publish sdk to npm

publish SDK to npm

Flow for publishing @trib3/anchor-escrow-sdk and @trib3/anchor-amm-sdk to the npm registry.

Checklist (TL;DR)

Packages

PackagePathCurrent version
@trib3/anchor-escrow-sdkanchor-escrow/sdk/0.1.0
@trib3/anchor-amm-sdkanchor-amm/sdk/0.1.0

Both are scoped under @trib3 and configured for public access (publishConfig.access: "public"). Both build with tsup to dual ESM + CJS with .d.ts types.

One-time setup

npm account + scope

Local login

pnpm login
# or, for granular access tokens:
pnpm login --auth-type=web

Verify:

pnpm whoami
# org membership: check https://www.npmjs.com/settings/<user>/orgs

3. Verify package metadata

Both package.json files should already have:

4. Add SDK READMEs (missing today)

Both packages list README.md in files but neither exists. npm publish will succeed but the package page will be blank. Add minimal READMEs at:

Minimum content: install command, one usage snippet, link back to repo.

5. Add repository, homepage, bugs fields (recommended)

Improves npm page + GitHub linkback. Add to each package.json:

"repository": {
  "type": "git",
  "url": "git+https://github.com/<owner>/Turbin3-Q2-2026.git",
  "directory": "anchor-escrow/sdk"
},
"homepage": "https://github.com/<owner>/Turbin3-Q2-2026/tree/main/anchor-escrow/sdk#readme",
"bugs": "https://github.com/<owner>/Turbin3-Q2-2026/issues"

Pre-publish checklist (every release)

Run from repo root.

# 1. clean install
pnpm install --frozen-lockfile

# 2. build both SDKs
pnpm --filter @trib3/anchor-escrow-sdk build
pnpm --filter @trib3/anchor-amm-sdk build

# 3. inspect dist
ls anchor-escrow/sdk/dist
ls anchor-amm/sdk/dist
# expect: index.cjs, index.cjs.map, index.d.cts, index.d.ts, index.js, index.js.map

# 4. dry-run — see exact tarball contents + size
#    full publish simulation (runs prepublishOnly + checks auth, no upload):
pnpm --filter @trib3/anchor-escrow-sdk publish --dry-run --no-git-checks
pnpm --filter @trib3/anchor-amm-sdk publish --dry-run --no-git-checks

# alternative: pack to tarball + inspect
pnpm --filter @trib3/anchor-escrow-sdk pack
tar tzf anchor-escrow/sdk/trib3-anchor-escrow-sdk-*.tgz
rm anchor-escrow/sdk/trib3-anchor-escrow-sdk-*.tgz

Check the dry-run output for:

Versioning

Use semver. Bump version before publish.

# per package (run from pkg dir)
cd anchor-escrow/sdk && pnpm version patch && cd -      # 0.1.0 -> 0.1.1
cd anchor-escrow/sdk && pnpm version minor && cd -      # 0.1.0 -> 0.2.0
cd anchor-escrow/sdk && pnpm version major && cd -      # 0.1.0 -> 1.0.0

# or pre-release
cd anchor-amm/sdk && pnpm version prerelease --preid=rc && cd -   # 0.1.0 -> 0.1.1-rc.0

pnpm version creates a git tag by default. If you want a single tag per release covering both pkgs, pass --no-git-tag-version and tag manually:

git tag -a sdk-v0.2.0 -m "SDKs 0.2.0"
git push origin sdk-v0.2.0

Rules of thumb while on 0.x:

Keep both SDKs in lockstep only if they ship related changes. Otherwise version independently.

Publishing — Trusted Publishing via GitHub Actions

We publish from CI using npm Trusted Publishing (OIDC). No NPM_TOKEN secret, no 2FA OTP prompts, signed provenance attached to every release.

Each SDK has its own workflow + its own tag prefix so releases are independent:

PackageWorkflowTag prefix
@trib3/anchor-escrow-sdk.github/workflows/publish-escrow-sdk.ymlescrow-sdk-v*
@trib3/anchor-amm-sdk.github/workflows/publish-amm-sdk.ymlamm-sdk-v*

One-time: configure trusted publisher on npm

Do this once per package, before the first publish. Both packages are brand-new, so npm allows pre-configuring the trusted publisher under the @trib3 org.

For each package, on its npm settings page → Publishing accessAdd trusted publisherGitHub Actions:

Fieldescrow valueamm value
Organization or usermael-bomanemael-bomane
RepositoryTurbin3-Q2-2026Turbin3-Q2-2026
Workflow filenamepublish-escrow-sdk.ymlpublish-amm-sdk.yml
Environment name(blank)(blank)

URLs (once the package exists or pre-configured via org @trib3 settings):

npm requires npm CLI >= 11.5.1 on the runner for trusted publishing. Each workflow runs npm install -g npm@latest to guarantee this.

Triggering a publish

Option A — tag-based (recommended for releases)

# escrow only
cd anchor-escrow/sdk && pnpm version patch && cd -
git tag -a escrow-sdk-v0.1.1 -m "anchor-escrow-sdk 0.1.1"
git push origin main --follow-tags

# amm only
cd anchor-amm/sdk && pnpm version patch && cd -
git tag -a amm-sdk-v0.1.1 -m "anchor-amm-sdk 0.1.1"
git push origin main --follow-tags

pnpm version creates a git tag automatically. To use our prefixed tag scheme, either:

Option B — manual dispatch (for pre-release / one-off)

GitHub UI → Actions → pick "Publish anchor-escrow-sdk" or "Publish anchor-amm-sdk" → Run workflow → set dist-tag (latest, next, rc, etc.).

Test publish first

For a pre-release smoke-test, dispatch the workflow with tag: next. Install + verify in a scratch project:

mkdir /tmp/sdk-smoke && cd /tmp/sdk-smoke
pnpm init
pnpm add @trib3/anchor-escrow-sdk@next @solana/kit
node -e "import('@trib3/anchor-escrow-sdk').then(m => console.log(Object.keys(m)))"

Promote to latest:

pnpm dist-tag add @trib3/anchor-escrow-sdk@0.1.1 latest

Manual publish (escape hatch)

If CI is broken and you need to ship hot:

pnpm --filter @trib3/anchor-escrow-sdk publish --no-git-checks --otp=<6-digit-code>
# or
pnpm --filter @trib3/anchor-amm-sdk publish --no-git-checks --otp=<6-digit-code>

Requires you to be added as a publisher on the package on npm. Loses provenance attestation.

Post-publish

pnpm view @trib3/anchor-escrow-sdk
pnpm view @trib3/anchor-amm-sdk

Check:

Push the version-bump commit + tags to GitHub:

git push origin main --follow-tags

Recovery

Unpublish (only within 72 h of publish)

pnpm unpublish @trib3/anchor-escrow-sdk@0.1.0

After 72 h: deprecate instead.

Deprecate a bad version

pnpm deprecate @trib3/anchor-escrow-sdk@0.1.0 "Broken build — use 0.1.1"

Republish same version

Not allowed. Bump patch and republish.