fix(ci): publish-packages workflow options and include hdwallet

[kaladinlight]

Description

Two-part fix to the publish-packages workflow added in #12371.

1. pnpm option position

The first run of the workflow failed with:

ERROR  Unknown option: 'workspace-concurrency'

--workspace-concurrency and --filter are recursive options, not publish flags. They have to sit between -r and the publish subcommand; everything after publish is parsed as a publish-command flag. Reordered accordingly:

pnpm -r \
  --workspace-concurrency=1 \
  --filter './packages/*' \
  --filter '!@shapeshiftoss/web' \
  publish \
  --access public \
  --no-git-checks

2. Include hdwallet-* in this workflow

The original workflow excluded @shapeshiftoss/hdwallet-* on the basis that they were "versioned by a separate process". That was true when hdwallet lived in its own repo, but #11811 absorbed it into this monorepo in February — there is no separate publish process anymore.

Concrete consequence today:

• hdwallet-core@1.62.41 was last published to npm on 2026-01-17, from the old repo.
• Since absorption, ~3 months of changes have landed in packages/hdwallet-* (phantom EIP-1474 fix, bebop solana signing, bitcoin wcv2 support, axios bump, etc.) — none are on npm.
• The local tsc --build compiles chain-adapters/swapper dist/ against the newer hdwallet sources, so consumers installing chain-adapters@11.3.9 get JS/types that assume APIs paired with hdwallet-core@^1.62.41 resolving to the old January code on npm. Silent breakage waiting to happen.

This PR drops the !@shapeshiftoss/hdwallet-* filter from both the publish step and the tagger. Private packages (hdwallet-integration, hdwallet-sandbox) are still skipped automatically.

3. Corrected misleading comment

The --workspace-concurrency=1 comment claimed it was about workspace:^ resolution. It isn't — pnpm publish always rewrites workspace:^ from the local package.json regardless of order. The real reason for sequential publishing is registry consistency: dependency reaches npm before dependent is published, so users installing during the publish window don't hit a missing dep. Comment updated to match reality.

Issue (if applicable)

closes #

Risk

What protocols, transaction types, wallets or contract interactions might be affected by this PR?

CI-only change. No runtime/UI impact in this repo. Downstream consumers of @shapeshiftoss/* npm packages will start receiving correct hdwallet-* versions once those packages are bumped in a follow-up PR (current 1.62.41 is already on npm, so this PR alone is a no-op for hdwallet).

Testing

Engineering

Required follow-ups before this workflow can actually publish hdwallet packages:

• Trusted Publisher configs for all 22 non-private hdwallet-* packages on npmjs.com (org=shapeshift, repo=web, workflow=publish-packages.yml). Without these, the first hdwallet publish will fail with Trusted publisher configuration not found.
• Tag bootstrap: 22 hdwallet-*-v1.62.41 annotated tags pushed to origin at the migration commit 4b625a5278. Verified via git ls-remote --tags origin 'refs/tags/hdwallet-*-v1.62.41' | wc -l → 22. Prevents the tagger from incorrectly tagging develop HEAD on first run.
• Version bumps: To actually ship the accumulated changes, a follow-up PR needs to bump hdwallet-* versions in lockstep (e.g., 1.62.41 → 1.63.0 across all 22).

Workflow correctness can be sanity-checked locally:

pnpm -r --workspace-concurrency=1 --filter './packages/*' --filter '!@shapeshiftoss/web' publish --dry-run --no-git-checks

Operations

• 🏁 My feature is behind a flag and doesn't require operations testing (yet)

CI-only workflow change. End-user impact depends on the follow-up version-bump PR, not this one.

Screenshots (if applicable)

n/a

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@kaladinlight has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 35 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9b21f9d3-78d8-43b7-949d-747af2774665

📥 Commits

Reviewing files that changed from the base of the PR and between be1cb72 and ccc5ec7.

📒 Files selected for processing (1)

• .github/workflows/publish-packages.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/publish-packages-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}