Problem
CI/CD has the basics in place, but production-facing release automation should be stricter about lockfiles, release provenance, stale-run cancellation, package validation, and dependency update hygiene.
Acceptance criteria
- CI uses locked Cargo operations and verifies the lockfile.
- PR concurrency cancels stale runs without cancelling main or release runs.
- Release publishing verifies tag provenance, package contents, tests, and dry-run before publishing.
- Dependabot is configured for GitHub Actions and Cargo updates.
- Local package validation mirrors release packaging enough to catch errors before Actions are queued.
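
One way the first two criteria could look in a workflow file. This is an added example, not configuration from this repository; the file path, workflow name, job name and the `v*` tag pattern are assumptions.

```yaml
# Hypothetical .github/workflows/ci.yml (path, names and tag pattern are assumptions)
name: ci

on:
  pull_request:
  push:
    branches: [main]
    tags: ["v*"]

permissions:
  contents: read

concurrency:
  # Pull request runs share one group per PR number; push runs (main, tags)
  # fall back to a group per ref.
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  # Only a superseded pull request run is cancelled. Runs triggered by a push
  # to main or by a release tag are queued and always run to completion.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # --locked makes Cargo fail if Cargo.lock is missing or would need to
      # change, so a stale lockfile is caught before anything is built.
      - name: Verify lockfile
        run: cargo metadata --locked --format-version 1 > /dev/null
      - name: Test with locked dependencies
        run: cargo test --locked --all-targets
      # List the files that would go into the published .crate archive.
      - name: Show package contents
        run: cargo package --locked --list
      # Build and verify the package exactly as a publish would, without uploading.
      - name: Publish dry run
        run: cargo publish --dry-run --locked
```

The four `cargo` commands can be run unchanged on a developer machine, which is one way to satisfy the local package validation criterion.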