ci(release): enforce Conventional Commits (R1b) + wire OIDC publish step (R7)#387
Merged
Conversation
R8 bootstrap (uffs-time + uffs-text v0.5.120) is done via a maintainer token, so trusted publishers can now be registered. Replace the commented-out placeholder in the crates-io-publish job with a real publish path:
- Mint a short-lived crates.io token via rust-lang/crates-io-auth-action@bbd81622 (v1.0.4, SHA-pinned) -- no long-lived CARGO_REGISTRY_TOKEN secret is ever stored.
- Publish the publishable set, dependency-ordered, derived from cargo metadata (publish != []) so it adapts as crates flip -- today exactly uffs-time + uffs-text (dependency-free leaves).

Job stays dormant behind the ENABLE_CRATES_IO_PUBLISH repo-variable gate + the crates.io-publish environment; activation is R9. actionlint clean (incl. shellcheck of the run block).
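The publishable-set derivation this commit describes (workspace members with `publish != []`, published dependencies-first), as an added example that is not the project's workflow code: it reads a constructed, trimmed stand-in for `cargo metadata --format-version 1` output, orders the publishable crates so each is published after its workspace dependencies, and rejects a publishable crate that depends on a never-publish workspace crate, which `cargo publish` could not resolve from the crates.io index. Crate names follow the PR; the simplified package ids and the dependency edges are constructed, not the real workspace graph.

```python
import json
from graphlib import CycleError, TopologicalSorter

# Constructed, trimmed stand-in for `cargo metadata --format-version 1` output
# (only the fields read below, simplified package ids, illustrative edges).
# publish = [] is how cargo metadata reports `publish = false`.
SAMPLE_METADATA = json.dumps({
    "workspace_members": ["uffs-time", "uffs-text", "uffs-broker-protocol", "uffs-broker"],
    "packages": [
        {"id": "uffs-time", "name": "uffs-time", "publish": None, "dependencies": []},
        {"id": "uffs-text", "name": "uffs-text", "publish": None,
         "dependencies": [{"name": "uffs-time", "req": "^0.5.120", "kind": None}]},
        {"id": "uffs-broker-protocol", "name": "uffs-broker-protocol", "publish": [],
         "dependencies": []},
        {"id": "uffs-broker", "name": "uffs-broker", "publish": [],
         "dependencies": [{"name": "uffs-broker-protocol", "req": "^0.5.120", "kind": None}]},
    ],
})
# Same workspace with uffs-broker flipped to publishable while its internal
# dependency stays never-publish: the case cargo publish cannot resolve.
_broken = json.loads(SAMPLE_METADATA)
_broken["packages"][3]["publish"] = None
BROKEN_METADATA = json.dumps(_broken)

def publishable_set(metadata_json: str) -> list[str]:
    """Workspace crates with publish != [], each after its workspace deps.

    Raises ValueError for a publishable crate that depends on a never-publish
    workspace crate, or for a cycle among the publishable crates.
    """
    meta = json.loads(metadata_json)
    members = set(meta["workspace_members"])
    pkgs = {p["name"]: p for p in meta["packages"] if p["id"] in members}
    publishable = {n for n, p in pkgs.items() if p["publish"] != []}
    graph: dict[str, set[str]] = {}
    for name in publishable:
        deps = set()
        for dep in pkgs[name]["dependencies"]:
            # Non-workspace crates resolve from the index; dev-deps are ignored for ordering.
            if dep["name"] not in pkgs or dep.get("kind") == "dev":
                continue
            if dep["name"] not in publishable:
                raise ValueError(f"{name} needs never-publish workspace crate {dep['name']}")
            deps.add(dep["name"])
        graph[name] = deps
    try:
        return list(TopologicalSorter(graph).static_order())  # deps before dependents
    except CycleError as exc:
        raise ValueError(f"cycle among publishable crates: {exc.args[1]}") from exc
```

In the workflow the returned list is what the `cargo publish` loop iterates over; the ValueError is the condition to fail the job before any crate is uploaded.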
…p + R7 wiring

The plan (§R7, §5.6, §5.7 checklist, §R9, risk table) and the runbook named the OIDC environment 'crates-io-production', but the live release-plz.yml uses 'environment: crates.io-publish'. crates.io requires the registered trusted-publisher environment to match the workflow's environment value exactly, so the mismatch would have silently broken OIDC registration. Rename all references to crates.io-publish.

Also bring the docs in line with the completed R8 bootstrap:
- release-automation-plan.md: mark R8 complete (uffs-time + uffs-text v0.5.120 live via token), update R7 to 'wired, dormant', add a deviation-log row for the OIDC wire-up + env-name fix.
- publishing.md: status banner (bootstrap done, automated publishing still dormant), repo-variable dormancy stack (replaces if:false), phase-status table, 2-crate publishable set (was a stale 12-crate list), and a filled-in OIDC configuration section with the correct environment name and revocation steps.
R1a landed advisory on 2026-04-25; after ~1.5 months of observation the project converged on the 11 standard Conventional Commits types (the security:/bench:/shmem: prefixes from the R1a baseline are gone -- security migrated to fix(security):/chore(security):). Pre-flip check: the trailing 80 first-parent merges on main are 100% conformant, so the gate flips with negligible false-positive risk.
- commitlint.yml: exit 1 (was exit 0) on non-conforming titles; updated workflow name, header rationale, step-summary mode line, and the sticky-comment body to say REQUIRED.
- Branch protection: added 'PR title -- Conventional Commits' to the main-protection ruleset's required_status_checks (id 11889528, strict policy) alongside 'PR Fast CI / required', so a non-conforming title now blocks merge.
- release-automation-plan.md: R1b dashboard row -> complete with the verification numbers, enforcement detail, and the fork-PR caveat (skipped on forks; internal + Dependabot branches unaffected).

actionlint clean.
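The PR-title gate this commit describes, as an added example rather than the project's commitlint.yml: it accepts `type(scope)!: subject` with the 11 types of the @commitlint/config-conventional type enum (assumed here, since the message does not list them) and models the advisory-to-required flip as exit code 0 versus 1. The sample titles are constructed.

```python
import re

# Type enum of @commitlint/config-conventional, assumed to be the 11 standard
# types the project converged on. The retired project-specific prefixes
# (security:, bench:, shmem:) are deliberately absent.
TYPES = frozenset({"build", "chore", "ci", "docs", "feat", "fix", "perf",
                   "refactor", "revert", "style", "test"})

# <type>, optional (<scope>), optional ! for a breaking change, ": ", non-empty subject
TITLE_RE = re.compile(
    r"^(?P<type>[a-z]+)(?:\((?P<scope>[^()\s]+)\))?(?P<bang>!)?: (?P<subject>\S.*)$")


def check_pr_title(title: str) -> tuple[bool, str]:
    """Return (conformant, reason) for a PR title under the Conventional Commits gate."""
    match = TITLE_RE.match(title.strip())
    if not match:
        return False, "title is not of the form '<type>(<scope>)?: <subject>'"
    if match.group("type") not in TYPES:
        return False, f"unknown type '{match.group('type')}' (not one of the 11 standard types)"
    return True, "ok"


def gate_exit_code(title: str, enforce: bool = True) -> int:
    """Advisory mode (R1a) always exits 0; required mode (R1b) exits 1 on a bad title."""
    conformant, _ = check_pr_title(title)
    return 0 if conformant or not enforce else 1
```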
githubrobbi added a commit that referenced this pull request on Jun 11, 2026
…rigger (#389)

Root cause of 'PR merged, nothing happened': the release-plz push trigger was commented out (workflow_dispatch-only) after the 2026-06-09 re-activation failed 4 consecutive runs, so the #387/#388 merges to main triggered no release-pr run at all.

Those failures were structural, not transient: in git_only mode release-plz hardcodes 'cargo package --allow-dirty --workspace' inside the latest-tag worktree (verified with RUST_LOG=debug on 0.3.157), packaging ALL members regardless of release=false config. Never-publish crates with versioned internal deps (uffs-broker -> uffs-broker-protocol) can never resolve from the crates.io index; dropping the version instead fails with 'all dependencies must have a version requirement' -- both directions reproduced locally. Git-only mode can never work on this workspace, and the old 're-enable after the internal crates are published' condition was unsatisfiable (they are never-publish by design).

Fix: git_only = false (registry baseline) -- the flip release-plz.toml's own R4 comment block planned for post-R8. With uffs-time + uffs-text v0.5.120 live on crates.io (R8 bootstrap), release-plz downloads the published .crate files as baseline and never invokes the worktree packaging step. Verified locally: 'release-plz update' downloads uffs-text 0.5.120, exits 0, and proposes bumps only when the published crates' files change.

Also: re-enabled push: branches: [main]; rewrote the two stale deferral notices in the workflow header as historical records with the resolution trail; added the matching deviation row + R4 dashboard correction in release-automation-plan.md. actionlint clean.
Two release-automation phases, both low-risk:

R1b — Conventional Commits mandatory gate
- `commitlint.yml`: `exit 1` (was `exit 0`) on non-conforming PR titles.
- `PR title — Conventional Commits` added to the `main-protection` ruleset's required status checks (strict policy).
- The trailing 80 first-parent merges on `main` were 100% conformant.

R7 — OIDC trusted-publisher publish step (dormant)
- Replaced the commented-out placeholder in the `crates-io-publish` job with a real `rust-lang/crates-io-auth-action@v1.0.4` (SHA-pinned) token mint + dependency-ordered `cargo publish` loop over the `cargo metadata` publishable crates (today `uffs-time` + `uffs-text`).
- Dormant behind the `ENABLE_CRATES_IO_PUBLISH` repo-variable gate + `crates.io-publish` environment. No operational change until R9.

Docs
- Environment-name fix (`crates-io-production` → `crates.io-publish`, matching the live workflow).
- actionlint clean on both workflows.