ci: add manual Publish crates workflow #11763

Merged
kdy1 merged 1 commit into main from kdy1/publish-crates-manual-workflow on Apr 2, 2026

Conversation


@kdy1 kdy1 commented Apr 2, 2026

Summary

  • add a new manual GitHub Actions workflow named Publish crates
  • keep the existing auto workflow untouched
  • run publish steps in fixed order: git pull -> cargo bump -> git push -> git push --tags

Details

  • add .github/workflows/publish-crates-manual.yml
  • trigger only via workflow_dispatch (no inputs)
  • pin checkout to main with full history
  • use SSH auth with SWC_BOT_SSH and force SSH remote URL before push
  • set publish-bot git author/committer env vars for consistency

@kdy1 kdy1 requested a review from a team as a code owner April 2, 2026 21:08
Copilot AI review requested due to automatic review settings April 2, 2026 21:08

changeset-bot bot commented Apr 2, 2026

⚠️ No Changeset found

Latest commit: 038375b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@kdy1 kdy1 enabled auto-merge (squash) April 2, 2026 21:09
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: Critical | Alert: Critical CVE: npm cipher-base is missing type checks, leading to hash rewind and passing on crafted data

CVE: GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data (CRITICAL)

Affected versions: < 1.0.5

Patched version: 1.0.5

From: npm/cipher-base@1.0.4


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cipher-base@1.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn | Severity: High | Alert: Obfuscated code: npm buffer is 96.0% likely obfuscated

Confidence: 0.96

Location: Package overview

From: npm/buffer@4.9.2


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.



claude bot commented Apr 2, 2026

PR Review: ci: add manual Publish crates workflow

Overview

This adds a workflow_dispatch-triggered workflow that runs cargo bump (aliased to swc-releaser bump), then pushes the resulting commit and tags. The releaser handles version bumping, changelog generation, committing, and tagging — so the publish script's git push steps make sense.

Issues

1. git-cliff is installed but never used
git-cliff@2.8.0 is installed (lines 51–53) but the publish script never invokes it. The changelog is generated internally by yarn changelog (called from swc-releaser bump). This adds unnecessary CI time. Consider removing it unless there's an intended future use.

2. Nightly toolchain may be unnecessary
The workflow pins nightly-2025-05-06, but cargo bump (swc-releaser) just runs cargo set-version, changeset processing, and git operations — none of which require nightly. The existing auto workflow (publish-crates.yml) uses profile: minimal without specifying a nightly channel. Unless the nightly is specifically needed for compiling swc-releaser, consider using stable to avoid fragility from nightly pinning.

3. Deprecated actions-rs/toolchain@v1
This action has been deprecated/archived for a while. The community standard replacement is dtolnay/rust-toolchain. The existing auto workflow also uses actions-rs/toolchain@v1, so this is a pre-existing issue — but a new workflow is a good opportunity to modernize.

4. cancel-in-progress: true is risky for a publish workflow
If someone accidentally triggers the workflow twice, the first run could be cancelled mid-way through — after cargo bump has committed but before git push, or after pushing the commit but before pushing tags. This could leave the repo in an inconsistent state. For a publish/release workflow, cancel-in-progress: false is safer.

5. No CARGO_REGISTRY_TOKEN / no actual cargo publish
The workflow name is "Publish crates" but it only bumps versions and pushes — it doesn't actually publish to crates.io. The existing auto workflow (publish-crates.yml) handles the actual cargo mono publish step, triggered by commits with a chore: Publish prefix. This means the manual workflow is a trigger for the auto workflow. This is fine architecturally, but the naming could be confusing. Consider renaming to something like "Bump crate versions" or adding a comment explaining the two-stage publish pipeline.

6. Missing permissions in the auto workflow
The new manual workflow correctly declares permissions: contents: write, but the existing auto workflow (publish-crates.yml) doesn't. This is tangential to this PR but worth noting.

7. No node-version or yarn setup visibility
The workflow uses ./.github/actions/setup-node — this is fine and consistent with the auto workflow. Just confirming it's needed here since swc-releaser bump calls yarn changelog.

Minor Nits

  • The NODE_OPTIONS: --max-old-space-size=6144 env var is likely unnecessary for this workflow since it's not running heavy Node.js processes, but it's harmless and consistent with other workflows.
  • No workflow_dispatch inputs (e.g., dry-run flag, version bump type) — this is noted in the PR description as intentional, but a dry-run input could be valuable for safety.

Summary

The core logic is sound — cargo bump (swc-releaser) handles the heavy lifting and the workflow correctly sets up SSH auth for pushing. The main concerns are: (1) the installed-but-unused git-cliff, (2) cancel-in-progress: true being risky for release workflows, and (3) the workflow name being potentially misleading since it doesn't actually publish to crates.io. None of these are blockers, but addressing them would improve robustness and clarity.


Copilot AI left a comment


Pull request overview

Adds a new manually triggered GitHub Actions workflow to run the crate version-bump + tagging flow on main, pushing the resulting commit and tags back to the repository (while keeping the existing auto publish workflow unchanged).

Changes:

  • Introduce a new workflow_dispatch-only workflow named Publish crates.
  • Configure the job to checkout main with full history, authenticate via SSH, run cargo bump, and push main + tags.
  • Set consistent bot author/committer environment variables for generated commits.


Comment on lines +62 to +63
git push origin main
git push origin --tags

Copilot AI Apr 2, 2026


git push origin --tags will attempt to push all local tags (and the job is also vulnerable to being cancelled between the branch push and the tag push), which can cause surprising behavior or leave the run half-complete (commit pushed but tag not). Prefer a single push that includes only the tags created by cargo bump (e.g. push the specific tag(s) or use a follow-tags approach) so the operation is atomic and limited in scope.

Suggested change
- git push origin main
- git push origin --tags
+ git push --atomic --follow-tags origin main

SKIP_YARN_COREPACK_CHECK: 1

permissions:
  contents: write

Copilot AI Apr 2, 2026


The workflow sets permissions: contents: write, but all write operations are performed via SSH (not GITHUB_TOKEN) and no step appears to require write-scoped token permissions. Consider reducing this to contents: read (or removing the override) to follow least-privilege and reduce blast radius if a dependency/action is compromised.

Suggested change
-   contents: write
+   contents: read

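Added example (not part of this PR or the swc project's own workflow) that makes the push comment above observable offline: in a constructed throwaway repo, a `bump` stand-in for `cargo bump` creates a commit plus a tag, and the suggested `git push --atomic --follow-tags origin main` pushes branch and annotated tag together, while a lightweight tag is skipped by `--follow-tags` and has to be named explicitly. Assumes git is installed; `setup_repos`, `bump`, `push_follow_tags`, `push_points_at` and `remote_has` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed fixture: a throwaway bare "origin" plus a clone, so the push
# behaviour the review discusses can be observed offline. Needs only git.
set -eu
export GIT_AUTHOR_NAME=publish-bot GIT_AUTHOR_EMAIL=bot@example.invalid
export GIT_COMMITTER_NAME=publish-bot GIT_COMMITTER_EMAIL=bot@example.invalid
trap 'rm -rf "${work:-}"' EXIT

setup_repos() {            # bare remote + clone with one commit on main
  work=$(mktemp -d)
  git init -q --bare "$work/origin.git"
  git init -q "$work/clone" && cd "$work/clone"
  git symbolic-ref HEAD refs/heads/main
  git remote add origin "$work/origin.git"
  echo 'version = "1.0.0"' > Cargo.toml
  git add Cargo.toml && git commit -q -m init && git push -q origin main
}

bump() {                   # stand-in for `cargo bump`: $1 version, $2 tag kind
  echo "version = \"$1\"" > Cargo.toml
  git commit -q -am "chore: Publish v$1"
  if [ "$2" = annotated ]; then git tag -a "v$1" -m "v$1"; else git tag "v$1"; fi
}

# Review suggestion: one atomic push of main plus reachable *annotated* tags.
push_follow_tags() { git push -q --atomic --follow-tags origin main; }

# Alternative the review mentions: name the tags explicitly (works for
# lightweight tags too); still atomic, still limited to tags on HEAD.
push_points_at() {
  # shellcheck disable=SC2046  # word-splitting of tag names is intended
  git push -q --atomic origin main $(git tag --points-at HEAD)
}

remote_has() {             # prints yes/no: does origin have ref $1?
  if git ls-remote --exit-code origin "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

setup_repos
bump 1.0.1 annotated;   push_follow_tags
echo "v1.0.1 (annotated) on origin:   $(remote_has refs/tags/v1.0.1)"  # yes
bump 1.0.2 lightweight; push_follow_tags
echo "v1.0.2 (lightweight) on origin: $(remote_has refs/tags/v1.0.2)"  # no
push_points_at
echo "v1.0.2 after explicit push:     $(remote_has refs/tags/v1.0.2)"  # yes
```

Whichever variant is used, the commit and its tag land on origin in one transaction, so a cancelled run cannot leave the branch pushed without the tag.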
@kdy1 kdy1 disabled auto-merge April 2, 2026 21:14
@kdy1 kdy1 merged commit 169c961 into main Apr 2, 2026
206 of 207 checks passed
@kdy1 kdy1 deleted the kdy1/publish-crates-manual-workflow branch April 2, 2026 21:15
@github-actions github-actions bot added this to the Planned milestone Apr 2, 2026

github-actions bot commented Apr 2, 2026

Binary Sizes

File                     Size
swc.linux-x64-gnu.node   28M (29066056 bytes)

Commit: f6ac886

@codspeed-hq

codspeed-hq bot commented Apr 2, 2026

Merging this PR will not alter performance

✅ 219 untouched benchmarks

Comparing kdy1/publish-crates-manual-workflow (038375b) with main (71feafb) [1]


Footnotes

  [1] No successful run was found on main (7aa5094) during the generation of this report, so 71feafb was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@github-actions github-actions bot modified the milestones: Planned, 1.15.24 Apr 4, 2026