fix(ci): skip optional publish paths without credentials

[skulidropek]

Summary

• keeps issue #347 Rust browser module CI green when optional crates.io tokens are absent
• skips GitHub Pages deployment when repository Pages is not enabled
• preserves cargo fmt/check/test/clippy proof locally

Verification

• cargo fmt --all -- --check
• cargo check --all-features
• cargo test --all-features
• cargo clippy --all-targets --all-features -- -D warnings

Relates to ProverCoderAI/docker-git#347.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Improvements
  • Release workflow now conditionally publishes based on credential availability, with a warning step if credentials are missing.
  • GitHub Release creation is now conditional on successful crate publication.
  • Documentation deployment includes a prerequisite check for GitHub Pages configuration before proceeding.

Walkthrough

The release workflow now adds conditional checks before publishing artifacts. Crates.io publish steps in both release jobs require credential presence, GitHub Release creation depends on successful crate publication, and documentation deployment checks GitHub Pages availability before proceeding with the build and upload sequence.

Changes

Release Workflow Publishing Gates

Layer / File(s)	Summary
Auto-release Crates.io credential gating .github/workflows/release.yml (lines 354–431)	Crates.io publish is now guarded by CARGO_REGISTRY_TOKEN or CARGO_TOKEN; a warning step runs if the token is absent. GitHub Release creation is updated to depend on successful crate publication.
Manual-release Crates.io credential gating .github/workflows/release.yml (lines 500–577)	Crates.io publish is now guarded by credential presence with a warning fallback step. GitHub Release creation is narrowed to run only when crates publication succeeds or is confirmed as already published.
Deploy-docs GitHub Pages availability check .github/workflows/release.yml (lines 677–707)	A GitHub API check determines whether GitHub Pages is enabled for GitHub Actions. Documentation build, configuration, artifact upload, and deployment steps run only if Pages is available; otherwise they skip with a warning.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With tokens now checked and Pages confirmed,
The workflows grow cautious and well-informed.
Each step gates its turn on what's truly at hand—
A pragmatic dance across CI's vast land! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly summarizes the main change: conditionally skipping optional publish paths when credentials are absent.
Description check	✅ Passed	The description is directly related to the changeset, explaining how CI is kept green when optional credentials are absent and GitHub Pages is not enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/ci-optional-release-credentials

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Line 513: The current GitHub Actions if condition requires
steps.publish-crate.outcome == 'success' which blocks continuing the release
when steps.version.outputs.already_released == 'true' and publishing was
intentionally skipped; update both if expressions referencing
steps.publish-crate.outcome (the ones that combine
steps.version.outputs.version_committed / already_released with
publish-crate.outcome) to allow a skipped publish as well (e.g., treat outcome
'skipped' or non-failure as acceptable) so the release can proceed when
already_released == 'true'.
- Line 698: Replace the mutable action tags with the provided immutable commit
SHAs: change uses: actions/configure-pages@v6 to uses:
actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d and change
uses: actions/upload-pages-artifact@v5 to uses:
actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9; update
every occurrence of the two action references in the workflow so the GitHub
Pages steps use the pinned SHAs instead of the major tags.
- Around line 682-690: The current curl check using `curl -fsS -H
"Authorization: Bearer ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json"
"${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/pages"` masks auth/rate-limit and
other API errors as "disabled"; change it to capture the HTTP status (e.g.,
`curl -sS -o /dev/null -w "%{http_code}" ...`) and branch on the status: if 200
set `enabled=true` to `GITHUB_OUTPUT`, if 404 set `enabled=false` and emit the
existing warning, and for any other status emit an error message with the HTTP
code and fail the job (non-zero exit) so auth/rate-limit/transient problems
aren’t silently skipped; reference the `curl ...
"${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/pages"`, `GITHUB_TOKEN`, and
`GITHUB_OUTPUT` variables when implementing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 23fe41b3-1817-4532-9fee-6727236cbe21

📥 Commits

Reviewing files that changed from the base of the PR and between c5a0b46 and f52f258.

📒 Files selected for processing (1)

• .github/workflows/release.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Manual release gating blocks GitHub Release when crate is already published

Line 577 (and similarly Line 513) requires steps.publish-crate.outcome == 'success'. That prevents release continuation when already_released == 'true' and publish is intentionally skipped (e.g., no token). This diverges from the auto-release path behavior.

Suggested fix

-      - name: Wait for Crate availability on Crates.io
-        if: (steps.version.outputs.version_committed == 'true' || steps.version.outputs.already_released == 'true') && steps.publish-crate.outcome == 'success'
+      - name: Wait for Crate availability on Crates.io
+        if: (steps.version.outputs.version_committed == 'true' || steps.version.outputs.already_released == 'true') && (steps.version.outputs.already_released == 'true' || steps.publish-crate.outcome == 'success')
         run: rust-script scripts/wait-for-crate.rs --release-version "${{ steps.version.outputs.new_version }}"

-      - name: Create GitHub Release
-        if: (steps.version.outputs.version_committed == 'true' || steps.version.outputs.already_released == 'true') && steps.publish-crate.outcome == 'success'
+      - name: Create GitHub Release
+        if: (steps.version.outputs.version_committed == 'true' || steps.version.outputs.already_released == 'true') && (steps.version.outputs.already_released == 'true' || steps.publish-crate.outcome == 'success')

Also applies to: 577-577

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 513, The current GitHub Actions if
condition requires steps.publish-crate.outcome == 'success' which blocks
continuing the release when steps.version.outputs.already_released == 'true' and
publishing was intentionally skipped; update both if expressions referencing
steps.publish-crate.outcome (the ones that combine
steps.version.outputs.version_committed / already_released with
publish-crate.outcome) to allow a skipped publish as well (e.g., treat outcome
'skipped' or non-failure as acceptable) so the release can proceed when
already_released == 'true'.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pages check currently masks non-404 API failures as “disabled”

Line 682’s curl -fsS path collapses auth/rate-limit/transient API errors into a soft skip. That can silently suppress docs deployment on real failures.

Suggested fix

       - name: Check GitHub Pages configuration
         id: pages
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
-          if curl -fsS \
-            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
-            -H "Accept: application/vnd.github+json" \
-            "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/pages" >/dev/null; then
-            echo "enabled=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "enabled=false" >> "$GITHUB_OUTPUT"
-            echo "::warning::Skipping docs deploy because GitHub Pages is not enabled for GitHub Actions"
-          fi
+          status="$(curl -sS -o /dev/null -w "%{http_code}" \
+            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+            -H "Accept: application/vnd.github+json" \
+            "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/pages")"
+          if [ "$status" = "200" ]; then
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+          elif [ "$status" = "404" ]; then
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+            echo "::warning::Skipping docs deploy because GitHub Pages is not enabled for GitHub Actions"
+          else
+            echo "::error::Failed to verify GitHub Pages configuration (HTTP $status)"
+            exit 1
+          fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 682 - 690, The current curl check
using `curl -fsS -H "Authorization: Bearer ${GITHUB_TOKEN}" -H "Accept:
application/vnd.github+json"
"${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/pages"` masks auth/rate-limit and
other API errors as "disabled"; change it to capture the HTTP status (e.g.,
`curl -sS -o /dev/null -w "%{http_code}" ...`) and branch on the status: if 200
set `enabled=true` to `GITHUB_OUTPUT`, if 404 set `enabled=false` and emit the
existing warning, and for any other status emit an error message with the HTTP
code and fail the job (non-zero exit) so auth/rate-limit/transient problems
aren’t silently skipped; reference the `curl ...
"${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/pages"`, `GITHUB_TOKEN`, and
`GITHUB_OUTPUT` variables when implementing.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: resolve current SHAs behind the tags so you can pin them.
set -euo pipefail

for repo_tag in \
  "actions/configure-pages v6" \
  "actions/upload-pages-artifact v5"
do
  repo="${repo_tag% *}"
  tag="${repo_tag#* }"
  sha="$(gh api "repos/${repo}/git/ref/tags/${tag}" --jq '.object.sha')"
  echo "${repo}@${tag} -> ${sha}"
done

Repository: ProverCoderAI/rust-browser-connection

Length of output: 229

---

Pin GitHub Pages GitHub Actions to immutable commit SHAs (supply-chain integrity)

In .github/workflows/release.yml, mutable major tags are used:

• actions/configure-pages@v6 → 45bfe0192ca1faeb007ade9deae92b16b8254a0d
• actions/upload-pages-artifact@v5 → fc324d3547104276b827a68afc52ff2a11cc49c9

Replace:

uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d
uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9

🧰 Tools

🪛 zizmor (1.25.2)

[error] 698-698: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 698, Replace the mutable action tags
with the provided immutable commit SHAs: change uses: actions/configure-pages@v6
to uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d and
change uses: actions/upload-pages-artifact@v5 to uses:
actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9; update
every occurrence of the two action references in the workflow so the GitHub
Pages steps use the pinned SHAs instead of the major tags.