ci: auto-publish relayburn-sdk + relayburn-cli to crates.io in lockstep with npm #353
willwashburn merged 2 commits into main from
…ep with npm

Extends `.github/workflows/publish.yml` to ship the two Rust crates alongside the eight npm packages on every workflow_dispatch publish run, using crates.io OIDC trusted publishing (no long-lived token, mirrors the existing npm flow).

Workflow changes:
- Adds a `cargo build --workspace --all-targets` + `cargo test --workspace` gate after the npm build/test so a Rust regression aborts the run before any publish side-effects.
- Bump step rewrites `[workspace.package].version` and the `relayburn-sdk` MAJOR.MINOR pin in the cli + sdk-node Cargo.toml files to the new lockstep version, then `cargo update --workspace` refreshes Cargo.lock.
- Inserts an OIDC token mint (`rust-lang/crates-io-auth-action@v1`) and `cargo publish` for sdk → cli before the npm pack+publish, with sparse-index polling between them and idempotent gates that skip versions already on crates.io so partial-failure re-runs work.
- Tag step adds annotated `relayburn-sdk-v<ver>` / `relayburn-cli-v<ver>` tags alongside the existing npm package tags.
- Summary step lists the cargo crates published.

Pre-bump bootstrap (one-time alignment):
- Workspace `Cargo.toml` version 0.0.0 → 1.10.0 to match current npm lockstep.
- relayburn-cli + relayburn-sdk-node `relayburn-sdk` dep version constraint 0.0 → 1.10 (caret = >=1.10.0, <2.0.0).
- Cargo.lock refreshed accordingly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
📝 Walkthrough
Adds Rust workspace version bump and updates internal crate dependency versions; integrates Rust build/test gating, Rust version sync during npm bump, crates.io publishing via GitHub OIDC (with sparse-index checks and polling), crate-specific git tags, and workflow summary updates — all in the publish GitHub Actions workflow.
Changes
Rust Package Publishing Integration
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)
88-95: 💤 Low value
`clippy` component is installed but never executed.
The workflow adds `clippy` as a component but only runs `cargo build` and `cargo test`. If lint gates are intended, add `cargo clippy --workspace --all-targets -- -D warnings`. If clippy isn't needed, remove it from the component list to reduce setup time.
Option A: Run clippy (if lint gates are intended)
- name: Cargo build + test run: | cargo build --workspace --all-targets + cargo clippy --workspace --all-targets -- -D warnings cargo test --workspaceOption B: Remove unused component
- name: Setup Rust toolchain run: | rustup toolchain install - rustup component add rustfmt clippy + rustup component add rustfmt🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish.yml around lines 88 - 95, The workflow installs the "clippy" component but never runs it; either run Clippy as part of the job by adding a step that invokes "cargo clippy --workspace --all-targets -- -D warnings" (so lint failures fail the job) after the existing "cargo build + test" steps, or remove "clippy" from the "rustup component add rustfmt clippy" line to avoid installing an unused component; update the job to reference the same workspace invocation style as "cargo build" and "cargo test".
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish.yml:
- Around line 595-608: The workflow mints the crates.io token only when dry_run
!= 'true', but the subsequent "Cargo publish (sdk → cli)" step requires
CARGO_REGISTRY_TOKEN even for --dry-run; update the workflow so the OIDC token
minting step (id: cargo-auth, uses: rust-lang/crates-io-auth-action@v1) runs
unconditionally (remove the if: condition) or ensure a token is supplied for dry
runs (set CARGO_REGISTRY_TOKEN from a repo/secret or a conditional step) so the
"Cargo publish (sdk → cli)" step always has CARGO_REGISTRY_TOKEN available.
- Around line 623-635: The polling loop that checks the crates.io sparse index
for relayburn-sdk@$VER can silently time out and allow the publish to continue;
modify the block around the for loop (the code that uses DRY, sdk_published, VER
and the for i in $(seq 1 30) loop) to detect whether the grep ever succeeded
and, if not, print a clear error like "relayburn-sdk@$VER not visible in index
after 30 attempts" and exit non‑zero (exit 1) so the workflow fails fast;
implement this by setting a local flag (e.g., found=0 set to 1 when grep
matches) or by checking the loop exit status and then echoing the message and
exiting when the version was not found.
---
Nitpick comments:
In @.github/workflows/publish.yml:
- Around line 88-95: The workflow installs the "clippy" component but never runs
it; either run Clippy as part of the job by adding a step that invokes "cargo
clippy --workspace --all-targets -- -D warnings" (so lint failures fail the job)
after the existing "cargo build + test" steps, or remove "clippy" from the
"rustup component add rustfmt clippy" line to avoid installing an unused
component; update the job to reference the same workspace invocation style as
"cargo build" and "cargo test".
⛔ Files ignored due to path filters (1)
- `Cargo.lock` is excluded by `!**/*.lock`
📒 Files selected for processing (4)
- `.github/workflows/publish.yml`
- `Cargo.toml`
- `crates/relayburn-cli/Cargo.toml`
- `crates/relayburn-sdk-node/Cargo.toml`
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 239794d85f
| if: ${{ github.event.inputs.dry_run != 'true' }} | ||
| id: cargo-auth | ||
| uses: rust-lang/crates-io-auth-action@v1 |
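Review bot: `uses: rust-lang/crates-io-auth-action@v1` references the action by a movable tag, and this is the step that trades the job's OIDC identity for a crates.io publish token. Pin it to a full commit SHA, keeping the tag in a trailing comment, so a re-pointed `v1` cannot change what runs with that identity. The `if:` guard on `dry_run` also means a dry run never exercises the token exchange, so a broken trusted-publisher registration would only surface on a real release; consider running this step on dry runs too.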
Mint crates token for dry-run publish checks
The workflow skips `Mint crates.io token via OIDC` when `dry_run=true`, but the next step still executes `cargo publish --dry-run` in `Cargo publish (sdk → cli)`. In this context, dry-run releases will fail in the Rust publish phase because `cargo publish` requires registry authentication even when running checks only, so the advertised dry-run preflight path cannot complete. Gate the publish step consistently or mint the token for dry-runs as well.
- Drop the redundant `rustup component add rustfmt clippy` line —
  rust-toolchain.toml already lists those components, so `rustup
  toolchain install` installs them on its own. Saves setup time and
  removes the false signal that publish.yml was going to run clippy
  (it doesn't; ci.yml doesn't either).
- Always mint the crates.io OIDC token, including on `dry_run: true`.
  Two reasons:
  1. `cargo publish --dry-run` requires registry auth on some cargo
     versions, so passing a real token avoids version-dependent
     surprises on the runner.
  2. Running the OIDC exchange on every dry run validates that the
     crates.io trusted-publisher registration is healthy — the whole
     point of running a dry run before a real release.
- Make the sparse-index polling loop fail loudly on timeout. If
  relayburn-sdk@$VER never appears within 30 attempts (5 min), exit
  non-zero with a clear error annotation instead of falling through
  to the CLI publish — a "missing dep" cargo error there is harder
  to diagnose than an explicit timeout.

Flagged by CodeRabbit + Codex on PR #353.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
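The fail-loud sparse-index wait described in the commit message above, as an added example (not the project's `publish.yml`). The function names, the `FETCH` hook, the 10-second delay (derived from 30 attempts over 5 minutes) and the sample index lines are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: wait for a crate version on the crates.io sparse index, fail on timeout.
FETCH=${FETCH:-fetch_curl}            # hypothetical hook: swap in a stub to run offline
fetch_curl() { curl -fsSL "$1"; }

# Sparse-index layout: 1/<n>, 2/<n>, 3/<c>/<n>, otherwise <ab>/<cd>/<n> (lowercased).
index_path() {
  local n; n=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case ${#n} in
    1) echo "1/$n" ;;
    2) echo "2/$n" ;;
    3) echo "3/$(printf '%s' "$n" | cut -c1)/$n" ;;
    *) echo "$(printf '%s' "$n" | cut -c1-2)/$(printf '%s' "$n" | cut -c3-4)/$n" ;;
  esac
}

# Reads index lines (one JSON object per version) on stdin.
# True only on an exact "vers" match, so 1.10.10 never satisfies a wait for 1.10.1.
has_version() {
  local re; re=$(printf '%s' "$1" | sed 's/[.+]/\\&/g')
  grep -Eq "\"vers\"[[:space:]]*:[[:space:]]*\"$re\""
}

# wait_for_version CRATE VER [ATTEMPTS] [DELAY_SECONDS]
wait_for_version() {
  local crate="$1" ver="$2" attempts="${3:-30}" delay="${4:-10}" url i=1
  url="https://index.crates.io/$(index_path "$crate")"
  while [ "$i" -le "$attempts" ]; do
    if "$FETCH" "$url" 2>/dev/null | has_version "$ver"; then
      echo "$crate@$ver visible in index after $i attempt(s)"
      return 0
    fi
    if [ "$i" -lt "$attempts" ]; then sleep "$delay"; fi
    i=$((i + 1))
  done
  # A timeout is an error, not a fall-through: stop before the dependent publish.
  echo "::error::$crate@$ver not visible in index after $attempts attempts" >&2
  return 1
}

# Constructed sample index content (not real crates.io data).
SAMPLE_INDEX='{"name":"relayburn-sdk","vers":"1.10.0","deps":[],"yanked":false}
{"name":"relayburn-sdk","vers":"1.10.10","deps":[],"yanked":false}'

# Offline check of the exact-match behaviour against the sample.
printf '%s\n' "$SAMPLE_INDEX" | has_version 1.10.1 || echo "1.10.1 absent (1.10.10 is not a match)"
```

In a workflow step the call would be `wait_for_version relayburn-sdk "$VER" || exit 1`, placed between the sdk publish and the cli publish.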
Summary
- `.github/workflows/publish.yml` so each `workflow_dispatch` publish run also ships `relayburn-sdk` and `relayburn-cli` to crates.io, using OIDC trusted publishing (no long-lived `CARGO_REGISTRY_TOKEN`).
- `[workspace.package].version` and the cli/sdk-node `relayburn-sdk` MAJOR.MINOR dep pin, refreshes `Cargo.lock`, and stages all Rust files alongside the npm version commit.
- `version: none`.
- `relayburn-sdk-v<ver>` / `relayburn-cli-v<ver>` tags (the `relayburn-` prefix disambiguates them from the existing npm `sdk-v…` / `cli-v…` tags).

Pre-bump bootstrap (one-time alignment)
This PR aligns the Rust workspace with the current npm lockstep version:
- `Cargo.toml`: workspace version `0.0.0` → `1.10.0`.
- `crates/relayburn-cli/Cargo.toml` + `crates/relayburn-sdk-node/Cargo.toml`: `relayburn-sdk` dep version constraint `0.0` → `1.10` (caret = `>=1.10.0, <2.0.0`).
- `Cargo.lock` refreshed.

Required maintainer steps before the first auto-publish run
The workflow can't mint OIDC tokens until trusted publishing is configured on crates.io. After this PR merges:
- `cargo publish -p relayburn-sdk` `https://index.crates.io/re/la/relayburn-sdk` for `1.10.0`).
- `cargo publish -p relayburn-cli` `AgentWorkforce/burn`, workflow filename: `publish.yml`, environment: empty.

After bootstrap, the next `workflow_dispatch` run with `version: patch` will land `1.10.1` everywhere in lockstep.

Risks + mitigations
- `index.crates.io/re/la/relayburn-sdk` for the new version with timeout
- `dry_run: true` validates the OIDC exchange without publishing
- `cargo build`/`test` step gates the whole job; npm doesn't ship if Rust is red

Test plan
- `cargo build --workspace && cargo test --workspace` passes on the bumped workspace.
- `workflow_dispatch` with `dry_run: true`, `version: patch` to verify:
  - `cargo build`/`test` pass on the runner.
  - `Cargo.toml` workspace version + `crates/relayburn-{cli,sdk-node}/Cargo.toml` SDK constraints (visible in step log).
  - `rust-lang/crates-io-auth-action@v1` exchanges OIDC successfully.
  - `cargo publish --dry-run -p relayburn-sdk` and `-p relayburn-cli` succeed.
- `relayburn-sdk-v1.10.1` and `relayburn-cli-v1.10.1` appear; `cargo install relayburn-cli` from a clean machine works.

🤖 Generated with Claude Code