From db7c75752d67183669dd0bcb50ed3ec5e36d879c Mon Sep 17 00:00:00 2001 From: pd Date: Tue, 12 May 2026 13:44:20 -0700 Subject: [PATCH 1/3] chore: explicit oprf-node release --- .github/workflows/build-docker.yml | 1 - .../workflows/prepare-oprf-node-release.yml | 32 +++++ .github/workflows/release-oprf-node.yml | 122 ++++++++++++++++++ services/oprf-node/CHANGELOG.md | 8 ++ services/oprf-node/Cargo.toml | 3 +- services/oprf-node/README.md | 16 +++ services/oprf-node/release-plz.toml | 18 +++ 7 files changed, 198 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/prepare-oprf-node-release.yml create mode 100644 .github/workflows/release-oprf-node.yml create mode 100644 services/oprf-node/CHANGELOG.md create mode 100644 services/oprf-node/README.md create mode 100644 services/oprf-node/release-plz.toml diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 0420490f9..09d8e3cce 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -19,7 +19,6 @@ jobs: service: - indexer - gateway - - oprf-node permissions: contents: read id-token: write diff --git a/.github/workflows/prepare-oprf-node-release.yml b/.github/workflows/prepare-oprf-node-release.yml new file mode 100644 index 000000000..37277b11d --- /dev/null +++ b/.github/workflows/prepare-oprf-node-release.yml 
@@ -0,0 +1,32 @@
+name: Prepare OPRF Node Release
+
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ prepare-oprf-node-release:
+ name: Prepare OPRF Node Release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Install Rust toolchain
+ uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9
+ with:
+ toolchain: stable
+
+ - name: Run release-plz release-pr
+ uses: release-plz/action@1528104d2ca23787631a1c1f022abb64b34c1e11 # v0.5.128 (https://github.com/release-plz/action/releases/tag/v0.5.128)
+ with:
+ command: release-pr
+ config: services/oprf-node/release-plz.toml
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-oprf-node.yml b/.github/workflows/release-oprf-node.yml
new file mode 100644
index 000000000..fdadeda41
--- /dev/null
+++ b/.github/workflows/release-oprf-node.yml
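Review bot: `uses: actions/checkout@v6` is pinned to a mutable tag, while the other two actions in this job are pinned to full commit SHAs and the workflow grants `contents: write` and `pull-requests: write`. Pin it the same way the release-plz step is pinned, e.g. `uses: actions/checkout@<full-commit-sha> # v6`. The same applies in release-oprf-node.yml to `actions/checkout@v6`, `docker/metadata-action@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v2`, `docker/build-push-action@v6` and `actions/attest-build-provenance@v1`, where the job additionally holds `packages: write`, `id-token: write` and `attestations: write`. The checkout also leaves the token in the local git config for every later step; if release-plz works from the `GITHUB_TOKEN` env it is already given, adding `persist-credentials: false` to the checkout would narrow that exposure (confirm against the release-plz action docs).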
@@ -0,0 +1,122 @@
+name: Publish OPRF Node Release
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+
+jobs:
+ publish-oprf-node-release:
+ name: Publish OPRF Node Release
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ packages: write
+ attestations: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Detect merged OPRF node version bump
+ id: version-bump
+ env:
+ BEFORE_SHA: ${{ github.event.before }}
+ AFTER_SHA: ${{ github.sha }}
+ run: |
+ set -euo pipefail
+
+ if git diff --quiet "$BEFORE_SHA" "$AFTER_SHA" -- services/oprf-node/Cargo.toml; then
+ echo "changed=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
+
+ before_version="$(git show "$BEFORE_SHA:services/oprf-node/Cargo.toml" 2>/dev/null | sed -n 's/^version = "\(.*\)"/\1/p' | head -n1)"
+ after_version="$(sed -n 's/^version = "\(.*\)"/\1/p' services/oprf-node/Cargo.toml | head -n1)"
+
+ if [ -z "$before_version" ] || [ -z "$after_version" ] || [ "$before_version" = "$after_version" ]; then
+ echo "changed=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
+
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ echo "from=$before_version" >> "$GITHUB_OUTPUT"
+ echo "to=$after_version" >> "$GITHUB_OUTPUT"
+
+ - name: Install Rust toolchain
+ if: steps.version-bump.outputs.changed == 'true'
+ uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9
+ with:
+ toolchain: stable
+
+ - name: Run release-plz release
+ if: steps.version-bump.outputs.changed == 'true'
+ id: release-plz
+ uses: release-plz/action@1528104d2ca23787631a1c1f022abb64b34c1e11 # v0.5.128 (https://github.com/release-plz/action/releases/tag/v0.5.128)
+ with:
+ command: release
+ config: services/oprf-node/release-plz.toml
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Derive image version
+ if: steps.release-plz.outputs.releases_created == 'true'
+ id: version
+ env:
+ RELEASES: ${{ steps.release-plz.outputs.releases }}
+ run: |
+ set -euo pipefail
+ version="$(echo "$RELEASES" | jq -r '.[0].version')"
+ test -n "$version"
+ echo "value=$version" >> "$GITHUB_OUTPUT"
+
+ - name: Docker meta
+ if: steps.release-plz.outputs.releases_created == 'true'
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/${{ github.repository }}/world-id-oprf-node
+ tags: |
+ type=raw,value=latest
+ type=raw,value=${{ steps.version.outputs.value }}
+
+ - name: Set up Docker Buildx
+ if: steps.release-plz.outputs.releases_created == 'true'
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to GitHub Container Registry
+ if: steps.release-plz.outputs.releases_created == 'true'
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Docker Build
+ if: steps.release-plz.outputs.releases_created == 'true'
+ id: docker_build
+ uses: docker/build-push-action@v6
+ with:
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: "type=gha,mode=max"
+ platforms: linux/amd64
+ build-args: |
+ SERVICE_NAME=world-id-oprf-node
+ GIT_HASH=${{ github.sha }}
+
+ - name: Attest
+ if: steps.release-plz.outputs.releases_created == 'true'
+ uses: actions/attest-build-provenance@v1
+ with:
+ push-to-registry: true
+ subject-name: ghcr.io/${{ github.repository }}/world-id-oprf-node
+ subject-digest: ${{ steps.docker_build.outputs.digest }}
diff --git a/services/oprf-node/CHANGELOG.md b/services/oprf-node/CHANGELOG.md
new file mode 100644
index 000000000..55172db1c
--- /dev/null
+++ b/services/oprf-node/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to `world-id-oprf-node` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
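Review bot: In the "Derive image version" step of release-oprf-node.yml, `test -n "$version"` does not catch a missing version, because `jq -r '.[0].version'` prints the literal string `null` when the array is empty or the field is absent. The image would then be pushed and attested under the tag `null` alongside `latest`. Use `version="$(echo "$RELEASES" | jq -er '.[0].version')"` so jq exits non-zero on null and `pipefail` stops the step; it is also worth comparing the result with the `to` output of the version-bump step, which is written but never read in this file. Separately, `cache-from: type=gha` feeds a build whose digest is then attested, so layers written by other runs may end up in the release image; building release images without the shared cache is the safer default.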
diff --git a/services/oprf-node/Cargo.toml b/services/oprf-node/Cargo.toml index bf3d93536..dc6d9c5ff 100644 --- a/services/oprf-node/Cargo.toml +++ b/services/oprf-node/Cargo.toml @@ -1,11 +1,12 @@ [package] name = "world-id-oprf-node" -version = "0.1.0" +version = "0.2.0" edition.workspace = true rust-version.workspace = true homepage.workspace = true repository.workspace = true license.workspace = true +publish = false [dependencies] alloy = { workspace = true, features = ["full", "rpc", "rpc-client-ws"] } diff --git a/services/oprf-node/README.md b/services/oprf-node/README.md new file mode 100644 index 000000000..497ceef4a --- /dev/null +++ b/services/oprf-node/README.md @@ -0,0 +1,16 @@ +# World ID OPRF Node + +The World ID OPRF Node is the protocol's OPRF service implementation. The +workspace package for the service is `world-id-oprf-node`. + +## Releases + +`world-id-oprf-node` is released independently from the published Rust crates: + +1. Trigger the `Prepare OPRF Node Release` GitHub Actions workflow manually. +2. Review and merge the generated release PR, which updates the package version + and [`CHANGELOG.md`](./CHANGELOG.md). +3. After the release PR lands on `main`, the `Publish OPRF Node Release` + workflow detects the version bump in `Cargo.toml`, creates the + `world-id-oprf-node-vX.Y.Z` tag and GitHub release, and publishes the + versioned container image while updating the `latest` tag. diff --git a/services/oprf-node/release-plz.toml b/services/oprf-node/release-plz.toml new file mode 100644 index 000000000..3aad1d038 --- /dev/null +++ b/services/oprf-node/release-plz.toml 
@@ -0,0 +1,18 @@ +[workspace] +git_release_enable = true +git_release_latest = false +git_release_type = "auto" +pr_branch_prefix = "release-oprf-node-" +pr_labels = ["release"] +release = false +release_always = false +publish = false +changelog_update = false + +[[package]] +name = "world-id-oprf-node" +release = true +publish = false +git_only = true +changelog_update = true +changelog_path = "services/oprf-node/CHANGELOG.md" From ae186576220aa169109d34cd2f025765c69dbed8 Mon Sep 17 00:00:00 2001 From: pd Date: Tue, 12 May 2026 14:16:52 -0700 Subject: [PATCH 2/3] bump --- Cargo.lock | 2 +- Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 452238f03..1a033eb3c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -12541,7 +12541,7 @@ dependencies = [ [[package]] name = "world-id-oprf-node" -version = "0.1.0" +version = "0.2.0" dependencies = [ "alloy", "ark-bn254 0.5.0", diff --git a/Cargo.toml b/Cargo.toml index 5c8155026..2d791ca08 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -155,7 +155,7 @@ world-id-proof = { version = "0.10.2", path = "crates/proof" } world-id-registries = { version = "0.10.2", path = "crates/registries" } world-id-authenticator = { version = "0.10.2", path = "crates/authenticator" } world-id-primitives = { version = "0.10.2", path = "crates/primitives", default-features = false } -world-id-oprf-node = { version = "0.1.0", path = "services/oprf-node" } +world-id-oprf-node = { version = "0.2.0", path = "services/oprf-node" } world-id-test-utils = { path = "crates/test-utils" } world-id-services-common = { path = "services/common" } world-id-relay = { path = "services/relay" } From ada9887a40255ce7e8576cbca4e0442c049d887d Mon Sep 17 00:00:00 2001 From: pd Date: Tue, 12 May 2026 14:18:35 -0700 Subject: [PATCH 3/3] stash --- .github/workflows/release-oprf-node.yml | 1 + services/oprf-node/release-plz.toml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/release-oprf-node.yml b/.github/workflows/release-oprf-node.yml index fdadeda41..fc08a8372 100644 --- a/.github/workflows/release-oprf-node.yml +++ b/.github/workflows/release-oprf-node.yml @@ -17,6 +17,7 @@ jobs: id-token: write packages: write attestations: write + pull-requests: read steps: - name: Checkout code uses: actions/checkout@v6 diff --git a/services/oprf-node/release-plz.toml b/services/oprf-node/release-plz.toml index 3aad1d038..77293198f 100644 --- a/services/oprf-node/release-plz.toml +++ b/services/oprf-node/release-plz.toml @@ -2,7 +2,7 @@ git_release_enable = true git_release_latest = false git_release_type = "auto" -pr_branch_prefix = "release-oprf-node-" +pr_branch_prefix = "release-plz-oprf-node-" pr_labels = ["release"] release = false release_always = false