IronCoreLabs · giarc3 · Oct 24, 2025 · Oct 22, 2025 · Oct 24, 2025 · Oct 24, 2025
@@ -18,5 +18,5 @@ jobs:
     uses: IronCoreLabs/workflows/.github/workflows/bump-version.yaml@bump-version-v1
     with:
       version: ${{ inputs.version }}
-      release_mode: prerelease
+      release_prereleases: false
     secrets: inherit
@@ -1,24 +1,11 @@
 # Creates and publishes assets for a new release.
-# To manually trigger this workflow, create a release in the GitHub UI.
-
 name: Publish
 
 on:
-  # https://docs.github.com/en/developers/webhooks-and-events/webhook-events-and-payloads#release
   release:
     types:
-      - created
-  # workflow_dispatch is just for testing, and it won't fully work.
+      - created # triggered by Bump Version creating a release
   workflow_dispatch:
-    inputs:
-      name:
-        description: fake version name
-        required: true
-
-env:
-  # hack to get dynlibs working with musl
-  # https://github.com/rust-lang/rust/pull/55163#issuecomment-436631090
-  RUSTFLAGS: -C target-feature=-crt-static
 
 jobs:
   publish-github:
@@ -72,97 +59,50 @@ jobs:
           PRE_GYP_ARCH: ${{ matrix.system.pre_gyp_arch }}
           CARGO_BUILD_TARGET: ${{ matrix.system.target }}
         run: |
-          node publish.js
+          node build.js
           cd bin-package
           echo "asset=$(echo *.tar.gz)" >> "$GITHUB_OUTPUT"
       - name: Upload release asset
         run: gh release upload ${{ github.event.release.tag_name }}${{ github.event.inputs.name }} bin-package/${{ steps.build.outputs.asset }} --clobber
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-  # The # WORKAROUND below doesn't work anymore, actions are forced to use a node20 runtime that doesn't work on alpine
-  # publish-github-docker:
-  #   runs-on: ${{ matrix.os }}
-  #   container:
-  #     image: node:${{ matrix.node_version }}-alpine
-  #   strategy:
-  #     fail-fast: false
-  #     matrix:
-  #       node_version:
-  #         - 20
-  #         - 22
-  #         - 24
-  #       os:
-  #         - ubuntu-24.04
-  #         - ubuntu-24.04-arm
-  #   steps:
-  #     - run: apk add build-base git python3 wget github-cli
-  #     # WORKAROUND
-  #     # https://github.com/actions/runner/issues/801#issuecomment-1374967227
-  #     - run: |
-  #         apk add gcompat
-  #         sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release
-  #     - uses: actions/checkout@v4
-  #       with:
-  #         ref: ${{ github.event.release.tag_name }}${{ github.event.inputs.name }}
-  #     - uses: c-hive/gha-yarn-cache@v2
-  #     - uses: actions-rs/toolchain@v1
-  #       with:
-  #         profile: minimal
-  #         toolchain: stable
-  #         override: true
-  #     - name: Install modules
-  #       run: yarn install --ignore-scripts
-  #     - name: Build
-  #       id: build
-  #       run: |
-  #         node publish.js
-  #         cd bin-package
-  #         echo "asset=$(echo *.tar.gz)" >> "$GITHUB_OUTPUT"
-  #     - name: Upload release asset
-  #       run: |
-  #         git config --global --add safe.directory $(pwd)
-  #         gh release upload ${{ github.event.release.tag_name }}${{ github.event.inputs.name }} bin-package/${{ steps.build.outputs.asset }} --clobber
-  #       env:
-  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  # Release musl binaries
+  publish-github-docker:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        # These Node versions should match those above in the `publish-github` job.
+        node_version:
+          - 20
+          - 22
+          - 24
+        os:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v5
+      - name: Build
+        id: build
+        run: docker build --build-arg NODE_VERSION=${{matrix.node_version}} --output type=local,dest=./host-artifacts .
+      - name: Output
+        run: |
+          cd host-artifacts/out
+          echo "asset=$(echo *.tar.gz)" >> "$GITHUB_OUTPUT"
+      - name: Upload release asset
+        run: |
+          git config --global --add safe.directory $(pwd)
+          gh release upload ${{ github.event.release.tag_name }}${{ github.event.inputs.name }} host-artifacts/out/${{ steps.build.outputs.asset }} --clobber
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   publish-npm:
-    if: "${{ github.event.release.tag_name }}"
     needs:
       - publish-github
-      # - publish-github-docker
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          ref: ${{ github.event.release.tag_name }}
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 24
-          cache: yarn
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - name: Install modules
-        run: yarn install --ignore-scripts
-      - run: npm config set //registry.npmjs.org/:_authToken=$NPM_TOKEN
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-      - name: Publish NPM release
-        run: |
-          set -x
-          # If it's not a simple 1.2.3 version, then it's a prerelease of some kind.
-          if [[ ${{ github.event.release.tag_name }} =~ .*-.* ]] ; then
-            PRE="--prerelease"
-          fi
-          node publish.js --publish "${PRE}"
-      - name: Finalize GitHub release
-        uses: ncipollo/release-action@v1
-        with:
-          token: ${{ secrets.WORKFLOW_PAT }}
-          prerelease: ${{ contains(github.event.release.name, '-') }}
-          allowUpdates: true
-          tag: ${{ github.event.release.tag_name }}
-          name: ${{ github.event.release.name }}
+      - publish-github-docker
+    uses: IronCoreLabs/workflows/.github/workflows/typescript-release.yaml@typescript-release-v1
+    with:
+      pre_publish_steps: "./build.js"
+      publish_working_directory: "dist"
+    secrets: inherit
@@ -15,8 +15,8 @@ jobs:
       matrix:
         rust_version:
           - stable
-        # Uncomment after Rust 1.90.0 comes out: https://github.com/rust-lang/rust/issues/145699
-        #   - beta
+          - beta
+        # These should match those in the `docker-test` job
         node_version:
           - 20
           - 22
@@ -54,35 +54,15 @@ jobs:
         run: yarn run compile
       - name: Run tests
         run: yarn run test
-
-# broken now that node20 is forced even for checkout@v3, which doesn't work using the # WORKAROUND below any more.
-#   test-docker:
-#     runs-on: ${{ matrix.os }}
-#     container:
-#       image: node:${{ matrix.node_version }}-alpine
-#     strategy:
-#       matrix:
-#         rust_version:
-#           - stable
-#           - beta
-#         node_version:
-#           - 20
-#           - 22
-#           - 24
-#         os:
-#           - ubuntu-24.04
-#           - ubuntu-24.04-arm
-#       fail-fast: false
-#     steps:
-#       - run: apk add build-base git python3 wget
-#       - run: echo RUSTFLAGS="-C target-feature=-crt-static" >> "${GITHUB_ENV}"
-#       - uses: actions/checkout@v5
-#       - uses: IronCoreLabs/rust-toolchain@v1
-#         with:
-#           toolchain: ${{ matrix.rust_version }}
-#       - name: Install modules
-#         run: yarn install --ignore-scripts
-#       - name: Compile
-#         run: yarn run compile
-#       - name: Run tests
-#         run: yarn run test
+
+  # Used to create musl binaries
+  docker-test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-24.04, ubuntu-24.04-arm]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v5
+      # These Node versions should match those above in the `test` job.
+      - run: for NODE_VERSION in 20 22 24; do docker build --build-arg NODE_VERSION=$NODE_VERSION .; done
@@ -8,6 +8,7 @@ target
 artifacts.json
 dist/*
 bin-package/*
+host-artifacts/*
 build/*
 .idea/*
 .direnv
@@ -1,3 +1,9 @@
+## 0.11.1
+
+### Changes
+
+- Fix build process issues preventing musl releases.
+
 ## 0.11.0
 
 ### Changes

@@ -0,0 +1,19 @@
+# This Dockerfile produces a musl binary for recrypt-node-binding.
+# It can be built with this command to copy the result out into ./host-artifacts/out
+# docker build --build-arg NODE_VERSION=24 --output type=local,dest=./host-artifacts .
+
+ARG NODE_VERSION=24
+FROM node:${NODE_VERSION}-alpine3.22 AS build
+
+RUN apk add --no-cache \
+    build-base \
+    rust \
+    cargo
+COPY . /app
+WORKDIR /app
+RUN yarn install
+RUN node build.js
+
+FROM scratch AS artifacts
+WORKDIR /out
+COPY --from=build /app/bin-package ./
@@ -1,9 +1,4 @@
-Release Checklist
-=================
+# Release Checklist
 
-* Decide on the new version number and write the CHANGELOG.md entry for the release by looking at the PRs.
-* Commit the `CHANGELOG.md`.
-* Update to the new version number using the [Bump Version](https://github.com/IronCoreLabs/recrypt-node-binding/actions/workflows/bump-version.yaml) workflow. This will be used as the NPM version number.
-* The [Publish](https://github.com/IronCoreLabs/recrypt-node-binding/actions/workflows/publish.yaml) action will automatically publish the release to NPM.
-* Find the release on the [releases](https://github.com/IronCoreLabs/recrypt-node-binding/releases) page, edit it, and mark it
-    as NOT a prerelease.
+-   PR and merge the `CHANGELOG.md` entry for the release by looking at the commits.
+-   Decide on the new version number and run the [Bump Version](https://github.com/IronCoreLabs/recrypt-node-binding/actions/workflows/bump-version.yaml) action. This will create a GitHub release and trigger the Typescript Release action.
@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 /**
- * recrypt-node-binding NPM publish script
+ * recrypt-node-binding NPM build script
  * ==================================
  *
  * This script is responsible for compiling and building the NPM release bundle for this repo. The following steps are taken:
@@ -11,8 +11,7 @@
  * + Compile rust code into index.node file.
  * + Run unit tests to ensure the library is in good shape for publishing.
  * + Move all expected content into a `dist` directory.
- * + Generate a binary distrubtion in `bin-package`.
- * + Do a dry run of npm publishing via irish-pub or perform an actual publish step if `--publish` option is provided.
+ * + Generate a binary distribution in `bin-package`.
  */
 
 const fs = require("fs");
@@ -24,7 +23,6 @@ shell.set("-e");
 //Ensure that our directory is set to the root of the repo
 const rootDirectory = path.dirname(process.argv[1]);
 shell.cd(rootDirectory);
-const shouldPublish = process.argv.slice(2).indexOf("--publish") !== -1;
 const isPreRelease = process.argv.slice(2).indexOf("--prerelease") !== -1;
 
 // Cleanup any previous Rust builds, update deps, and compile
@@ -61,17 +59,4 @@ const replacementPlatform = process.env.PRE_GYP_PLATFORM ? `--target_platform=${
 shell.exec(`${cwd}/node_modules/@mapbox/node-pre-gyp/bin/node-pre-gyp package ${replacementArch} ${replacementPlatform}`);
 var tgz = shell.exec("find ./build -name *.tar.gz");
 shell.cp(tgz, "./bin-package/");
-shell.pushd("./dist");
-
-var publishCmd = "echo 'Skipping publishing to npm...'"
-if (shouldPublish) {
-    publishCmd = "npm publish --access public";
-    // If we're publishing a branch build or prerelease like "1.2.3-pre.4", use "--tag next".
-    if (isPreRelease) {
-        publishCmd += " --tag next";
-    }
-}
-shell.exec(publishCmd);
-shell.popd();
-
-shell.echo("publish.js COMPLETE");
+shell.echo("build.js COMPLETE");
@@ -2,14 +2,14 @@
 
 /**
  * WARNING!
- * 
+ *
  * This file is the bridge between the generated Rust binary and the JavaScript interface users call into.
- * 
- * This file is not generated. Any changes made in the Rust code will need to be propogated out here, either by adding
+ *
+ * This file is not generated. Any changes made in the Rust code will need to be propagated out here, either by adding
  * bare functions to the export declaration at the bottom, or by adding new methods to the Api256 class.
- * 
+ *
  * The `index.d.ts` file is also manually maintained, add any new signatures to it.
- */ 
+ */
 
 const internal = require("./bin-package/index.node");
 

@@ -27,10 +27,11 @@
         "compile": "cargo-cp-artifact -a cdylib recrypt_node ./bin-package/index.node -- cargo build --release --message-format=json-render-diagnostics",
         "clean": "cargo clean && rm -rf dist && rm -rf bin-package && rm -rf build",
         "benchmark": "node benchmark/index.js",
-        "test": "jest --maxWorkers=50%"
+        "test": "jest --maxWorkers=50%",
+        "prepublishOnly": "[ ! -f Cargo.toml ] || (echo \"Cargo.toml mistakenly found. Ensure you're publishing from ./dist.\" && exit 1)"
     },
     "dependencies": {
-        "@mapbox/node-pre-gyp": "^1.0.7"
+        "@mapbox/node-pre-gyp": "^2.0.0"
     },
     "devDependencies": {
         "@types/node": "^16.11.11",