feat(proto): publish protos on BSR and npmjs #162

Open
Vritra4 wants to merge 8 commits into main from feat/proto-actions
@Vritra4 Vritra4 commented Sep 17, 2025

Description

To publish proto definitions on BSR and npmjs.com.


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title, you can find examples of the prefixes below:
  • confirmed ! in the type prefix if API or client breaking change
  • targeted the correct branch
  • provided a link to the relevant issue or specification
  • reviewed "Files changed" and left comments if necessary
  • included the necessary unit and integration tests
  • updated the relevant documentation or specification, including comments for documenting Go code
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic, API design and naming, documentation is accurate, tests and test coverage

Summary by CodeRabbit

  • Chores
    • Added a CI workflow to run protobuf tooling and publish generated packages; added generation config and ignore rules for generated artifacts.
  • New Features
    • Publishable npm package with TypeScript definitions for protobufs.
    • Added a new DenomPair protobuf message.
  • Documentation
    • Added docs describing the npm package, install/use instructions, and peer dependency notes.

@Vritra4 Vritra4 requested a review from a team as a code owner September 17, 2025 05:20
coderabbitai bot commented Sep 17, 2025

Walkthrough

Adds a GitHub Actions "Protobuf" workflow to generate and publish JS/TS from proto, updates Buf module config and generation settings, introduces an npm package for generated protos, adds a new protobuf message DenomPair, and removes an unused proto import.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| CI/CD: Protobuf workflow | .github/workflows/proto.yml | New workflow "Protobuf": triggers on pushes/tags/PRs for proto/**; buf-build runs buf-action; npm-publish generates JS/TS with protoc-gen-es, sets versions (tag→release, main→canary), and publishes to npm. |
| Buf module config | proto/buf.yaml | Module path lowercased to buf.build/initia-labs/opinit; added deps for buf.build/cosmos/gogo-proto and buf.build/googleapis/googleapis; lint use set to STANDARD; added enum naming lint exceptions. |
| Buf.gen config & docs | proto/buf.gen.es.yaml, proto/buf.md | Added ES generation config (plugin es, target=js+dts, import_extension=js) and docs describing the generated npm package and peer dependency on @bufbuild/protobuf v2. |
| npm package for generated proto | proto/npm/package.json, proto/npm/.gitignore | Added package manifest (module, exports, Node>=22, peerDep on @bufbuild/protobuf ^2.0.0) and .gitignore entries for generated JS/DTS, node_modules, and several proto-related dirs. |
| Protobuf schema & docs | proto/opinit/opchild/v1/types.proto, proto/opinit/opchild/v1/query.proto | Added message DenomPair { string denom = 1; string base_denom = 2; }; added a documentation comment above the BaseDenom RPC (no RPC/signature changes). |
| Proto import cleanup | proto/opinit/ophost/v1/tx.proto | Removed unused import google/protobuf/timestamp.proto. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as "GitHub Actions"
  participant Runner as "Runner (ubuntu-latest)"
  participant BufAction as "buf-action"
  participant NodeBuilder as "Node + protoc-gen-es"
  participant BufRegistry as "buf.build"
  participant NpmRegistry as "npm"

  Dev->>GH: Push / Tag (v*) / PR touching proto/**
  GH->>Runner: Start jobs (buf-build, npm-publish)
  Runner->>Runner: checkout, setup
  Runner->>BufAction: run buf generate/check (inputs: proto, BUF_TOKEN)
  BufAction->>BufRegistry: validate/generate module
  BufRegistry-->>BufAction: response
  BufAction-->>Runner: generated artifacts
  Runner->>NodeBuilder: setup Node, install protoc-gen-es, generate JS/TS
  NodeBuilder->>Runner: package artifacts, set version (tag→release / main→canary)
  Runner->>NpmRegistry: publish package (tag)
  NpmRegistry-->>Runner: publish result
  Runner-->>GH: Job results

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I hop through proto fields at dawn,
Lowercase names where names were drawn.
CI hums, JS and types take flight,
Packaged with care in morning light. 🥕🐇

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: publishing protobuf definitions to BSR (Buf Schema Registry) and npmjs, which is directly supported by the workflow and configuration additions throughout the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (5)
.github/workflows/proto.yml (5)

2-4: Comment contradicts actual triggers and disabled checks

The header says this runs fmt/lint/breaking and “only when a .proto file has been changed”, but the workflow disables those checks and also triggers on tags and releases (which aren’t path-filtered). Update the comment or adjust triggers accordingly.


13-17: Release trigger likely does nothing with current config

With format/lint/breaking disabled and push intended for Git pushes only, the release event won’t meaningfully execute buf-action. Remove it or add specific steps for releases. (github.com)


24-26: Timeout may be too tight

Pushing/BSR ops can exceed 5 minutes on cold runners or larger modules. Consider 10–15 minutes.

-    timeout-minutes: 5
+    timeout-minutes: 10

28-35: buf-action inputs: good start; harden by disabling PR comments and preventing accidental BSR repo creation

  • token/input keys are correct for buf-action@v1.
  • Add pr_comment: false to avoid needing PR write perms.
  • Consider push_disable_create: true to avoid creating BSR repos implicitly. (github.com)

Apply this diff:

       - uses: bufbuild/buf-action@v1
         with:
           input: proto
           token: ${{ secrets.BUF_TOKEN }}
           format: false
           lint: false
           breaking: false
           push: true
+          pr_comment: false
+          push_disable_create: true
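
Review bot: `push: true` on the `bufbuild/buf-action@v1` step is unconditional, so the step will attempt a BSR push with `secrets.BUF_TOKEN` on every event that starts this job, and the walkthrough above lists pull requests among the triggers. Gate it on the event, for example `push: ${{ github.event_name == 'push' }}`, so pull-request runs only build, and keep `push_disable_create: true` so a mistyped module name cannot create a new BSR repository.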

35-35: Add newline at EOF

YAMLlint flags the missing trailing newline.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 1c8ee7f and 1cb4ab2.

📒 Files selected for processing (1)
  • .github/workflows/proto.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/proto.yml

[error] 35-35: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: spellcheck
  • GitHub Check: Analyze (go)
🔇 Additional comments (2)
.github/workflows/proto.yml (2)

27-27: actions/checkout@v5 is valid

v5 exists and is the current major. Keep it. (github.com)


28-32: Secret setup check

Ensure repository/org secret BUF_TOKEN is present and scoped to this repo/environment; without it, pushes to BSR will fail.

@Vritra4 Vritra4 marked this pull request as draft September 26, 2025 05:13
github-actions bot commented Mar 11, 2026

The latest Buf updates on your PR. Results from workflow Protobuf / buf-build (pull_request).

| Build | Format | Lint | Breaking | Updated (UTC) |
|---|---|---|---|---|
| ✅ passed | ✅ passed | ✅ passed | ⏩ skipped | Mar 13, 2026, 7:55 AM |

@Vritra4 Vritra4 changed the title from "feat(proto): publish protos on BSR" to "feat(proto): publish protos on BSR and npmjs" Mar 12, 2026
@Vritra4 Vritra4 requested a review from songwongtp March 13, 2026 02:52
@Vritra4 Vritra4 marked this pull request as ready for review March 13, 2026 02:52
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/proto.yml (1)

16-18: ⚠️ Potential issue | 🟠 Major

Reduce workflow-level token scope to least privilege.

contents: write is broader than required here; keep write scopes only where strictly needed.

🔐 Proposed permission tightening
 permissions:
-  contents: write
+  contents: read
   pull-requests: write
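
Review bot: `pull-requests: write` is still granted at workflow level after this change, so every job in the file inherits it, including the job that runs `npm publish`. Move it into a job-level `permissions:` block on the buf job only, and drop it altogether if `pr_comment: false` is adopted as suggested earlier in this thread, since nothing else shown here writes to pull requests.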
For bufbuild/buf-action@v1, what are the recommended GitHub workflow permissions for lint/build/push, and when is contents: write actually required?
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/proto.yml around lines 16 - 18, The workflow-level
permissions are too broad: change the permissions block in
.github/workflows/proto.yml to the least privilege by replacing contents: write
with contents: read (or removing it) and only grant write scopes on the specific
job/step that actually needs them; keep pull-requests: write only if the
workflow creates PRs, otherwise drop or change to read; update any job-level
permissions or steps that perform bufbuild/buf-action push operations to request
write there and verify bufbuild/buf-action required scopes in its docs to
confirm whether contents: write is necessary for lint/build/push.
🧹 Nitpick comments (2)
.github/workflows/proto.yml (1)

25-26: Pin external actions to commit SHAs instead of version tags for stronger supply-chain security.

Using version tags (@v6, @v1) is convenient but mutable and vulnerable to supply chain attacks. Pin to commit SHAs for immutable references.

Lines affected:

  • 25-26: actions/checkout@v6, bufbuild/buf-action@v1
  • 41-43: actions/checkout@v6, actions/setup-node@v6
  • 48: bufbuild/buf-setup-action@v1
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/proto.yml around lines 25 - 26, Replace mutable action
tags with immutable commit SHAs for the external GitHub Actions used in this
workflow: update the usages of "actions/checkout@v6" (both occurrences),
"bufbuild/buf-action@v1", "actions/setup-node@v6", and
"bufbuild/buf-setup-action@v1" to pinned commit SHAs (e.g.,
"actions/checkout@<commit-sha>") by looking up the canonical commit SHA for the
desired release in each action's repository and substituting the tag with that
SHA; ensure each occurrence is replaced so all four action references are pinned
to specific commits.
proto/npm/package.json (1)

16-18: Consider relaxing engines.node to >=20 to match upstream support.

@bufbuild/protobuf v2 and @bufbuild/protoc-gen-es v2 officially support Node.js 20.x, 22.x, and 24.x. The current requirement of >=22 unnecessarily restricts installation on Node 20 LTS.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@proto/npm/package.json` around lines 16 - 18, Update the Node engine
requirement in package.json by relaxing the "engines.node" field from ">=22" to
">=20" so it matches upstream support for `@bufbuild/protobuf` v2 and
`@bufbuild/protoc-gen-es` v2; locate the "engines" object (the "engines.node"
property) in proto/npm/package.json and change its value accordingly, and run
npm install / CI to verify no other toolings require a higher Node version.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@proto/buf.md`:
- Around line 18-20: The ESM import examples import
"@initia/opinit-proto/opinit/ophost/v1/tx_pb" and
"@initia/opinit-proto/opinit/opchild/v1/tx_pb" without the required .js
extension; update those import specifiers (the lines importing
MsgRecordBatchSchema and MsgFinalizeTokenDepositSchema) to include the .js
suffix (e.g., append ".js") so the examples match the generator's
import_extension=js and will resolve in Node ESM environments.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c8297939-f71f-4687-b687-02ccf431974c

📥 Commits

Reviewing files that changed from the base of the PR and between 6101293 and 6635126.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (9)
  • .github/workflows/proto.yml
  • proto/buf.gen.es.yaml
  • proto/buf.md
  • proto/buf.yaml
  • proto/npm/.gitignore
  • proto/npm/package.json
  • proto/opinit/opchild/v1/query.proto
  • proto/opinit/opchild/v1/types.proto
  • proto/opinit/ophost/v1/tx.proto
💤 Files with no reviewable changes (1)
  • proto/opinit/ophost/v1/tx.proto
✅ Files skipped from review due to trivial changes (1)
  • proto/opinit/opchild/v1/query.proto
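
An added example, not part of the PR or of CodeRabbit's review: a stdlib-only Python check for the two workflow findings in the review above (actions referenced by a mutable tag instead of a commit SHA, and `write` scopes granted at workflow level). The function names are hypothetical, the sample workflow text is constructed for illustration, and the SHA in it is a placeholder.

```python
import re

# Constructed sample modelled on the findings in this thread; it is not the
# PR's actual proto.yml, and the 40-hex SHA below is a placeholder.
SAMPLE_WORKFLOW = """\
name: Protobuf
on:
  push:
    branches:
      - main
permissions:
  contents: write
  pull-requests: write
jobs:
  buf-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: bufbuild/buf-action@v1
        with:
          input: proto
  npm-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions/setup-node@v6
      - uses: ./.github/actions/local
"""

# Value of a `uses:` key, with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(text):
    """Return (line_no, ref) for each external action not pinned to a full commit SHA."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions live in the repo itself; container images are pinned
        # by digest, which is a separate check not covered here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((no, ref))
    return findings


def workflow_level_write_scopes(text):
    """Return the scopes granted `write` by the top-level `permissions:` key."""
    scopes, in_block = [], False
    for line in text.splitlines():
        if not in_block:
            m = re.match(r"^permissions:\s*(\S*)", line)  # column 0 = workflow level
            if m:
                if m.group(1) == "write-all":
                    return ["write-all"]
                in_block = True
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            break  # the next top-level key ends the block
        m = re.match(r"\s+([\w-]+):\s*write\b", line)
        if m:
            scopes.append(m.group(1))
    return scopes


if __name__ == "__main__":
    for no, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {no}: {ref} is not pinned to a commit SHA")
    print("workflow-level write scopes:", workflow_level_write_scopes(SAMPLE_WORKFLOW))
```
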

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/proto.yml (1)

6-11: ⚠️ Potential issue | 🟡 Minor

Missing paths filter for push to main branch

The push trigger for main branch lacks a paths filter, causing this workflow to run on every push to main, not just proto changes. The paths filter only applies to pull_request.

Proposed fix to add paths filter
 on:
   push:
     branches:
       - main
     tags:
       - 'v*'
+    paths:
+      - "proto/**"
+      - ".github/workflows/proto.yml"
   pull_request:
     paths:
       - "proto/**"
       - ".github/workflows/proto.yml"

Note: As flagged in a previous review, GitHub ignores paths filters for tag pushes, so v* tags will still trigger this workflow regardless of changes.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/proto.yml around lines 6 - 11, The push trigger currently
defined under "on: push" with "branches: - main" and "tags: - 'v*'" runs on
every push to main; add a paths filter to the push trigger so the workflow only
runs for proto changes (e.g., add a "paths:" block under the push -> branches: -
main section listing the proto files/globs you care about), keep the existing
tag trigger (tags: - 'v*') noting tags will still trigger regardless of paths,
and verify the modified "on: push" block (the push/branches/tags entries) is
syntactically valid in .github/workflows/proto.yml.
🧹 Nitpick comments (1)
.github/workflows/proto.yml (1)

51-52: Consider pinning protoc-gen-es version for reproducible builds

Using @^2 allows any 2.x version, which could lead to inconsistent generated code across builds if the package updates.

Proposed fix to pin version
       - name: Install protoc-gen-es
-        run: npm install -g `@bufbuild/protoc-gen-es`@^2
+        run: npm install -g `@bufbuild/protoc-gen-es`@2.2.3
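
Review bot: the back-quote characters around @bufbuild/protoc-gen-es on both the `-` and `+` lines look like rendering debris, and if the `+` line is copied into the `run:` step as shown, the shell will treat them as command substitution; the committed command should be `npm install -g @bufbuild/protoc-gen-es@2.2.3` without them. An exact version on a global install still leaves the plugin's transitive dependencies floating, so the devDependency route mentioned below, with a committed lockfile and `npm ci`, is the stronger choice for a job that publishes a package.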

Alternatively, define the dependency in proto/npm/package.json as a devDependency with an exact version and use npx or a local binary path.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/proto.yml around lines 51 - 52, The workflow currently
installs protoc-gen-es with a floating range (`@bufbuild/protoc-gen-es`@^2); pin
it to an exact version for reproducible builds (e.g., change the install
invocation to use a specific version like `@bufbuild/protoc-gen-es`@2.x.y) or
instead add "@bufbuild/protoc-gen-es": "2.x.y" as a devDependency in
proto/npm/package.json and invoke it via npx (or the local node_modules binary)
in the GitHub Actions step; update the step that references protoc-gen-es to use
the chosen pinned version or npx/local path and run the workflow to verify
codegen remains identical across runs.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/proto.yml:
- Around line 70-78: The two publish jobs ("Publish (latest)" and "Publish
(canary)") are missing npm auth and will fail; update the workflow to provide
NODE_AUTH_TOKEN for npm by either adding an actions/setup-node step configured
with the registry-url and auth token (using secrets.NPM_TOKEN) before publishing
or by adding environment variable NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} to
each publish step so npm publish can authenticate; ensure you reference and use
the existing "Publish (latest)" and "Publish (canary)" steps when inserting the
token configuration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 15308595-f54d-47c5-9a2b-055b29cce597

📥 Commits

Reviewing files that changed from the base of the PR and between 6635126 and 3ef253c.

📒 Files selected for processing (2)
  • .github/workflows/proto.yml
  • proto/buf.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • proto/buf.md

Comment on lines +70 to +78
- name: Publish (latest)
if: startsWith(github.ref, 'refs/tags/v')
working-directory: proto/npm
run: npm publish --access public

- name: Publish (canary)
if: github.ref == 'refs/heads/main'
working-directory: proto/npm
run: npm publish --access public --tag canary No newline at end of file
⚠️ Potential issue | 🔴 Critical

Missing NODE_AUTH_TOKEN for npm publish authentication

Both publish steps will fail with authentication errors because NODE_AUTH_TOKEN is not set. When using setup-node with registry-url, you must provide this token for npm publish to authenticate.

Proposed fix to add authentication
       - name: Publish (latest)
         if: startsWith(github.ref, 'refs/tags/v')
         working-directory: proto/npm
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish --access public

       - name: Publish (canary)
         if: github.ref == 'refs/heads/main'
         working-directory: proto/npm
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish --access public --tag canary
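
Review bot: both publish steps receive the same long-lived `secrets.NPM_TOKEN`, and the canary step runs for every workflow run on `refs/heads/main`, so the token is exposed far more often than the tagged releases need. Use a granular npm access token limited to publishing this one package, keep the `env:` on these two steps only as the hunk does rather than at job level, and consider adding `--provenance` to both `npm publish` commands (with `id-token: write` on the job) so consumers can verify the package was built by this workflow.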

Ensure NPM_TOKEN is configured in repository secrets with publish permissions.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Publish (latest)
if: startsWith(github.ref, 'refs/tags/v')
working-directory: proto/npm
run: npm publish --access public
- name: Publish (canary)
if: github.ref == 'refs/heads/main'
working-directory: proto/npm
run: npm publish --access public --tag canary
- name: Publish (latest)
if: startsWith(github.ref, 'refs/tags/v')
working-directory: proto/npm
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --access public
- name: Publish (canary)
if: github.ref == 'refs/heads/main'
working-directory: proto/npm
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --access public --tag canary