worldcoin · paolodamico · May 12, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
@@ -19,7 +19,6 @@ jobs:
         service:
           - indexer
           - gateway
-          - oprf-node
     permissions:
       contents: read
       id-token: write

@@ -0,0 +1,32 @@
+name: Prepare OPRF Node Release
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  prepare-oprf-node-release:
+    name: Prepare OPRF Node Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9
+        with:
+          toolchain: stable
+
+      - name: Run release-plz release-pr
+        uses: release-plz/action@1528104d2ca23787631a1c1f022abb64b34c1e11 # v0.5.128 (https://github.com/release-plz/action/releases/tag/v0.5.128)
+        with:
+          command: release-pr
+          config: services/oprf-node/release-plz.toml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,123 @@
+name: Publish OPRF Node Release
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+
+jobs:
+  publish-oprf-node-release:
+    name: Publish OPRF Node Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      packages: write
+      attestations: write
+      pull-requests: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Detect merged OPRF node version bump
+        id: version-bump
+        env:
+          BEFORE_SHA: ${{ github.event.before }}
+          AFTER_SHA: ${{ github.sha }}
+        run: |
+          set -euo pipefail
+
+          if git diff --quiet "$BEFORE_SHA" "$AFTER_SHA" -- services/oprf-node/Cargo.toml; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          before_version="$(git show "$BEFORE_SHA:services/oprf-node/Cargo.toml" 2>/dev/null | sed -n 's/^version = "\(.*\)"/\1/p' | head -n1)"
+          after_version="$(sed -n 's/^version = "\(.*\)"/\1/p' services/oprf-node/Cargo.toml | head -n1)"
+
+          if [ -z "$before_version" ] || [ -z "$after_version" ] || [ "$before_version" = "$after_version" ]; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "changed=true" >> "$GITHUB_OUTPUT"
+          echo "from=$before_version" >> "$GITHUB_OUTPUT"
+          echo "to=$after_version" >> "$GITHUB_OUTPUT"
+
+      - name: Install Rust toolchain
+        if: steps.version-bump.outputs.changed == 'true'
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9
+        with:
+          toolchain: stable
+
+      - name: Run release-plz release
+        if: steps.version-bump.outputs.changed == 'true'
+        id: release-plz
+        uses: release-plz/action@1528104d2ca23787631a1c1f022abb64b34c1e11 # v0.5.128 (https://github.com/release-plz/action/releases/tag/v0.5.128)
+        with:
+          command: release
+          config: services/oprf-node/release-plz.toml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Derive image version
+        if: steps.release-plz.outputs.releases_created == 'true'
+        id: version
+        env:
+          RELEASES: ${{ steps.release-plz.outputs.releases }}
+        run: |
+          set -euo pipefail
+          version="$(echo "$RELEASES" | jq -r '.[0].version')"
+          test -n "$version"
+          echo "value=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Docker meta
+        if: steps.release-plz.outputs.releases_created == 'true'
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ghcr.io/${{ github.repository }}/world-id-oprf-node
+          tags: |
+            type=raw,value=latest
+            type=raw,value=${{ steps.version.outputs.value }}
+
+      - name: Set up Docker Buildx
+        if: steps.release-plz.outputs.releases_created == 'true'
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        if: steps.release-plz.outputs.releases_created == 'true'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker Build
+        if: steps.release-plz.outputs.releases_created == 'true'
+        id: docker_build
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: "type=gha,mode=max"
+          platforms: linux/amd64
+          build-args: |
+            SERVICE_NAME=world-id-oprf-node
+            GIT_HASH=${{ github.sha }}
+
+      - name: Attest
+        if: steps.release-plz.outputs.releases_created == 'true'
+        uses: actions/attest-build-provenance@v1
+        with:
+          push-to-registry: true
+          subject-name: ghcr.io/${{ github.repository }}/world-id-oprf-node
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
@@ -155,7 +155,7 @@ world-id-proof = { version = "0.10.2", path = "crates/proof" }
 world-id-registries = { version = "0.10.2", path = "crates/registries" }
 world-id-authenticator = { version = "0.10.2", path = "crates/authenticator" }
 world-id-primitives = { version = "0.10.2", path = "crates/primitives", default-features = false }
-world-id-oprf-node = { version = "0.1.0", path = "services/oprf-node" }
+world-id-oprf-node = { version = "0.2.0", path = "services/oprf-node" }
 world-id-test-utils = { path = "crates/test-utils" }
 world-id-services-common = { path = "services/common" }
 world-id-relay = { path = "services/relay" }

@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to `world-id-oprf-node` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
@@ -1,11 +1,12 @@
 [package]
 name = "world-id-oprf-node"
-version = "0.1.0"
+version = "0.2.0"
 edition.workspace = true
 rust-version.workspace = true
 homepage.workspace = true
 repository.workspace = true
 license.workspace = true
+publish = false
 
 [dependencies]
 alloy = { workspace = true, features = ["full", "rpc", "rpc-client-ws"] }

@@ -0,0 +1,16 @@
+# World ID OPRF Node
+
+The World ID OPRF Node is the protocol's OPRF service implementation. The
+workspace package for the service is `world-id-oprf-node`.
+
+## Releases
+
+`world-id-oprf-node` is released independently from the published Rust crates:
+
+1. Trigger the `Prepare OPRF Node Release` GitHub Actions workflow manually.
+2. Review and merge the generated release PR, which updates the package version
+   and [`CHANGELOG.md`](./CHANGELOG.md).
+3. After the release PR lands on `main`, the `Publish OPRF Node Release`
+   workflow detects the version bump in `Cargo.toml`, creates the
+   `world-id-oprf-node-vX.Y.Z` tag and GitHub release, and publishes the
+   versioned container image while updating the `latest` tag.
@@ -0,0 +1,18 @@
+[workspace]
+git_release_enable = true
+git_release_latest = false
+git_release_type = "auto"
+pr_branch_prefix = "release-plz-oprf-node-"
+pr_labels = ["release"]
+release = false
+release_always = false
+publish = false
+changelog_update = false
+
+[[package]]
+name = "world-id-oprf-node"
+release = true
+publish = false
+git_only = true
+changelog_update = true
+changelog_path = "services/oprf-node/CHANGELOG.md"