chore: release workflow resolves #60

[devjow]

Summary by CodeRabbit

• Chores
  • Hardened CI by pinning external workflow actions to fixed revisions.
  • Added dependency security and license compliance configuration to enforce advisories, license policies, and version checks.
• New Features
  • Added an automated release workflow that validates version tags, builds cross-platform binaries, packages artifacts with checksums, creates GitHub releases, and publishes crates with retries and verification.

[coderabbitai]

📝 Walkthrough

Walkthrough

Pins GitHub Actions steps to exact commit hashes across CI, adds a tag-triggered release workflow that validates, builds, releases, and publishes crates, and introduces a cargo-deny configuration for dependency and license policy checks.

Changes

Cohort / File(s)	Summary
CI Action Pinning .github/workflows/ci.yml	Replaces generic action refs (e.g., @v4, @stable, @v2) with specific commit-hash pinned refs across checkout, toolchain, caching, sccache, codecov/upload, setup-python, and similar steps in multiple jobs.
Release Workflow .github/workflows/release.yml	Adds a new release workflow (trigger: vX.Y.Z tags) with jobs: validate (tag/manifest checks, cargo-deny), build-binaries (matrix builds, cross-builds, packaging), github-release (assembly, checksums, release creation), and publish-crates (ordered publish with retries and visibility checks).
Dependency Policy deny.toml	Adds a cargo-deny configuration: advisories, license allowlist, multiple-version handling, source policies, and scaffolds for per-crate exceptions and registry/git allowances.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Dev (tag push)
    participant GHA as GitHub Actions
    participant Build as Build/Toolchain
    participant Artifacts as Artifact Storage
    participant GitHub as GitHub Releases
    participant Crates as crates.io API

    Dev->>GHA: Push tag (vX.Y.Z)
    GHA->>GHA: validate: check tag format, manifest versions, run cargo-deny
    GHA->>Build: build-binaries matrix (native & cross)
    Build->>Build: run smoke tests and package artifacts
    Build-->>Artifacts: upload artifacts per target
    GHA->>GHA: github-release: collect artifacts, generate checksums, source archives
    GHA->>GitHub: create release and attach artifacts
    GHA->>Crates: publish-crates: dry-run then publish in dependency order with retries
    Crates-->>GHA: confirm publish and visibility checks

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• Artifizer

Poem

🐰 I hopped through YAML, pins in paw,

Tags checked twice, no format flaw,
Builds that dance across each gate,
Binaries bundled — ship and wait,
Crates parade — release, then celebrate! 🎉

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: release workflow resolves #60' clearly describes the main change: adding a release workflow. It is concise and directly relates to the substantial additions in .github/workflows/release.yml, deny.toml, and CI hardening.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 92-99: The current awk used to populate MATCHES captures the first
quoted string on a line, so inline entries like `path = "gts", version =
"1.2.3"` return the path instead of the version; update the awk expression
inside the for-loop that sets MATCHES to explicitly extract the value after the
`version` key (e.g., match the pattern `version\s*=\s*"([^"]+)"`) rather than
the first quoted string. Locate the awk block that runs between the workspace
marker checks (the code that assigns MATCHES) and replace the generic match($0,
/"([^"]+)"/, a) with a version-specific regex or gensub targeting `version=...`
so only the version string is printed. Ensure behavior for multi-line specs (the
existing found/ in_wsdeps logic) remains unchanged.
- Around line 158-165: The workflow uses an invalid runner label "macos-13" for
the x86_64-apple-darwin job; update the runner value to a supported Intel macOS
label (e.g., replace runner: macos-13 with runner: macos-15-intel or runner:
macos-14-large) for the x86_64-apple-darwin entry (the block containing target:
x86_64-apple-darwin, archive_ext: tar.gz, binary_name: gts, expected_arch:
x86_64), and ensure the aarch64-apple-darwin block uses an appropriate ARM
runner label (e.g., runner: macos-15) and adjust the inline verification comment
(the "verify with 'uname -m' ..." comment) if necessary to match the chosen
runner semantics.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd8ed5b and 69b96d9.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• deny.toml

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

deny.toml (1)

125-128: Consider hardening unknown-registry and unknown-git to "deny".

Using "warn" means an unapproved registry or git source won't block the build — a dependency quietly pulled from an untrusted source would pass the policy check with only a log line. For a release gate, "deny" gives a stronger supply-chain guarantee.

🛡️ Proposed hardening

-unknown-registry = "warn"
-unknown-git = "warn"
+unknown-registry = "deny"
+unknown-git = "deny"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deny.toml` around lines 125 - 128, Update the deny policy entries for unknown
sources by changing the values of unknown-registry and unknown-git from "warn"
to "deny" in the deny.toml so that unapproved registries and git sources are
blocked; locate the keys unknown-registry and unknown-git and replace their
assigned strings with "deny", then re-run the policy validation or CI that uses
deny.toml to confirm the stricter policy is applied.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 117-119: The workflow writes an empty rust-version when Cargo.toml
lacks that field; after computing RUST_VER from Cargo.toml (the RUST_VER
variable in the diff) add a guard to detect an empty value and set a safe
default (e.g., RUST_VER="${EXPECTED}" or "stable") or skip writing rust-version
entirely, then write the non-empty RUST_VER to GITHUB_OUTPUT; update the block
that echoes "rust-version=${RUST_VER}" so the action never receives an empty
rust-version.

In `@deny.toml`:
- Line 29: The deny configuration contains the obsolete setting unmaintained =
"workspace" which is rejected by the pinned cargo-deny 0.16.1; either remove
that line so the default (stricter) behavior applies, or update the cargo-deny
pin to >= 0.18.2 so the unmaintained = "workspace" scope is supported—locate the
unmaintained = "workspace" entry and either delete it or change the project's
cargo-deny version constraint to 0.18.2 or newer.

---

Nitpick comments:
In `@deny.toml`:
- Around line 125-128: Update the deny policy entries for unknown sources by
changing the values of unknown-registry and unknown-git from "warn" to "deny" in
the deny.toml so that unapproved registries and git sources are blocked; locate
the keys unknown-registry and unknown-git and replace their assigned strings
with "deny", then re-run the policy validation or CI that uses deny.toml to
confirm the stricter policy is applied.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 69b96d9 and 8de38d5.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• deny.toml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/ci.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 157-159: CI step currently installs a floating cargo-deny version
(tool: cargo-deny) which can diverge from the pinned release version; update the
workflow to pin the same cargo-deny release used in release gates by changing
the tool input to include the version (e.g. replace tool: cargo-deny with tool:
cargo-deny@0.16.1) so the taiki-e/install-action call installs the exact 0.16.1
binary and yields consistent deny.toml checks.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8de38d5 and aad1b74.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• deny.toml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n 'tool:\s*cargo-deny' .github/workflows/ci.yml .github/workflows/release.yml

Repository: GlobalTypeSystem/gts-rust

Length of output: 230

---

Pin cargo-deny version in CI to match release workflow.

This job uses a floating cargo-deny version, while release intentionally pins to cargo-deny@0.16.1. Running different versions against the same deny.toml can produce inconsistent security and licensing check results between CI and release gates.

🔧 Proposed fix

       - name: Install cargo-deny
         uses: taiki-e/install-action@30eab0fabba9ea3f522099957e668b21876aa39e # v2.66.6
         with:
-          tool: cargo-deny
+          tool: cargo-deny@0.16.1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	uses: taiki-e/install-action@30eab0fabba9ea3f522099957e668b21876aa39e # v2.66.6
	with:
	tool: cargo-deny
	uses: taiki-e/install-action@30eab0fabba9ea3f522099957e668b21876aa39e # v2.66.6
	with:
	tool: cargo-deny@0.16.1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 157 - 159, CI step currently installs
a floating cargo-deny version (tool: cargo-deny) which can diverge from the
pinned release version; update the workflow to pin the same cargo-deny release
used in release gates by changing the tool input to include the version (e.g.
replace tool: cargo-deny with tool: cargo-deny@0.16.1) so the
taiki-e/install-action call installs the exact 0.16.1 binary and yields
consistent deny.toml checks.