if misconfigured.Overview
Stops building/publishing the
oprf-nodeimage as part of the genericbuild-dockermatrix, leaving onlyindexerandgatewaythere.Adds two GitHub Actions workflows for
oprf-node: a manualPrepare OPRF Node Releaseworkflow that opens arelease-plzrelease PR, and an on-mainPublish OPRF Node Releaseworkflow that detects aservices/oprf-node/Cargo.tomlversion bump, creates the GitHub release/tag, and then builds/attests and pushesghcr.io/.../world-id-oprf-nodewithlatestand version tags.Bumps
world-id-oprf-nodefrom0.1.0to0.2.0(workspace + lockfile), marks the cratepublish = false, and introducesservices/oprf-noderelease metadata/docs (release-plz.toml,CHANGELOG.md,README.md).Reviewed by Cursor Bugbot for commit ada9887. Bugbot is set up for automated code reviews on this repo. Configure here.