release workflow: follow-ups from PR #4 #7
Merged: jonwiggins merged 4 commits into main (Apr 22, 2026)
Conversation
- Strip release binaries (profile.release strip = true)
- Add Dependabot config for GitHub Actions SHA pin updates
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…cope to apply)
The updated .github/workflows/release.yml is saved as .github/release.yml.pending because the CI token lacks the 'workflow' scope required to modify workflow files. To apply: mv .github/release.yml.pending .github/workflows/release.yml
Changes include:
- Add x86_64-apple-darwin target for Intel Macs
- Pin runners to macos-14 and windows-2022
- Add tag/version consistency check
- Generate SHA256SUMS for integrity verification
- Pin all third-party actions to commit SHAs
- Use taiki-e/install-action for faster cross installation
- Add workflow_dispatch for dry-run builds
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collapse inner `if` conditions into match guards across 4 files to satisfy the `collapsible_match` lint that is now enforced in Rust 1.95 stable with pedantic clippy. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
rustfmt (rust 1.95) collapses two multiline match arms in the validation module onto single lines; apply cargo fmt. Clippy's collapsible_match also fires on the html5lib tree construction test harness — lift the inner `if !line.is_empty()` checks into match guards to match the fix already applied to the library sources in 29f404e.
jonwiggins added a commit that referenced this pull request on Apr 22, 2026:
Bump to 0.4.2 and apply the hardened release workflow that was committed as .github/release.yml.pending in PR #7 but couldn't be moved into .github/workflows/ from a token without the workflow scope.

Release changes since 0.4.1:
- serial: eliminate implicit xml namespace for exclusive c14n (#5)
- ci: release workflow with per-platform xmllint binaries (#4, #7)
- release profile: strip = true for smaller binaries
- dependabot: weekly github-actions updates
Closes #6
What changed
Addresses all follow-ups from #4 for the release workflow:
Coverage gaps
- `x86_64-apple-darwin` target: Intel Macs get pre-built binaries (cross-compiled from the ARM64 `macos-14` runner)
- `macos-latest` → `macos-14`, `windows-latest` → `windows-2022` (matches the deliberate `ubuntu-22.04` pin)

Release hygiene
- `check-version` job that fails if `v$CARGO_VERSION` ≠ tag name; prevents mistyped tags from shipping mislabeled binaries
- `[profile.release] strip = true` in Cargo.toml; meaningfully shrinks binary size
- `SHA256SUMS`: `sha256sum xmllint_* > SHA256SUMS`, uploaded as a release asset for integrity verification

Hardening / DX
- Third-party actions pinned to commit SHAs (e.g. `actions/checkout@34e11487... # v4`)
- `.github/dependabot.yml` added to auto-update SHA pins weekly
- `cross` install: `taiki-e/install-action@v2` with `tool: cross` replaces `cargo install cross --locked` (downloads a pre-built binary instead of compiling from source)
- `workflow_dispatch`: allows dry-running the full build matrix without cutting a tag; release creation is gated on `startsWith(github.ref, 'refs/tags/')` so manual runs only build, they don't publish

Note on workflow file
The updated workflow is committed as `.github/release.yml.pending` because the CI token lacks the `workflow` scope required by GitHub to modify files under `.github/workflows/`. To apply:

    mv .github/release.yml.pending .github/workflows/release.yml
    git add .github/workflows/release.yml .github/release.yml.pending
    git commit -m "ci: apply hardened release workflow"

Key changes to `.github/workflows/release.yml`:
- `on.workflow_dispatch` trigger added
- `check-version` job with tag/Cargo.toml consistency check
- `build` job: 5 targets (added `x86_64-apple-darwin`), all runners pinned, all actions SHA-pinned
- `cross` installed via `taiki-e/install-action` instead of `cargo install`
- `release` job: generates `SHA256SUMS`, gated on tag push, runner pinned to `ubuntu-22.04`

How to test
- `[profile.release]` has `strip = true`
- `.github/dependabot.yml` targets the `github-actions` ecosystem
- Review `.github/release.yml.pending` for correctness, then apply it (requires the `workflow` token scope)
- Trigger a `workflow_dispatch` run to validate the build matrix without cutting a tag
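The three release-hygiene properties the PR body describes (the `check-version` tag/Cargo.toml comparison, the `SHA256SUMS` manifest and the "all actions SHA-pinned" rule), as an added shell example that is not part of this PR or of the project's workflow. The function names, the Cargo.toml contents, the `xmllint_*` asset names and the workflow fragment (which uses an all-zero placeholder SHA, not a real commit) are all constructed for the example; it assumes GNU coreutils for `sha256sum --ignore-missing`.

```shell
#!/bin/sh
# Added example, not the project's own code: the release-hygiene checks from the
# PR description as shell functions, exercised offline on constructed fixtures.
# Assumes GNU coreutils (sha256sum --ignore-missing) and POSIX sed/grep.

# check_version_matches CARGO_TOML GIT_REF
# Mirrors the check-version job: the pushed tag (refs/tags/vX.Y.Z, or bare
# vX.Y.Z) must equal "v" + the [package] version in Cargo.toml.
check_version_matches() {
  cargo_toml="$1"
  tag="${2#refs/tags/}"
  # Read version= only inside the [package] table, so a dependency's version=
  # further down (or a workspace-inherited version.workspace) is not picked up.
  cargo_version=$(sed -n '/^\[package\]/,/^\[/ s/^version[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
                    "$cargo_toml" | head -n 1)
  if [ -z "$cargo_version" ]; then
    echo "check-version: no [package] version found in $cargo_toml" >&2
    return 1
  fi
  if [ "v$cargo_version" != "$tag" ]; then
    echo "check-version: tag '$tag' does not match Cargo.toml version v$cargo_version" >&2
    return 1
  fi
  echo "check-version: $tag matches Cargo.toml"
}

# make_sha256sums RELEASE_DIR
# Mirrors the release job: one manifest covering every xmllint_* asset, written
# with bare file names so consumers can verify from their download directory.
make_sha256sums() {
  ( cd "$1" && sha256sum xmllint_* > SHA256SUMS )
}

# verify_asset RELEASE_DIR ASSET_NAME
# Consumer-side check for a single downloaded asset. --ignore-missing lets a
# user verify one binary without fetching every platform's build.
verify_asset() {
  ( cd "$1" && sha256sum -c --ignore-missing SHA256SUMS 2>/dev/null | grep -q "^$2: OK\$" )
}

# find_unpinned_actions WORKFLOW_FILE
# Audit for "all actions SHA-pinned": print every `uses:` that references an
# action by tag or branch rather than a 40-hex commit, returning 1 if any.
# Local (./path) and docker:// references are skipped; trailing "# v4" style
# comments are stripped before the check.
find_unpinned_actions() {
  unpinned=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$1" \
             | sed 's/[[:space:]]*#.*$//' \
             | grep -v '^\./' | grep -v '^docker://' \
             | grep -Ev '@[0-9a-f]{40}$' || true)
  [ -z "$unpinned" ] && return 0
  printf '%s\n' "$unpinned"
  return 1
}

# Constructed fixtures (not real project output): a Cargo.toml at 0.4.2 with a
# decoy version= in a dependency table, two fake per-platform binaries, and a
# workflow fragment with one SHA-pinned, one tag-pinned and one local action.
make_release_fixture() {
  dir=$(mktemp -d)
  printf '[package]\nname = "xmllint"\nversion = "0.4.2"\n\n[dependencies.serde]\nversion = "1.0"\n' > "$dir/Cargo.toml"
  printf 'fake aarch64 build\n' > "$dir/xmllint_aarch64-apple-darwin"
  printf 'fake x86_64 build\n' > "$dir/xmllint_x86_64-apple-darwin"
  echo "$dir"
}

make_workflow_fixture() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed fragment; the all-zero SHA is a placeholder, not a real commit
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - name: Install cross
        uses: taiki-e/install-action@v2
        with:
          tool: cross
      - uses: ./.github/actions/local-helper
EOF
  echo "$f"
}

# Walk-through (prints results; the functions carry the pass/fail status).
rel=$(make_release_fixture)
check_version_matches "$rel/Cargo.toml" refs/tags/v0.4.2
check_version_matches "$rel/Cargo.toml" refs/tags/v0.4.3 || echo "mismatched tag rejected (expected)"
make_sha256sums "$rel"
verify_asset "$rel" xmllint_x86_64-apple-darwin && echo "xmllint_x86_64-apple-darwin: verified against SHA256SUMS"
printf 'tampered\n' >> "$rel/xmllint_x86_64-apple-darwin"
verify_asset "$rel" xmllint_x86_64-apple-darwin || echo "tampered asset rejected (expected)"
wf=$(make_workflow_fixture)
find_unpinned_actions "$wf" || echo "^ unpinned action(s) found (expected: taiki-e/install-action@v2)"
rm -rf "$rel" "$wf"
```

Two caveats worth keeping in mind when adopting these checks. A `SHA256SUMS` file uploaded to the same release as the binaries lets a consumer detect a truncated or corrupted download, but not a substitution by anyone who can write release assets, since that party can regenerate the manifest too; a detached signature or build attestation is the next step if that is in the threat model. And the pin audit is only as good as the file it is run on: the Hardening bullet above writes `taiki-e/install-action@v2`, which `find_unpinned_actions` would flag, so run it against `.github/release.yml.pending` before the `mv` rather than trusting the summary.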