feat(release): crates.io trusted publishing + toolchain SBOM (Phases 4+6)

[avrabe]

Summary

Closes Phases 4 (crates.io trusted publishing) and 6 (toolchain SBOM auto-emit) of synth's release roadmap, defined in docs/release-process.md. Together with PR #135 (Phase 5, sigil ELF signing) this completes the supply-chain evidence layers for synth — Phases 1-6 all implemented.

Phase 4 — crates.io trusted publishing

Publish set (11 crates) — synth-cli, synth-core, synth-frontend, synth-synthesis, synth-backend, synth-backend-{awsm,wasker,riscv}, synth-cfg, synth-opt, synth-verify.

publish = false (6 crates, kept private) — synth-analysis, synth-abi, synth-memory, synth-qemu, synth-test, synth-wit. None are on synth-cli's transitive face; promotion later is a one-line change.

Metadata — every publishable Cargo.toml has description, license, repository (already present), plus newly-added homepage.workspace, keywords.workspace, categories.workspace. Internal path = "..." deps on publishable crates now carry version = "0.6.0" so cargo publish rewrites to crates.io coordinates.

Versioning — workspace version bumped 0.1.0 → 0.6.0 (also MODULE.bazel). Convention going forward: bump pre-tag in lockstep with the release tag; the new workflow refuses to run if they disagree.

Workflow — .github/workflows/publish-to-crates-io.yml triggers on v* tag (parallel to release.yml); if: github.repository == 'pulseengine/synth'; permissions: id-token: write; uses rust-lang/crates-io-auth-action@v1 for OIDC. Dependency-order walk lives in scripts/publish.rs (rustc-compiled at workflow start, mirrors sigil's pattern) with a 10-attempt × 40s retry loop for index propagation. Injection-safe: inputs.tag bound via env: INPUT_TAG, dereferenced as $INPUT_TAG in shell.

Phase 6 — toolchain SBOM in release pipeline

Added two steps to the create-release job in .github/workflows/release.yml:

• cargo install --locked cargo-cyclonedx
• cargo cyclonedx --format json --spec-version 1.5 -p synth-cli → renamed to synth-v<VERSION>.cdx.json in release assets

Emitted before SHA256SUMS.txt, so its digest is in the manifest and the existing cosign keyless signature over SHA256SUMS.txt transitively covers it — no new signing step.

This is the complement to the per-compilation SBOM (synth compile --sbom, PR #129): that one documents what synth compiles; this one documents what synth is. Comparison table in docs/sbom.md.

Honest blocker — needs the maintainer (verified clean-room)

Per-crate trusted-publisher registration on crates.io. For each of the 11 publishable crates, the repo owner must visit https://crates.io/crates/<NAME>/settings → Trusted Publishing and register pulseengine/synth with workflow filename publish-to-crates-io.yml. For brand-new crates not yet on crates.io, a manual first publish is needed before the registration page exists. Documented in docs/release-process.md § "Phase 4 — user-side setup".

cargo publish --dry-run was blocked in the agent's sandbox; the workflow's ./publish verify step runs the full dry-run gate before any real publish.

Clean-room verification

A clean-room subagent independently verified the report: 15 of 16 claims CONFIRMED with file:line citations (including the publish set, the publish = false set, the workspace version bump, MODULE.bazel diff, per-crate metadata, path-dep versions, workflow injection-safety, scripts/publish.rs shape, SBOM-before-SHA256SUMS ordering, docs updates, both YAMLs parse, blocker documented). 1 CANNOT-VERIFY (historical CI run — structurally unverifiable).

Test plan

• CI green
• First v* tag push after this lands: watch the new Publish to crates.io workflow — will likely need workflow_dispatch re-runs as each crate is registered
• First release SBOM appears as synth-v0.6.0.cdx.json in the release assets

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!