From e5ccd8ce4d205f3ff471f20396777dc3e3e2d2dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leo=20Bl=C3=B6cher?=
Date: Fri, 5 Jun 2026 14:48:10 +0100
Subject: [PATCH] Add actions pipeline for trusted publishing to crates.io

The pipeline is triggered by tags in the format we configured for `cargo-release`. It checks that the tag is on a commit that belongs to the main branch before publishing.
---
 .github/workflows/publish.yml | 50 +++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..b10a036
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,50 @@
+name: Publish to crates.io
+permissions:
+ contents: read
+ id-token: write
+
+on:
+ push:
+ tags:
+ - "v*.*.*"
+ - "foundations-*-v*.*.*"
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ publish:
+ name: Publish
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ submodules: "recursive"
+
+ - name: Verify tag is on main
+ run: |
+ git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
+ if ! git merge-base --is-ancestor "${GITHUB_REF_NAME}" origin/main; then
+ echo "Tag ${GITHUB_REF_NAME} is not reachable from origin/main. Refusing to publish." >&2
+ exit 1
+ fi
+
+ - uses: rust-lang/crates-io-auth-action@v1
+ id: auth
+
+ - name: Publish crate
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+ run: |
+ semver='[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?'
+
+ if [[ "${GITHUB_REF_NAME}" =~ ^v${semver}$ ]]; then
+ cargo publish -p foundations -p foundations-macros
+ elif [[ "${GITHUB_REF_NAME}" =~ ^(foundations-.+)-v${semver}$ ]]; then
+ cargo publish -p "${BASH_REMATCH[1]}"
+ else
+ echo "Unsupported release tag: ${GITHUB_REF_NAME}" >&2
+ exit 1
+ fi
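Review bot: The two third-party actions in the `steps` list, `actions/checkout@v6` and `rust-lang/crates-io-auth-action@v1`, are referenced by mutable version tags rather than full commit SHAs, so a retagged or compromised action release would run inside a job that holds `id-token: write` and, after the auth step, a live registry token. Pinning each to a full-length commit SHA with the version kept in a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v6`, makes the job's inputs immutable and still lets Dependabot or Renovate propose bumps. The ordering of the `Verify tag is on main` step before `crates-io-auth-action` is the right one, since the ancestry check fails closed before any token is minted; a comment on that step, `# Must stay ahead of the auth step: refuse before a registry token is minted`, would stop a later reorder from silently weakening it. The `^(foundations-.+)-v${semver}$` branch feeds `BASH_REMATCH[1]` straight to `cargo publish -p`; the tag comes from the repository's own refs and the regex constrains it, but the greedy `.+` presumably misparses a crate name that itself contains `-v` followed by a version-like suffix, which may be worth a note if such names are possible.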