ci: automate crates.io publishing via trusted publishing#14
Upgrades publish.yml to actually publish all workspace crates to crates.io on each release, rather than only creating a GitHub release.

Changes:

- Adds `id-token: write` permission to the publish job so crates.io trusted publishing can mint a short-lived API token via OIDC.
- Authenticates via `rust-lang/crates-io-auth-action` (pinned by SHA to v1.0.4), relying on the trusted publisher configuration set up on crates.io for `fg-sra-vdb-sys`, `fg-sra-vdb`, and `fg-sra`. No long-lived `CARGO_REGISTRY_TOKEN` secret is required.
- Verifies all workspace crates are at the same version (lockstep) before publishing, matching the refget-rs pattern.
- Publishes the three crates in dependency order: fg-sra-vdb-sys -> fg-sra-vdb -> fg-sra. Each publish is idempotent (skipped if the version already exists on crates.io), so re-runs on the same main commit are safe.
- Uses `--no-verify` on all publishes as a temporary workaround: the vendored ncbi-vdb submodule lives at the workspace root rather than inside the fg-sra-vdb-sys crate directory, so cargo's verification build cannot find its source. A follow-up will either relocate the submodule, switch to dynamic linking against a system ncbi-vdb, or drop the `vendored` feature from the published crates.

The release-pr job is unchanged.
Codecov Report: All modified and coverable lines are covered by tests.
Summary

- Upgrades `publish.yml` to actually publish all workspace crates to crates.io on each release, rather than only creating a GitHub release.
- Adds `id-token: write` on the publish job and authenticates via `rust-lang/crates-io-auth-action` (pinned to v1.0.4) using the Trusted Publishing config already set up on crates.io for `fg-sra-vdb-sys`, `fg-sra-vdb`, and `fg-sra`. No long-lived `CARGO_REGISTRY_TOKEN` secret is needed.
- Publishes the three crates in dependency order: fg-sra-vdb-sys → fg-sra-vdb → fg-sra. Each publish is idempotent (skipped if the version already exists on crates.io) so re-running on the same `main` commit is safe.
- Verifies all workspace crates are at the same version (lockstep) before publishing (matching `refget-rs` `publish.yml`).

Known limitation: `--no-verify`

All three `cargo publish` calls use `--no-verify`. This is a temporary workaround, tracked in #15, and is not the intended long-term shape of the workflow.

Short version: the vendored `ncbi-vdb` submodule lives at the workspace root, so it is not included in the `fg-sra-vdb-sys` tarball, so cargo's verification build (and downstream `cargo install`) cannot find the source. v0.1.0 was manually published with `--no-verify` purely to park the three crate names. See #15 for root causes and the options under consideration (relocate the submodule, copy-to-`OUT_DIR` in build.rs, drop the `vendored` feature, etc.).

Once #15 is resolved, `--no-verify` should be removed from this workflow as part of that change.

Test plan

- `Check and Test` passes on this PR
- The `release-plz` v0.1.1 PR triggers `publish.yml` and successfully publishes v0.1.1 of all three crates to crates.io via trusted publishing
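The PR's own `publish.yml` is not reproduced on this page, so the following is an added, illustrative workflow (not the project's file) shaped the way the description says: read-only default permissions with `id-token: write` granted only to the publish job, the OIDC exchange through `rust-lang/crates-io-auth-action`, a lockstep version check, and an idempotent publish loop in dependency order. Assumptions not stated on the page: the `push`-to-`main` trigger, the `actions/checkout` and `dtolnay/rust-toolchain` steps, `jq` being present on the runner, the crates.io `/api/v1/crates/<name>/<version>` endpoint as the existence check, and the `@v1` ref standing in for the v1.0.4 commit SHA (the real SHA is not on the page). The unchanged release-pr job is left out.

```yaml
name: publish

# Assumed trigger: release-plz merges its release PR into main. Every step below
# is idempotent, so re-running on the same main commit is safe.
on:
  push:
    branches: [main]

# Read-only by default; only the publish job may mint an OIDC token.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets crates.io trusted publishing mint a short-lived token
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive   # the vendored ncbi-vdb submodule lives at the workspace root

      - uses: dtolnay/rust-toolchain@stable

      # Exchanges the job's OIDC token for a short-lived crates.io token; no
      # long-lived CARGO_REGISTRY_TOKEN secret exists in the repository.
      # In the real workflow pin this to the full commit SHA of v1.0.4 (placeholder here).
      - id: auth
        uses: rust-lang/crates-io-auth-action@v1

      - name: Verify workspace crates are in lockstep
        id: lockstep
        run: |
          set -euo pipefail
          versions=$(cargo metadata --no-deps --format-version 1 \
            | jq -r '.packages[].version' | sort -u)
          if [ "$(printf '%s\n' "$versions" | wc -l)" -ne 1 ]; then
            echo "::error::workspace crates are not at a single version:"
            cargo metadata --no-deps --format-version 1 \
              | jq -r '.packages[] | "\(.name) \(.version)"'
            exit 1
          fi
          echo "version=$versions" >> "$GITHUB_OUTPUT"

      - name: Publish in dependency order (idempotent)
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
          VERSION: ${{ steps.lockstep.outputs.version }}
        run: |
          set -euo pipefail
          for crate in fg-sra-vdb-sys fg-sra-vdb fg-sra; do
            # crates.io answers 200 when this exact version exists and 404 when it does not;
            # anything else (rate limit, outage) is treated as a failure rather than a guess.
            status=$(curl -sS -o /dev/null -w '%{http_code}' \
              -H 'User-Agent: fg-sra publish workflow (GitHub Actions)' \
              "https://crates.io/api/v1/crates/${crate}/${VERSION}")
            case "$status" in
              200) echo "${crate} ${VERSION} already on crates.io, skipping"; continue ;;
              404) ;;
              *)   echo "::error::unexpected HTTP ${status} checking ${crate}"; exit 1 ;;
            esac
            # --no-verify is the temporary workaround tracked in #15 (see the PR body).
            cargo publish -p "$crate" --no-verify
          done
```

The lockstep step runs before any token is used so a version mismatch fails the job without publishing a partial set, and the short-lived token from the auth step is only exposed to the single step that needs it.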