Publish workspace crates through trusted publishing#36
Conversation
Share mise setup across CI jobs and run the platform test matrix through the mise test task. Assisted-by: Codex:gpt-5.5
Publish workspace crates after check and test pass, deriving stable tag versions from Cargo.toml and CI pre-release versions from the GitHub run number and commit hash. Centralize workspace crate dependency versions so release bumps and CI publish restamping keep package versions aligned. Assisted-by: Codex:gpt-5.5
|
Warning Review limit reached
Next review available in: 50 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR consolidates Rust workspace package metadata and internal dependency declarations under ChangesWorkspace and crate manifest consolidation
Mise Tasks and CI Publish Pipeline
Estimated code review effort: 3 (Moderate) | ~25 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/main.yaml:
- Line 51: The publish checkout in the workflow is persisting git credentials
unnecessarily, which can leak the GITHUB_TOKEN into later steps. Update the
`actions/checkout` usage in the publish job to disable credential persistence by
setting `persist-credentials: false`, so the checkout step only prepares the
source and does not retain auth beyond `crates-io-auth-action`.
- Around line 41-74: The publish job in the main workflow is too broadly
triggered on push events, so it can run the publish-version path for every
branch push and consume immutable crates.io versions. Update the workflow around
the publish job’s trigger/guard logic so publishing only happens for release
branches or tags, or add a stricter branch check alongside the existing
github.event_name and version handling in the publish step.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: db98f466-798f-4e72-b201-1e02999b925b
📒 Files selected for processing (6)
.github/workflows/main.yamlCargo.tomlcrates/feder-core/Cargo.tomlcrates/feder-runtime-server/Cargo.tomlcrates/feder-vocab/Cargo.tomlmise.toml
The publish job authenticates to crates.io with OIDC, so checkout does not need to keep the GitHub token in the local git config for later steps. fedify-dev#36 (comment) Assisted-by: Codex:gpt-5.5
This prepares Feder for crates.io publishing without making the release path depend on a long-lived registry token. The new publish job runs only after the existing check and test jobs pass, asks crates.io for a short-lived token through GitHub OIDC, and publishes the whole Cargo workspace in one step.
The workflow treats tags and branch pushes differently because they answer different questions. A tag is a release claim, so the tag name must match Cargo.toml's workspace version exactly before anything is uploaded. A branch push is a preview artifact, so the workflow derives a pre-release version from the checked-in workspace version, the GitHub run number, and the short commit hash.
The version rewriting lives behind
mise run publish-versioninstead of being spelled out inside .github/workflows/main.yaml. That keeps the workflow focused on deciding which version should be published, while the manifest restamping stays in the same task surface used by local release work. The task is written in Nushell so it can run consistently on Windows as well as Unix-like systems.The workspace crate dependencies now live in the root Cargo.toml and member crates refer to them with
*.workspace = true. This mirrors the release model: workspace members are developed through local paths, but published crates still need version requirements for their internal dependencies. Keeping those requirements in one table givescargo-releaseand the CI restamp task a single place to update.The package metadata was filled in at the same time because trusted publishing only solves authentication. crates.io still needs each package to describe itself clearly, so the crate manifests now inherit the shared author, homepage, and repository fields and carry crate-specific descriptions.
Summary by CodeRabbit
New Features
Bug Fixes