ci: add release-plz for crates.io publishing #69
Add release-plz alongside cargo-dist to automate crates.io publishing. release-plz handles version bumping, changelog generation, and crate publishing via OIDC trusted publishing (no token secret needed). cargo-dist continues to handle binary builds, Homebrew, SBOM, and GitHub Releases -- triggered by the git tags release-plz creates.
- Add release-plz.toml (git_release_enable=false, delegates to cargo-dist)
- Add .github/workflows/release-plz.yml (official quickstart pattern)
- Update release-process.md to document the two-tool pipeline
- Pin release-plz v0.3.155 in mise.toml
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
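The two-job pipeline the PR describes, written out as an added example of the release-plz quickstart shape with the settings discussed in this review (this is not the PR's own release-plz.yml). It takes the SHA-pinned actions/checkout and jdx/mise-action refs from the diff lines quoted further down; the repository owner `unclesp1d3r` in the `if:` guards, the tag-only refs for release-plz/action and rust-lang/crates-io-auth-action, and the use of rust-lang/crates-io-auth-action as the OIDC-to-crates.io token exchange are assumptions. The matching release-plz.toml would carry `git_release_enable = false`, `git_tag_enable = true` and `semver_check = true` under `[workspace]`, as the PR's description of that file implies.

```yaml
# Added example of a release-plz workflow; not the PR's own file.
# Assumed: repository owner `unclesp1d3r`, OIDC exchange via
# rust-lang/crates-io-auth-action, and tag refs where no SHA is known.
name: release-plz

on:
  push:
    branches: [main]

# Start from no permissions; each job requests exactly what it needs.
permissions: {}

jobs:
  # Job 1: open or refresh the release PR (version bumps + changelog).
  release-plz-pr:
    if: ${{ github.repository_owner == 'unclesp1d3r' }}   # assumed owner; skips forks
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push the release branch
      pull-requests: write   # open/update the release PR
    concurrency:
      group: release-plz-${{ github.ref }}
      cancel-in-progress: false   # never abort a half-finished release step
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0              # release-plz walks tags and history
          persist-credentials: false  # this job pushes via the API, not the git CLI
      - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
        with:
          install: true               # Rust toolchain + tools pinned in mise.toml
      - uses: release-plz/action@v0.5   # assumed ref: pin to a commit SHA + "# v0.5"
        with:
          command: release-pr
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Job 2: after the release PR merges, publish to crates.io and push the
  # signed tag that cargo-dist listens for.
  release-plz-release:
    if: ${{ github.repository_owner == 'unclesp1d3r' }}   # assumed owner
    runs-on: ubuntu-latest
    permissions:
      contents: write   # push the signed git tag
      id-token: write   # mint the OIDC token for crates.io trusted publishing
    concurrency:
      group: release-plz-${{ github.ref }}
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: true   # release-plz pushes signed tags with the git CLI
      - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
        with:
          install: true
      # Exchange the job's OIDC identity for a short-lived crates.io token.
      # No long-lived CARGO_REGISTRY_TOKEN secret is stored in the repository.
      - id: auth
        uses: rust-lang/crates-io-auth-action@v1   # assumed ref: pin to a commit SHA
      - uses: release-plz/action@v0.5   # assumed ref: pin to a commit SHA
        with:
          command: release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

The point of the split is blast radius: only the release job holds `id-token: write` and a persisted git credential, and only for the steps that publish and tag, while the PR job runs with a token that cannot reach crates.io at all.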
Summary by CodeRabbit
Walkthrough
Adds release automation with a new
Changes
Sequence Diagram(s)
sequenceDiagram
actor Developer
participant GitHub as GitHub
participant ReleasePLZ as release-plz
participant CratesIO as crates.io
participant CargoDist as cargo-dist
Developer->>GitHub: Push to main
GitHub->>ReleasePLZ: run release-plz (create/update release PR)
Developer->>GitHub: Merge release PR
GitHub->>ReleasePLZ: run release-plz (publish & tag)
ReleasePLZ->>CratesIO: Publish crate
ReleasePLZ->>GitHub: Create git tag
GitHub->>CargoDist: Trigger cargo-dist on tag
CargoDist->>GitHub: Create GitHub Release with artifacts
release-plz needs persist-credentials: true on the release job to push signed tags via the git CLI instead of the GitHub API.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Use the same jdx/mise-action pattern as all other workflows. This installs the pinned Rust toolchain from mise.toml along with all other project dependencies in a single step.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Pull request overview
This pull request integrates release-plz for automated crates.io publishing alongside the existing cargo-dist setup. The two-tool pipeline automates version bumping, changelog generation, crates.io publishing, and binary distribution. On every push to main, release-plz opens/updates a release PR with version bumps and changelog updates. When that PR is merged, release-plz publishes to crates.io and creates a git tag, which triggers cargo-dist to build binaries and create the GitHub Release.
Changes:
- Add release-plz configuration and workflow for automated crates.io publishing via OIDC trusted publishing
- Add release-plz v0.3.155 to mise tooling configuration
- Update release process documentation to describe the two-tool automation pipeline
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| release-plz.toml | Configuration for release-plz: delegates GitHub Releases to cargo-dist, enables semver checks and git tagging |
| .github/workflows/release-plz.yml | Workflow with two jobs: one to create/update release PRs, one to publish to crates.io on merge |
| mise.toml | Adds release-plz v0.3.155 to development tooling |
| mise.lock | Lock file update for release-plz tool |
| docs/src/release-process.md | Updated documentation explaining the release-plz + cargo-dist automation pipeline |
| fetch-depth: 0 | ||
| persist-credentials: false | ||
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | ||
| with: |
GitHub Actions should be pinned to full commit SHA hashes with version comments for security, following the repository's established pattern. The release-plz/action@v0.5 reference should be pinned to a specific commit SHA with a version comment (e.g., release-plz/action@<commit-sha> # v0.5).
| fetch-depth: 0 | ||
| # persist-credentials required for pushing signed tags via git CLI | ||
| persist-credentials: true | ||
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 |
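Review bot: persist-credentials: true two lines above keeps the job's GITHUB_TOKEN in .git/config for every later step, so the jdx/mise-action install that follows, and the release step after it, run with a push-capable token already on disk. That is the price of letting release-plz push signed tags through the git CLI; keep it confined to this one job, leave the release-pr job at persist-credentials: false, and restrict this job's permissions: block to the contents: write and id-token: write that the tag push and trusted publishing actually need.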
GitHub Actions should be pinned to full commit SHA hashes with version comments for security, following the repository's established pattern. The dtolnay/rust-toolchain@stable reference should be pinned to a specific commit SHA. Based on the CI workflow, consider using dtolnay/rust-toolchain@0dd4a6d07aedb0ef7f65e79f3e229a6c102ae2e0 # 1.91.0 or update to a newer pinned version if needed.
| persist-credentials: true | ||
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | ||
| with: | ||
| install: true |
GitHub Actions should be pinned to full commit SHA hashes with version comments for security, following the repository's established pattern. The release-plz/action@v0.5 reference should be pinned to a specific commit SHA with a version comment (e.g., release-plz/action@<commit-sha> # v0.5).
| concurrency: | ||
| group: release-plz-${{ github.ref }} | ||
| cancel-in-progress: false | ||
| steps: |
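Review bot: cancel-in-progress: false on the release-plz-${{ github.ref }} group is the right setting, since cancelling a run between the crates.io publish and the tag push would leave a published version with no tag for cargo-dist to build from. Note that GitHub keeps at most one pending run per concurrency group, so several quick pushes to main collapse into the newest queued run; that is harmless for the release PR, which release-plz recomputes from the current HEAD.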
GitHub Actions should be pinned to full commit SHA hashes with version comments for security, following the repository's established pattern. The actions/checkout@v6 reference should be pinned to actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 to match the rest of the codebase and prevent potential supply chain attacks.
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false |
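Review bot: actions/checkout@v6 is a floating major tag, whereas the jdx/mise-action step in this workflow is pinned to a full commit SHA with a version comment; pin this checkout the same way so a moved tag cannot swap the checkout code under the release workflow. persist-credentials: false with fetch-depth: 0 is the right pairing for this job, which needs the full tag history but does nothing with the git CLI that requires the token.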
GitHub Actions should be pinned to full commit SHA hashes with version comments for security, following the repository's established pattern. The dtolnay/rust-toolchain@stable reference should be pinned to a specific commit SHA. Based on the CI workflow, consider using dtolnay/rust-toolchain@0dd4a6d07aedb0ef7f65e79f3e229a6c102ae2e0 # 1.91.0 or update to a newer pinned version if needed.
Add a ci-pass job that acts as a single required status check.
It passes when all CI jobs succeed OR when they are skipped due to
path filtering (no Rust changes). This allows setting one required
check ("CI") in branch protection instead of listing every job.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Pin actions/checkout and release-plz/action to full commit SHAs with version comments, matching the established pattern across all other workflows in this repository.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Summary
- cargo publish via OIDC trusted publishing (no token secret needed)
New files
- release-plz.toml -- delegates GitHub Releases to cargo-dist, enables semver-checks
- .github/workflows/release-plz.yml -- official quickstart pattern with trusted publishing
Setup required after merge
- cargo publish once to create the crate on crates.io
Test plan