18 changes: 15 additions & 3 deletions .github/workflows/release.yml
@@ -323,31 +323,43 @@ jobs:
- name: Configure git
run: rust-script scripts/git-config.rs

- name: Resolve Crates.io publish credentials
id: release-token
run: |
if [ -n "$CARGO_REGISTRY_TOKEN" ] || [ -n "$CARGO_TOKEN" ]; then
echo "enabled=true" >> "$GITHUB_OUTPUT"
else
echo "enabled=false" >> "$GITHUB_OUTPUT"
echo "::warning::Skipping automatic release because neither CARGO_REGISTRY_TOKEN nor CARGO_TOKEN is configured"
fi

- name: Determine bump type from changelog fragments
id: bump_type
if: steps.release-token.outputs.enabled == 'true'
run: rust-script scripts/get-bump-type.rs

- name: Check if version already released or no fragments
id: check
if: steps.release-token.outputs.enabled == 'true'
env:
HAS_FRAGMENTS: ${{ steps.bump_type.outputs.has_fragments }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: rust-script scripts/check-release-needed.rs

- name: Collect changelog and bump version
id: version
if: steps.check.outputs.should_release == 'true' && steps.check.outputs.skip_bump != 'true'
if: steps.release-token.outputs.enabled == 'true' && steps.check.outputs.should_release == 'true' && steps.check.outputs.skip_bump != 'true'
run: |
rust-script scripts/version-and-commit.rs \
--bump-type "${{ steps.bump_type.outputs.bump_type }}"

- name: Get current version
id: current_version
if: steps.check.outputs.should_release == 'true'
if: steps.release-token.outputs.enabled == 'true' && steps.check.outputs.should_release == 'true'
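Review bot: the `run:` block at new line 354 (`--bump-type "${{ steps.bump_type.outputs.bump_type }}"`) splices a step output directly into the shell script, which is the template-expansion pattern zizmor reports on this PR; declare it under `env:` (for example `BUMP_TYPE: ${{ steps.bump_type.outputs.bump_type }}`) and reference `"$BUMP_TYPE"` in the command so the value reaches the script as data rather than as command text. Separately, the new `Resolve Crates.io publish credentials` step tests `$CARGO_REGISTRY_TOKEN` and `$CARGO_TOKEN`, but no `env:` mapping for either is visible in this hunk; unless both are exported at job or workflow level, `enabled` is always `false` and every release is skipped with nothing but a `::warning::`, so confirm where they are set or add the mapping to the step.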
Comment on lines +338 to +358

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't gate the read-only release-state checks on the cargo token.

check-release-needed is what populates should_release / skip_bump, and that script only does public crates.io reads. With these guards, a version that is already on crates.io cannot recover missing GitHub Release or Docker artifacts when the cargo token is absent, because steps.check never runs and the rest of the completion path stays skipped. Keep the token gate on the mutating bump/publish steps, but let the state-detection steps continue to run.

Suggested workflow adjustment
       - name: Determine bump type from changelog fragments
         id: bump_type
-        if: steps.release-token.outputs.enabled == 'true'
         run: rust-script scripts/get-bump-type.rs

       - name: Check if version already released or no fragments
         id: check
-        if: steps.release-token.outputs.enabled == 'true'
         env:
           HAS_FRAGMENTS: ${{ steps.bump_type.outputs.has_fragments }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: rust-script scripts/check-release-needed.rs

       - name: Collect changelog and bump version
         id: version
         if: steps.release-token.outputs.enabled == 'true' && steps.check.outputs.should_release == 'true' && steps.check.outputs.skip_bump != 'true'
         run: |
           rust-script scripts/version-and-commit.rs \
             --bump-type "${{ steps.bump_type.outputs.bump_type }}"

       - name: Get current version
         id: current_version
-        if: steps.release-token.outputs.enabled == 'true' && steps.check.outputs.should_release == 'true'
+        if: steps.check.outputs.should_release == 'true'
         run: rust-script scripts/get-version.rs
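Review bot: the suggested diff also drops the gate from the `bump_type` step (`-        if: steps.release-token.outputs.enabled == 'true'` directly under `id: bump_type`), while the agent prompt further down names only the `check` and `current_version` steps; the two should agree, and since `get-bump-type.rs` is likewise a read-only fragment scan, adding `bump_type` to the prompt is the simpler fix. The suggestion also keeps `--bump-type "${{ steps.bump_type.outputs.bump_type }}"` expanded inline in `run:`, which is the line the zizmor finding below points at, so moving that value into `env:` could be folded into the same change.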

Also applies to: 362-362

🧰 Tools
🪛 zizmor (1.25.2)

[info] 354-354: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 338 - 358, Remove the cargo-token
gate from read-only state-detection steps so they always run; specifically,
delete the conditional "if: steps.release-token.outputs.enabled == 'true'" from
the step with id "check" (name "Check if version already released or no
fragments") and from the step with id "current_version" (name "Get current
version"), leaving the token-gated condition only on mutating steps like the
step with id "version" (name "Collect changelog and bump version") so that
check-release-needed (scripts/check-release-needed.rs) can populate
should_release and skip_bump even when the cargo token is absent.
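The zizmor finding above concerns an `${{ }}` expression expanded inside a `run:` script. As an added illustration, not code from this repository or from the reviewing bot, the step below is shown first in the flagged form taken from the hunk and then in the form that routes the value through `env:`; the step names mirror the hunk, and the `BUMP_TYPE` variable name is an assumption.

```yaml
# Added example, not part of the PR. The first step reproduces the pattern
# zizmor reports as template-injection: the runner expands the expression
# before the shell ever parses the script, so whatever the step output
# contains becomes part of the command text itself.
- name: Collect changelog and bump version (flagged form)
  run: |
    rust-script scripts/version-and-commit.rs \
      --bump-type "${{ steps.bump_type.outputs.bump_type }}"

# Hardened form: the runner places the value in an environment variable and
# the shell reads it at run time as ordinary data, so shell metacharacters in
# the output cannot change the command that is executed. BUMP_TYPE is an
# assumed name, not one used by the workflow.
- name: Collect changelog and bump version (hardened form)
  env:
    BUMP_TYPE: ${{ steps.bump_type.outputs.bump_type }}
  run: |
    rust-script scripts/version-and-commit.rs \
      --bump-type "$BUMP_TYPE"
```

Whether the fragment-derived output can actually carry hostile content depends on who is able to add changelog fragments to the repository; the `env:` indirection removes the question entirely and costs nothing, which is why the linter reports the pattern regardless of the output's provenance.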

run: rust-script scripts/get-version.rs

- name: Build release
if: steps.check.outputs.should_release == 'true'
if: steps.release-token.outputs.enabled == 'true' && steps.check.outputs.should_release == 'true'
run: cargo build --release

- name: Publish to Crates.io
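Review bot: the compound condition `steps.release-token.outputs.enabled == 'true' && steps.check.outputs.should_release == 'true'` is now repeated verbatim on `version`, `current_version` and `Build release`, with the `Publish to Crates.io` step cut off below; compute it once (for example as an additional output of the `check` step, or a single `should_publish` output alongside `should_release`) and have each step test that, so the gates cannot drift as steps are added. Note too that `Build release` only runs `cargo build --release` and publishes nothing, so tying it to the cargo token means a token-less run also produces no binary for the downstream artifacts, which is the recovery case the earlier comment's "Also applies to: 362-362" points at.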