feat: Add a workflow to publish the crate through OIDC token exchange #16
jasonz-dfinity wants to merge 2 commits into dfinity:main from
Conversation
Dear @jasonz-dfinity, In order to potentially merge your code in this open-source repository and therefore proceed with your contribution, we need to have your approval on DFINITY's CLA. If you decide to agree with it, please visit this issue and read the instructions there. Once you have signed it, re-trigger the workflow on this PR to see if your code can be merged. — The DFINITY Foundation
Pull request overview
Adds a GitHub Actions release workflow to publish this Rust crate to crates.io using OIDC-based authentication.
Changes:
- Introduces a release.published-triggered workflow for publishing to crates.io.
- Adds crates.io auth via rust-lang/crates-io-auth-action and passes the issued token to cargo publish.
- Adds a guard step to verify the Cargo.toml version matches the git tag version.
| publish-crate: | ||
| runs-on: ubuntu-latest | ||
| environment: release | ||
| permissions: |
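Review bot: environment: release only restricts who can obtain the OIDC-exchanged token if two things hold outside this file: the crates.io Trusted Publishing entry for this crate must name the same environment (the environment field there is optional, and without it any run of this workflow file in the repository qualifies), and the GitHub release environment needs protection rules (required reviewers and/or a branch and tag restriction) so that a run of this job cannot be triggered from an arbitrary ref. Worth documenting those expected settings in the PR description, since the workflow itself cannot enforce them.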
Job-level permissions only grants id-token: write, which removes default contents: read. actions/checkout typically needs contents: read to fetch the repository, so this workflow can fail with insufficient permissions. Add contents: read (and any other required scopes) alongside id-token: write.
| permissions: | |
| permissions: | |
| contents: read |
| - name: Verify version matches tag | ||
| run: | | ||
| CARGO_VERSION=$(grep -m1 '^version' Cargo.toml | sed 's/.*"\(.*\)".*/\1/') | ||
| TAG_VERSION=${GITHUB_REF#refs/tags/v} |
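Review bot: the grep -m1 '^version' Cargo.toml | sed extraction takes the first line starting with version anywhere in the manifest, so a version.workspace = true line, or a [dependencies.x] table that precedes [package], yields the wrong value (the sed pattern passes a non-matching line through unchanged rather than failing). Prefer cargo metadata --no-deps --format-version 1 piped to jq -r '.packages[0].version', or at least scope the match to the [package] table and fail the step explicitly when the extracted value is empty.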
TAG_VERSION=${GITHUB_REF#refs/tags/v} assumes tags are prefixed with v. If the tag is 1.1.1 (no v), TAG_VERSION becomes refs/tags/1.1.1 and the version check will always fail. Use GITHUB_REF_NAME/github.ref_name (or github.event.release.tag_name) and strip a leading v only if present.
| TAG_VERSION=${GITHUB_REF#refs/tags/v} | |
| TAG_VERSION="${GITHUB_REF_NAME#v}" |
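A version guard that covers the points raised in the comments above (tags with and without a v prefix, and a version read only from the [package] table rather than the first version line in the file), as an added example that is not part of this PR or the repository; the function names and the sample manifest are constructed for the illustration.

```shell
# Added example (not from the PR): a tag/version guard that accepts both
# "v1.1.1" and "1.1.1" release tags and reads the crate version only from
# the [package] table of Cargo.toml. Function names and the sample manifest
# are constructed for this illustration.

# Print the version from the [package] table, ignoring `version` keys in
# other tables (e.g. [dependencies.foo]) that a bare `grep '^version'` hits.
package_version() {
  awk '
    /^\[/ { in_pkg = ($0 == "[package]") }
    in_pkg && /^[[:space:]]*version[[:space:]]*=/ {
      sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit
    }
  ' "$1"
}

# Normalise a tag: drop a refs/tags/ prefix (GITHUB_REF form) and one
# leading "v", so GITHUB_REF, GITHUB_REF_NAME or release.tag_name all work.
tag_version() {
  t="${1#refs/tags/}"
  printf '%s\n' "${t#v}"
}

# Succeeds only when a version was found and it equals the tag version.
verify_version() {
  cv=$(package_version "$1")
  tv=$(tag_version "$2")
  [ -n "$cv" ] && [ "$cv" = "$tv" ]
}

# Constructed manifest: a dependency table also has a line starting with
# "version", which the [package]-scoped extraction must not pick up.
SAMPLE_TOML=$(mktemp)
trap 'rm -f "$SAMPLE_TOML"' EXIT
cat > "$SAMPLE_TOML" <<'EOF'
[package]
name = "example-crate"
version = "1.1.1"
edition = "2021"

[dependencies.serde]
version = "1.0"
features = ["derive"]
EOF

if verify_version "$SAMPLE_TOML" "refs/tags/v1.1.1"; then
  echo "Cargo.toml version matches tag"
fi
```

In the workflow the same check would run as a step with the repository's Cargo.toml and "$GITHUB_REF_NAME" as the two arguments, exiting non-zero before the publish step when they differ.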
| - name: Publish to crates.io | ||
| run: cargo publish |
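Review bot: the visible step has no env: block, and the token issued by rust-lang/crates-io-auth-action is only used by cargo if it is exported as CARGO_REGISTRY_TOKEN on this step (from that action's token output via steps.<auth-step-id>.outputs.token); if it is set elsewhere in the step, ignore this, otherwise cargo publish will fall back to whatever ambient credential the runner has, which for a Trusted Publishing setup should be nothing. Since this is the step that consumes the OIDC-exchanged credential, pinning the uses: of the auth action to a full commit SHA rather than a mutable tag is also worth doing here.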
This workflow runs cargo publish without setting up a Rust toolchain. In this repo’s CI, Rust is installed explicitly via rustup, so publishing may be non-reproducible or break if the runner image changes. Add a Rust toolchain setup step (matching the version policy used in CI) before running cargo commands.
No description provided.