ci(release): automate GitHub releases from Cargo.toml version bumps #80

Merged
timcogan merged 3 commits into master from ci/auto-release-from-cargo-version
Apr 16, 2026


@timcogan timcogan commented Apr 16, 2026

Summary by CodeRabbit

  • Chores
    • Release automation now runs on version-bump commits to main/master, supports manual reruns, and reserves/releases the corresponding vX.Y.Z automatically; checkout depth updated to enable version change detection.
    • Added scheduled Dependabot updates for the Rust toolchain.
  • CI
    • New version-check job enforces strict X.Y.Z package version format; CI now pins the Rust toolchain.
  • Documentation
    • RELEASE.md updated with version-bump-driven release instructions.
  • Refactor
    • Minor internal URI parsing cleanup (no behavior change).


coderabbitai bot commented Apr 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 805ba4e5-664a-4c36-aa9f-071df7776d13

📥 Commits

Reviewing files that changed from the base of the PR and between 6dd39ab and 2b09ad4.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ci.yml

📝 Walkthrough

The PR replaces a tag-driven release workflow with a version-bump-driven automation that validates strict X.Y.Z in Cargo.toml, computes vX.Y.Z, checks GitHub Releases/tags, and conditionally runs cargo-dist publish steps. It also adds a CI version check and pinned toolchain, a Dependabot entry, documentation updates, and a small parse_perspecta_uri refactor.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Release workflow: .github/workflows/release.yml | Switches triggers to push (filtered to Cargo.toml/dist-workspace.toml) and workflow_dispatch; adds release_meta step to parse/validate Cargo.toml (strict X.Y.Z), derive v<version>, determine publishing by checking Releases/tags and prior version, changes plan outputs/control flow, uses full checkout (fetch-depth: 0), and renames downstream output to tag_flag. |
| CI checks & toolchain: .github/workflows/ci.yml, rust-toolchain.toml | Adds version job that extracts/validates package.version (must match X.Y.Z), makes rust and gitleaks depend on it; pins dtolnay rust-toolchain action to @1.95.0; adds rust-toolchain.toml pinning channel 1.95.0 with clippy and rustfmt. |
| Dependabot config: .github/dependabot.yml | Adds Dependabot entry for rust-toolchain at repo root with a weekly schedule, open PR limit, assignee, and chore-style commit message format. |
| Docs: RELEASE.md | Replaces manual tag-driven instructions with version-bump-driven flow: advise pushing version commit to main/master, describe automatic detection and creation of vX.Y.Z release/tag, note strict X.Y.Z requirement and workflow_dispatch rerun option. |
| Small refactor: src/launch.rs | Refactors parse_perspecta_uri match arms to use pattern guards for non-empty decoded query values, collapsing prior inner emptiness checks while preserving behavior. |

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer (push/PR)
    participant Actions as GitHub Actions (release.yml)
    participant Repo as Git Repository
    participant GH as GitHub Releases API
    participant Dist as cargo-dist
    rect rgba(100,150,250,0.5)
    Dev->>Repo: push commit or open PR (Cargo.toml change?)
    end
    Actions->>Actions: release_meta: read Cargo.toml → version "X.Y.Z", tag "vX.Y.Z"
    Actions->>GH: query Releases/tags for "vX.Y.Z"
    alt tag exists OR no version bump
        GH-->>Actions: tag found (published/draft)
        Actions->>Actions: set publishing=false
        Actions->>Dist: run `dist plan` (no publish)
    else new version & tag not published
        GH-->>Actions: tag not found
        Actions->>Actions: set publishing=true
        Actions->>Dist: run `dist host --steps=create --tag="vX.Y.Z"` (publish)
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nibbled at Cargo.toml tonight,
Bumped the numbers till they gleamed so bright.
CI sniffed the change and hummed with delight,
Made vX.Y.Z and sent it into flight.
Hooray — automated hops, no late-night bite! 🎉

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | No pull request description was provided. The author left the description empty, failing to explain changes, testing performed, or fulfill template requirements. | Add a comprehensive pull request description following the template: include a Summary section explaining the automation workflow changes, a Testing section with results from the listed make commands and any manual testing, and confirm the Checklist items were completed. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main objective: automating GitHub releases based on Cargo.toml version bumps, which aligns with the substantial workflow and documentation changes across multiple files. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 12-16: The workflow currently only triggers on pushes to branches:
main/master with a paths filter for Cargo.toml which prevents retrying a failed
release for the same version; update .github/workflows/release.yml to remove or
relax the paths: - Cargo.toml restriction and add an explicit workflow_dispatch
trigger (and/or push:on: tags) so you can re-run or re-trigger the release
without a version bump, and ensure any existing guard logic that compares
github.event.before to the new version is adjusted to allow manual re-run
(references: branches, paths, Cargo.toml, workflow_dispatch).
- Around line 63-80: The release version format check currently runs only on
push (using EVENT_NAME, BEFORE_SHA, previous_version and current_version), so
add the same X.Y.Z validation as an earlier CI step that runs on pull_request
(or include it in existing PR workflows) to reject non-semver variants before
merge; implement this by extracting current_version from Cargo.toml and applying
the same regex check (^[0-9]+\.[0-9]+\.[0-9]+$) in a PR-checking job so PRs that
set versions like 1.2.3-rc.1 fail CI instead of only failing after merge.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3631e036-1761-4bcf-af6a-c77329a20680

📥 Commits

Reviewing files that changed from the base of the PR and between 9b53106 and d1cb3c9.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • RELEASE.md

@timcogan

@coderabbitai


coderabbitai bot commented Apr 16, 2026

@timcogan Sure! I'll start reviewing PR #80 right away.


🧠 Learnings used
Learnt from: CR
Repo: timcogan/perspecta PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-13T18:43:03.539Z
Learning: Applies to RELEASE.md : Consult `RELEASE.md` when a change affects release process, versioning, tags, or publishing workflow
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

33-37: Make Cargo.toml version parsing whitespace-tolerant to prevent brittle CI failures.

Current matching depends on exact formatting ([package] and version = ). A small formatting variation can cause false negatives.

Diff suggestion
-          current_version="$(
-            awk '
-              /^\[package\]$/ { in_package = 1; next }
-              /^\[/ { in_package = 0 }
-              in_package && /^version = / { print $3; exit }
-            ' Cargo.toml | tr -d '"'
-          )"
+          current_version="$(
+            awk '
+              /^[[:space:]]*\[package\][[:space:]]*$/ { in_package = 1; next }
+              /^[[:space:]]*\[/ { in_package = 0 }
+              in_package && /^[[:space:]]*version[[:space:]]*=/ {
+                if (match($0, /"([^"]+)"/, m)) { print m[1]; exit }
+              }
+            ' Cargo.toml
+          )"
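Review bot: the added `match($0, /"([^"]+)"/, m)` call uses the three-argument form of match(), which is a GNU awk extension; mawk or another POSIX awk rejects it, and current_version then comes back empty. Either invoke gawk explicitly or use two-argument match() with RSTART/RLENGTH and substr(). The capture also takes the first double-quoted string on the line and the `tr -d '"'` step is dropped, so confirm that an empty or unexpected value still fails the strict X.Y.Z check instead of flowing into a tag name.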
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 33 - 37, The AWK snippet that extracts
the version uses exact patterns (/^\[package\]$/, /^\[/, and /^version = /)
which are brittle; update the patterns to be whitespace-tolerant (e.g.,
/^\s*\[package\]\s*$/, /^\s*\[/, and /^\s*version\s*=\s*/) so the in_package
logic and the version match work with varying spacing, and keep the existing |
tr -d '"' to strip quotes after extraction (locate the awk block containing
in_package and the version match).

19-21: Gate downstream jobs on version to fail fast and save runners.

rust and gitleaks can still run even when version validation already failed.

Diff suggestion
   rust:
     name: Rust Checks
+    needs: version
     runs-on: ubuntu-latest
@@
   gitleaks:
     name: Secret Scan
+    needs: version
     runs-on: ubuntu-latest
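Review bot: adding `needs: version` to the gitleaks job means the Secret Scan does not run at all on a commit whose version check fails, although secret detection does not depend on the version format. Keep the gate on rust if the goal is to save runner time, but consider leaving gitleaks ungated so every pushed commit is still scanned.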
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 19 - 21, The CI currently lets
downstream jobs run even if the version job fails; update the workflow so
downstream jobs depend on the version job by adding an explicit dependency for
the failing-fast behavior: add needs: version (or conditional `if:
needs.version.result == 'success'`) to the rust and gitleaks jobs (and any other
jobs that should be gated) in .github/workflows/ci.yml so they only run when the
Version Checks job (job name `version`) succeeds.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 33-37: The AWK snippet that extracts the version uses exact
patterns (/^\[package\]$/, /^\[/, and /^version = /) which are brittle; update
the patterns to be whitespace-tolerant (e.g., /^\s*\[package\]\s*$/, /^\s*\[/,
and /^\s*version\s*=\s*/) so the in_package logic and the version match work
with varying spacing, and keep the existing | tr -d '"' to strip quotes after
extraction (locate the awk block containing in_package and the version match).
- Around line 19-21: The CI currently lets downstream jobs run even if the
version job fails; update the workflow so downstream jobs depend on the version
job by adding an explicit dependency for the failing-fast behavior: add needs:
version (or conditional `if: needs.version.result == 'success'`) to the rust and
gitleaks jobs (and any other jobs that should be gated) in
.github/workflows/ci.yml so they only run when the Version Checks job (job name
`version`) succeeds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1897a984-dc4d-4814-93aa-f858073338ba

📥 Commits

Reviewing files that changed from the base of the PR and between d1cb3c9 and 6dd39ab.

📒 Files selected for processing (6)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • RELEASE.md
  • rust-toolchain.toml
  • src/launch.rs
✅ Files skipped from review due to trivial changes (3)
  • rust-toolchain.toml
  • .github/dependabot.yml
  • src/launch.rs
🚧 Files skipped from review as they are similar to previous changes (2)
  • RELEASE.md
  • .github/workflows/release.yml
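
The strict X.Y.Z check and the whitespace-tolerant Cargo.toml parsing discussed in this review, as an added example (not code from the PR or from the project's workflows): it reads `[package].version` with POSIX awk only, fails closed on anything that is not strict X.Y.Z, and derives the `vX.Y.Z` tag. The function names and the sample manifest are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from the PR.

# Print [package].version from the manifest in $1. Tolerates spaces/tabs around
# the table header, the key and "=", and uses no gawk-only features.
cargo_package_version() {
  awk '
    /^[ \t]*\[package\][ \t]*$/ { in_package = 1; next }
    /^[ \t]*\[/ { in_package = 0 }
    in_package && /^[ \t]*version[ \t]*=/ {
      line = $0
      sub(/^[^=]*=[ \t]*/, "", line)            # drop the key and "="
      if (match(line, /^"[^"]*"/))              # value must be a quoted string
        print substr(line, RSTART + 1, RLENGTH - 2)
      exit
    }
  ' "$1"
}

# Succeed only for strict X.Y.Z. The case guard rejects empty input and any
# character other than digits and dots (including newlines) before grep runs.
is_strict_version() {
  case "$1" in
    ''|*[!0-9.]*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Print the release tag for the manifest in $1, or fail with non-zero status.
release_tag() {
  v="$(cargo_package_version "$1")" || return 1
  is_strict_version "$v" || { echo "invalid package version: '$v'" >&2; return 1; }
  printf 'v%s\n' "$v"
}

# Constructed sample manifest: irregular spacing, a trailing comment, and a
# decoy "version" key in another table that must be ignored.
demo() {
  tmp="$(mktemp)"
  printf '%s\n' '  [package]  ' 'name = "example-crate"' \
    '  version   =   "1.2.3"  # comment' '[dependencies]' 'version = "9.9.9"' > "$tmp"
  rc=0
  release_tag "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

demo   # prints v1.2.3
```

A manifest that uses `version.workspace = true` or a pre-release such as `1.2.3-rc.1` makes `release_tag` return non-zero, so no tag name is produced from it.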

@timcogan

@coderabbitai


coderabbitai bot commented Apr 16, 2026

@timcogan Sure! I'll start reviewing PR #80 right away.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@timcogan timcogan merged commit 76287f9 into master Apr 16, 2026
8 checks passed
@timcogan timcogan deleted the ci/auto-release-from-cargo-version branch April 16, 2026 16:36