cargo-rail: implement release preparation infrastructure; Integrate cargo-semver-checks for API breaking change detection; Parallelize commit analysis with rayon; Add release prepare command with version bumping and changelog generation. added the CI/CD workflows, actions, and scripts/ dir.

Author: loadingalias

.config/nextest.toml

@@ -6,3 +6,15 @@ fail-fast = false
 test-threads = "num-cpus"
 slow-timeout = { period = "30s", terminate-after = 4 }
 retries = 0
+
+[profile.commit]
+status-level = "fail"
+success-output = "never"
+failure-output = "immediate-final"
+fail-fast = false
+test-threads = "num-cpus"
+slow-timeout = { period = "60s", terminate-after = 4 }
+retries = { backoff = "exponential", count = 2, delay = "1s", jitter = true }
+
+[profile.commit.junit]
+path = "junit.xml"

.github/actions-lock.yaml

@@ -0,0 +1,58 @@
+# GitHub Actions Version Lock File
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Single source of truth for all GitHub Actions used in workflows.
+# Managed by Dependabot - DO NOT EDIT MANUALLY UNLESS ADDING NEW ACTIONS.
+#
+# Usage:
+#   1. Add new actions here first with desired semantic version
+#   2. Run: just pin-actions (generates SHA-pinned workflows)
+#   3. Dependabot automatically updates SHAs when new versions release
+#
+# Format:
+#   <action-name>:
+#     ref: <semantic-version>  # What we want (Dependabot monitors this)
+#     sha: <commit-sha>         # Immutable pin (generated)
+#     updated: <ISO-8601>       # Last verification timestamp
+#
+# Security Note:
+#   Workflows use SHA-pinned format: uses: actions/checkout@abc123...  # v4.1.7
+#   Dependabot reads the comment (# v4.1.7) and updates the SHA when new versions release.
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Official GitHub Actions
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+actions/checkout:
+  ref: v5.0.0
+  sha: "08c6903cd8c0fde910a37f88322edcfb5dd907a8"
+  updated: "2025-01-11T00:00:00Z"
+  notes: "Repository checkout - used in every workflow"
+
+actions/upload-artifact:
+  ref: v5.0.0
+  sha: "330a01c490aca151604b8cf639adc76d48f6c5d4"
+  updated: "2025-01-11T00:00:00Z"
+  notes: "Upload build artifacts and test results"
+
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Rust Toolchain & Ecosystem
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+dtolnay/rust-toolchain:
+  ref: master
+  sha: "6d653acede28d24f02e3cd41383119e8b1b35921"
+  updated: "2025-01-11T00:00:00Z"
+  notes: "Rust toolchain installation - always tracks latest nightly"
+
+taiki-e/install-action:
+  ref: v2
+  sha: "6f9c7cc51aa54b13cbcbd12f8bbf69d8ba405b4b"
+  updated: "2025-01-11T00:00:00Z"
+  notes: "Install cargo tools (nextest, just, deny, audit)"
+
+Swatinem/rust-cache:
+  ref: v2.8.1
+  sha: "f13886b937689c021905a6b90929199931d60db1"
+  updated: "2025-01-11T00:00:00Z"
+  notes: "GitHub runner Rust cache"

.github/actions/setup/action.yaml

@@ -0,0 +1,66 @@
+name: Setup cargo-rail Environment
+description: |
+  Install Rust toolchain, cargo tools, and configure caching.
+  All actions skip if already installed.
+
+inputs:
+  cache-key:
+    description: Additional cache key suffix
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    # Install cargo tools FIRST, before Rust toolchain installation
+    # This prevents Windows issues where massive toolchain updates interfere with cargo bin directory
+    - name: Install just
+      uses: taiki-e/install-action@6f9c7cc51aa54b13cbcbd12f8bbf69d8ba405b4b  # v2
+      with:
+        tool: just
+
+    - name: Install cargo-nextest
+      uses: taiki-e/install-action@6f9c7cc51aa54b13cbcbd12f8bbf69d8ba405b4b  # v2
+      with:
+        tool: cargo-nextest
+
+    - name: Install cargo-deny
+      uses: taiki-e/install-action@6f9c7cc51aa54b13cbcbd12f8bbf69d8ba405b4b  # v2
+      with:
+        tool: cargo-deny
+
+    - name: Install cargo-audit
+      uses: taiki-e/install-action@6f9c7cc51aa54b13cbcbd12f8bbf69d8ba405b4b  # v2
+      with:
+        tool: cargo-audit
+
+    - name: Install Rust Nightly Toolchain
+      uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921  # master
+      with:
+        toolchain: nightly
+        components: clippy, rustfmt
+
+    - name: Setup Rust Cache
+      uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1  # v2.8.1
+      with:
+        # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+        # Cache Strategy:
+        # - Caches: ~/.cargo (deps, tools) and ./target (build artifacts)
+        # - Cache key includes: workflow, platform, rustc version, Cargo.lock hash
+        # - Host triple automatically included in cache key
+        # - Separate caches per workflow and target triple via 'key' input
+        # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+        # Shared prefix: stable across commits (invalidates on bump)
+        shared-key: "cargo-rail-v1"
+
+        # Workflow and platform-specific suffix: commit-ubuntu-latest, commit-macos-latest, etc.
+        # Ensures each workflow and platform maintains separate cache
+        key: ${{ inputs.cache-key }}
+
+        # Cache even on test failures (build artifacts still useful)
+        cache-on-failure: true
+
+        # Only save from main branch (prevents cache thrashing)
+        # Feature branches READ from main's cache but don't WRITE new ones
+        save-if: ${{ github.ref == 'refs/heads/main' }}

.github/dependabot.yaml

@@ -0,0 +1,74 @@
+version: 2
+updates:
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Rust Dependencies (Cargo)
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  # Daily patch/minor updates; grouped and auto-merged.
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "06:00"
+      timezone: "America/New_York"
+    open-pull-requests-limit: 10
+    rebase-strategy: "auto"
+
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+
+    groups:
+      rust-patch-updates:
+        patterns: ["*"]
+        update-types: ["patch"]
+      rust-minor-updates:
+        patterns: ["*"]
+        update-types: ["minor"]
+
+  # Weekly major updates; ungrouped for easier review.
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "06:00"
+      timezone: "America/New_York"
+    open-pull-requests-limit: 5
+    rebase-strategy: "auto"
+
+    # Only include major updates
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # GitHub Actions (Security-Critical: SHA-Pinned)
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Dependabot understands SHA-pinned actions when formatted as:
+  #   uses: actions/checkout@abc123...  # v4.1.7
+  #
+  # It will:
+  #   1. Monitor the semantic version in the comment
+  #   2. Update the SHA when new versions release
+  #   3. Preserve the SHA-pinned format for security
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "America/New_York"
+    open-pull-requests-limit: 10
+    rebase-strategy: "auto"
+
+    # Group all GitHub Actions updates to reduce PR noise
+    groups:
+      github-actions:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+    # Note: Major version updates are NOT grouped
+    # These require manual review due to potential breaking changes

.github/workflows/commit.yaml

@@ -0,0 +1,75 @@
+name: Commit
+
+on:
+  push:
+    branches:
+      - "**"
+
+  # Allow manual trigger
+  workflow_dispatch:
+
+# Cancel in-progress runs for the same branch
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  RUST_BACKTRACE: 1
+  CARGO_TERM_COLOR: always
+  CARGO_RAIL_TEST_MODE: commit
+  CARGO_INCREMENTAL: 0
+
+# Lock down permissions to read-only by default
+permissions:
+  contents: read
+
+jobs:
+  ci:
+    name: CI (${{ matrix.target.name }})
+    runs-on: ${{ matrix.target.runner }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: true
+      matrix:
+        target:
+          # Linux x86-64 (GitHub Free)
+          - name: x86_64-unknown-linux-gnu
+            runner: ubuntu-latest
+            cache-key: commit-linux-x64
+
+          # Linux ARM64 (GitHub Pro)
+          - name: aarch64-unknown-linux-gnu
+            runner: ubuntu-24.04-arm
+            cache-key: commit-linux-arm64
+
+          # Windows x86-64 (GitHub Free)
+          - name: x86_64-pc-windows-msvc
+            runner: windows-latest
+            cache-key: commit-windows-x64
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+
+      - name: Setup
+        uses: ./.github/actions/setup
+        with:
+          cache-key: ${{ matrix.target.cache-key }}
+
+      - name: Quality Checks
+        run: just ci-check
+
+      - name: Build
+        run: just build
+
+      - name: Tests
+        run: just test
+
+      - name: Upload Test Results (on failure)
+        if: failure()
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+        with:
+          name: test-results-${{ matrix.target.name }}
+          path: target/nextest/
+          retention-days: 7
+          if-no-files-found: ignore