
Publish workspace crates through trusted publishing #36

Open
dahlia wants to merge 4 commits into fedify-dev:main from dahlia:ci/publish

Conversation

dahlia (Member) commented Jul 5, 2026

This prepares Feder for crates.io publishing without making the release path depend on a long-lived registry token. The new publish job runs only after the existing check and test jobs pass, asks crates.io for a short-lived token through GitHub OIDC, and publishes the whole Cargo workspace in one step.

The workflow treats tags and branch pushes differently because they answer different questions. A tag is a release claim, so the tag name must match Cargo.toml's workspace version exactly before anything is uploaded. A branch push is a preview artifact, so the workflow derives a pre-release version from the checked-in workspace version, the GitHub run number, and the short commit hash.

The version rewriting lives behind mise run publish-version instead of being spelled out inside .github/workflows/main.yaml. That keeps the workflow focused on deciding which version should be published, while the manifest restamping stays in the same task surface used by local release work. The task is written in Nushell so it can run consistently on Windows as well as Unix-like systems.

The workspace crate dependencies now live in the root Cargo.toml and member crates refer to them with *.workspace = true. This mirrors the release model: workspace members are developed through local paths, but published crates still need version requirements for their internal dependencies. Keeping those requirements in one table gives cargo-release and the CI restamp task a single place to update.

The package metadata was filled in at the same time because trusted publishing only solves authentication. crates.io still needs each package to describe itself clearly, so the crate manifests now inherit the shared author, homepage, and repository fields and carry crate-specific descriptions.

Summary by CodeRabbit

  • New Features

    • Added workspace-wide versioning and release automation for Rust crates.
    • Expanded CI to run checks and tests across the full workspace.
    • Added tasks for previewing, applying, and publishing version updates.
  • Bug Fixes

    • Standardized package metadata and dependency declarations to reduce versioning and publishing issues.
    • Improved publish safeguards to avoid releasing mismatched or duplicate versions.

dahlia added 3 commits July 5, 2026 23:44
Share mise setup across CI jobs and run the platform test matrix
through the mise test task.

Assisted-by: Codex:gpt-5.5
Publish workspace crates after check and test pass, deriving stable tag
versions from Cargo.toml and CI pre-release versions from the GitHub run
number and commit hash.

Centralize workspace crate dependency versions so release bumps and CI
publish restamping keep package versions aligned.

Assisted-by: Codex:gpt-5.5
@dahlia dahlia requested a review from sij411 July 5, 2026 15:53
@dahlia dahlia added the enhancement New feature or request label Jul 5, 2026
coderabbitai Bot commented Jul 5, 2026

Warning

Review limit reached

@dahlia, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 50 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3dfa3496-a946-46c2-b877-3183a4a5ae1c

📥 Commits

Reviewing files that changed from the base of the PR and between 0c96c1b and a5e85fc.

📒 Files selected for processing (1)
  • .github/workflows/main.yaml
📝 Walkthrough

This PR consolidates Rust workspace package metadata and internal dependency declarations under [workspace.package]/[workspace.dependencies], updates crate manifests to reference them via workspace = true, adds mise.toml tasks for version bumping and publishing, and refactors the CI workflow with shared YAML anchors and a version-aware publish job.

Changes

Workspace and crate manifest consolidation

  • Layer: Workspace package metadata and dependency declarations
    File(s): Cargo.toml
    Summary: Adds authors, homepage, repository to [workspace.package] and declares feder-core, feder-runtime-server, feder-vocab with pinned versions and paths under [workspace.dependencies].
  • Layer: Crate manifests adopt workspace-managed metadata and dependencies
    File(s): crates/feder-core/Cargo.toml, crates/feder-runtime-server/Cargo.toml, crates/feder-vocab/Cargo.toml
    Summary: Each crate manifest adds a description and switches authors, license, homepage, repository, and internal crate dependencies to *.workspace = true, removing explicit path dependencies.

Mise Tasks and CI Publish Pipeline

  • Layer: Mise task automation for versioning and testing
    File(s): mise.toml
    Summary: Bumps the pinned hongdown tool version, changes [tasks.test] to run cargo test --workspace, and adds bump, bump-execute, and publish-version tasks, the latter using a Nushell script to restamp workspace and dependency versions in Cargo.toml.
  • Layer: CI workflow refactor with shared anchors and publish versioning
    File(s): .github/workflows/main.yaml
    Summary: Introduces reusable YAML anchors for caching Rust toolchains and mise setup used by check and test jobs, and updates the publish job to compute/validate a publish version from tag or branch context, conditionally skip, apply the version via mise run publish-version, authenticate via crates-io-auth-action, and run cargo publish --workspace --allow-dirty.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • fedify-dev/feder#12: Continues the workspace migration by updating root and feder-core/feder-vocab manifests to workspace-managed metadata and dependencies.
  • fedify-dev/feder#28: Builds on the creation of feder-runtime-server, whose manifest is now updated to use workspace-managed metadata and dependency wiring.
🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately captures the main change: publishing the workspace crates via trusted publishing.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

coderabbitai Bot left a review comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/main.yaml:
- Line 51: The publish checkout in the workflow is persisting git credentials
unnecessarily, which can leak the GITHUB_TOKEN into later steps. Update the
`actions/checkout` usage in the publish job to disable credential persistence by
setting `persist-credentials: false`, so the checkout step only prepares the
source and does not retain auth beyond `crates-io-auth-action`.
- Around line 41-74: The publish job in the main workflow is too broadly
triggered on push events, so it can run the publish-version path for every
branch push and consume immutable crates.io versions. Update the workflow around
the publish job’s trigger/guard logic so publishing only happens for release
branches or tags, or add a stricter branch check alongside the existing
github.event_name and version handling in the publish step.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: db98f466-798f-4e72-b201-1e02999b925b

📥 Commits

Reviewing files that changed from the base of the PR and between 469982a and 0c96c1b.

📒 Files selected for processing (6)
  • .github/workflows/main.yaml
  • Cargo.toml
  • crates/feder-core/Cargo.toml
  • crates/feder-runtime-server/Cargo.toml
  • crates/feder-vocab/Cargo.toml
  • mise.toml

Comment thread .github/workflows/main.yaml
The publish job authenticates to crates.io with OIDC, so checkout does not
need to keep the GitHub token in the local git config for later steps.

fedify-dev#36 (comment)

Assisted-by: Codex:gpt-5.5
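The publish job that the PR description and the two review findings above describe, written out as an added example workflow. This is not the PR's own .github/workflows/main.yaml, and it only assumes what the page states: check and test jobs that must pass first, a tag name that must equal the workspace version exactly, a branch pre-release built from the workspace version, the run number and the short commit hash, and a mise task named publish-version that restamps the manifests. The `dev.<run>.<sha>` pre-release layout, passing the version as the task's argument, reading the workspace version as the first `version =` key in the root Cargo.toml, and installing mise through jdx/mise-action are assumptions made for this example. The two hardening points from the review, `persist-credentials: false` and restricting push triggers to the release branch, are included beside the OIDC permission the short-lived crates.io token needs.

```yaml
# Added example, not the project's workflow. Assumes check/test jobs exist as
# on the page and a `mise run publish-version <version>` task (argument form
# is an assumption).
name: publish

on:
  push:
    branches: [main]   # preview builds only from the release branch, not every push
    tags: ["*"]        # releases: tag name must equal the workspace version exactly

jobs:
  publish:
    needs: [check, test]        # never upload before the existing gates pass
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write           # lets crates-io-auth-action mint a short-lived token via OIDC
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # GITHUB_TOKEN is not needed after checkout
      - uses: jdx/mise-action@v2       # assumption: installs mise and the pinned tools

      - name: Decide publish version
        id: version
        run: |
          set -eu
          # Assumption: the first `version = "..."` in the root manifest is the
          # [workspace.package] version.
          manifest=$(sed -n 's/^version *= *"\(.*\)"/\1/p' Cargo.toml | head -n 1)
          case "$GITHUB_REF" in
            refs/tags/*)
              tag="${GITHUB_REF#refs/tags/}"
              if [ "$tag" != "$manifest" ]; then
                echo "tag $tag does not match workspace version $manifest" >&2
                exit 1           # a release claim that disagrees with the manifest is refused
              fi
              version="$manifest"
              ;;
            refs/heads/*)
              short=$(printf '%.7s' "$GITHUB_SHA")
              # Pre-release layout is an assumption; identifiers stay valid semver.
              version="${manifest}-dev.${GITHUB_RUN_NUMBER}.${short}"
              ;;
            *)
              echo "unsupported ref: $GITHUB_REF" >&2
              exit 1
              ;;
          esac
          echo "version=$version" >> "$GITHUB_OUTPUT"

      - name: Restamp workspace and dependency versions
        run: mise run publish-version "${{ steps.version.outputs.version }}"

      - uses: rust-lang/crates-io-auth-action@v1
        id: auth                # exchanges the job's OIDC identity for a crates.io token

      - name: Publish workspace
        run: cargo publish --workspace --allow-dirty   # --allow-dirty: manifests were restamped
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

The token from crates-io-auth-action exists only for this job, so nothing long-lived is stored in repository secrets; disabling credential persistence means the checkout's GITHUB_TOKEN is likewise gone before the restamp and publish steps run. Limiting `branches` to the release branch is what keeps feature-branch pushes from consuming immutable crates.io version numbers, which is the second finding above.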