Re-port release workflow changes

featherbread · featherbread · commit 40fabb357de5 · 2025-02-21T19:24:28.000-08:00
Now, I have a better mechanism to test the workflow. I've also finally
set up a GPG key and added it as a secret to the repo, so we can test
signing.
diff --git a/.github/workflows/build-release-archives.yml b/.github/workflows/build-release-archives.yml
@@ -7,6 +7,7 @@ on:
 
 env:
   CARGO_TERM_COLOR: always
+  CARGO_ABOUT_VERSION: '0.6.6'
 
 jobs:
   build-doc:
@@ -16,10 +17,10 @@ jobs:
       uses: actions/checkout@v4
     - name: Install cargo-about
       run: |
-        version=0.6.6
-        slug=cargo-about-$version-x86_64-unknown-linux-musl
-        wget https://github.com/EmbarkStudios/cargo-about/releases/download/$version/$slug.tar.gz
-        tar -xvf $slug.tar.gz --strip-components=1 $slug/cargo-about
+        version="$CARGO_ABOUT_VERSION"
+        slug="cargo-about-$version-x86_64-unknown-linux-musl"
+        wget "https://github.com/EmbarkStudios/cargo-about/releases/download/$version/$slug.tar.gz"
+        tar -xvf "$slug.tar.gz" --strip-components=1 $slug/cargo-about
         mv cargo-about "$HOME/.cargo/bin/"
     - name: Generate LICENSES.html
       run: make doc/LICENSES.html
diff --git a/.github/workflows/deep-tests.yml b/.github/workflows/deep-tests.yml
@@ -8,6 +8,7 @@ on:
 env:
   CARGO_TERM_COLOR: always
   CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse
+  NEXTEST_VERSION: '0.9'
 
 jobs:
   cargo-publish-dry-run:
@@ -24,12 +25,31 @@ jobs:
     - name: Try Publishing
       run: cargo publish --dry-run
 
+  read-msrv:
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Read MSRV
+      id: read-msrv
+      run: |
+        msrv="$(cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].rust_version')"
+        echo "msrv=$msrv" >> "$GITHUB_OUTPUT"
+    outputs:
+      msrv: ${{ steps.read-msrv.outputs.msrv }}
+
   stable-msrv-test:
+    needs: read-msrv
     strategy:
       fail-fast: false
       matrix:
-        runner: [ubuntu-24.04, macos-14, windows-2022]
-        toolchain: [stable, '1.70.0']
+        runner:
+        - ubuntu-24.04
+        - macos-14
+        - windows-2022
+        toolchain:
+        - stable
+        - ${{ needs.read-msrv.outputs.msrv }}
     runs-on: ${{ matrix.runner }}
     steps:
     - name: Checkout
@@ -57,6 +77,6 @@ jobs:
         rustup default nightly
         rustc --version
     - name: Download Nextest
-      run: curl -LsSf https://get.nexte.st/0.9/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin
+      run: curl -LsSf "https://get.nexte.st/$NEXTEST_VERSION/linux" | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin
     - name: Test in Miri
       run: cargo miri nextest run -j num-cpus
diff --git a/.github/workflows/main-tests.yml b/.github/workflows/main-tests.yml
@@ -35,9 +35,10 @@ jobs:
       uses: actions/checkout@v4
     - name: Download Toolchain
       run: |
+        msrv="$(cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].rust_version')"
         rustup set profile minimal
-        rustup toolchain install 1.70.0
-        rustup default 1.70.0
+        rustup toolchain install "$msrv"
+        rustup default "$msrv"
         rustc --version
     - name: Check
       run: cargo check
diff --git a/.github/workflows/release-process.yml b/.github/workflows/release-process.yml
@@ -3,7 +3,9 @@ name: Release Process
 
 on:
   push:
-    branches: [start-release]
+    branches:
+    - start-release
+    - check-release
 
 env:
   CARGO_TERM_COLOR: always
@@ -56,76 +58,90 @@ jobs:
     permissions:
       contents: write
 
-  # merge-release:
-  #   needs:
-  #   - check-release-branch
-  #   - run-deep-tests
-  #   - build-archives
-  #   runs-on: ubuntu-24.04
-  #   permissions:
-  #     contents: write
-  #   steps:
-  #   - name: Checkout
-  #     uses: actions/checkout@v4
-  #     with:
-  #       filter: blob:none
-  #       fetch-depth: 0
-  #   - name: Import Signing Key
-  #     run: gpg --batch --import <<< "$GPG_PRIVATE_KEY"
-  #     env:
-  #       GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-  #   - name: Merge Release
-  #     run: |
-  #       set -x
-
-  #       release_branch="${{ needs.check-release-branch.outputs.release_branch }}"
-  #       release_tag="${{ needs.check-release-branch.outputs.release_tag }}"
-  #       gpg_key_id="${{ vars.GPG_KEY_ID }}"
-
-  #       git config --global user.name "github-actions[bot]"
-  #       git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-
-  #       git tag -asu "$gpg_key_id" -m "$release_tag" "$release_tag"
-
-  #       git checkout main
-  #       git merge --ff-only "$release_branch"
-
-  #       git push origin main "$release_tag" :"$release_branch"
-
-  # create-github-release:
-  #   needs:
-  #   - check-release-branch
-  #   - build-archives
-  #   - merge-release
-  #   runs-on: ubuntu-24.04
-  #   permissions:
-  #     contents: write
-  #   steps:
-  #   - name: Download Artifacts
-  #     uses: actions/download-artifact@v4
-  #     with:
-  #       name: release
-  #   - name: List Artifacts
-  #     run: ls -lR
-  #   - name: Create Release
-  #     uses: softprops/action-gh-release@v2
-  #     with:
-  #       tag_name: ${{ needs.check-release-branch.outputs.release_tag }}
-  #       files: |
-  #         xt-*.tar.gz
-  #         SHA256SUMS
-  #       body: >-
-  #         **[See the xt CHANGELOG][changelog] for release information.**
-
-
-  #         Binary releases of xt are available for Linux and macOS as
-  #         attachments to this GitHub Release. They are statically linked (on
-  #         Linux), or link only to the platform's standard libraries (on macOS).
-  #         Before using them, review the [Installation][install] section of the
-  #         xt README. Your platform may support a more robust installation
-  #         mechanism.
-
-
-  #         [changelog]: https://github.com/ahamlinman/xt/blob/main/CHANGELOG.md
-
-  #         [install]: https://github.com/ahamlinman/xt?tab=readme-ov-file#installation
+  merge-release:
+    needs:
+    - check-release-branch
+    - run-deep-tests
+    - build-archives
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    env:
+      RELEASE_BRANCH: ${{ needs.check-release-branch.outputs.release_branch }}
+      RELEASE_TAG: ${{ needs.check-release-branch.outputs.release_tag }}
+      GPG_KEY_ID: ${{ vars.GPG_KEY_ID }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        filter: blob:none
+        fetch-depth: 0
+    - name: Import Signing Key
+      run: gpg --batch --import <<< "$GPG_PRIVATE_KEY"
+      env:
+        GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+    - name: Merge Release
+      run: |
+        set -x
+
+        git config --global user.name "github-actions[bot]"
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+        git tag -asu "$GPG_KEY_ID" -m "$RELEASE_TAG" "$RELEASE_TAG"
+
+        git checkout main
+        git merge --ff-only "$RELEASE_BRANCH"
+
+    # So far, none of the intermediate state of the release should be exposed
+    # outside of the GitHub workflow.
+    #
+    # THIS STEP IS THE POINT OF NO RETURN.
+    # IT IS THE ATOMIC MOMENT AT WHICH THE RELEASE OCCURS AND CANNOT BE REVOKED.
+    #
+    # Any failures after this point MUST be possible to recover from manually.
+    # For example, the GitHub release can be cut by hand using archives uploaded
+    # to the workflow run, and the crate can be published from a local checkout
+    # of the tag.
+    - name: Push Release
+      if: ${{ github.ref == 'refs/heads/start-release' }}
+      run: |
+        git push --atomic origin main "$RELEASE_TAG" :"$RELEASE_BRANCH"
+
+  create-github-release:
+    if: ${{ github.ref == 'refs/heads/start-release' }}
+    needs:
+    - check-release-branch
+    - build-archives
+    - merge-release
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+    - name: Download Artifacts
+      uses: actions/download-artifact@v4
+      with:
+        name: release
+    - name: List Artifacts
+      run: ls -lR
+    - name: Create Release
+      uses: softprops/action-gh-release@v2
+      with:
+        tag_name: ${{ needs.check-release-branch.outputs.release_tag }}
+        files: |
+          xt-*.tar.gz
+          SHA256SUMS
+        body: >-
+          **[See the xt CHANGELOG][changelog] for release information.**
+
+
+          Binary releases of xt are available for Linux and macOS as
+          attachments to this GitHub Release. They are statically linked (on
+          Linux), or link only to the platform's standard libraries (on macOS).
+          Before using them, review the [Installation][install] section of the
+          xt README. Your platform may support a more robust installation
+          mechanism.
+
+
+          [changelog]: https://github.com/ahamlinman/xt/blob/main/CHANGELOG.md
+
+          [install]: https://github.com/ahamlinman/xt?tab=readme-ov-file#installation
