1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
name: Publish to crates.io
# Tag-driven release: pushing a version tag `vX.Y.Z` runs the gates, publishes to crates.io, and
# cuts a GitHub Release. A normal push to `main` runs the gates only (see ci.yml) — it does NOT
# publish. Mirrors the sibling DIG crates (dig-constants / dig-keystore) so the same org secrets
# apply. NOTE: the published build depends on the crates.io `dig-constants` (>=0.2 — the version that
# introduced DIG_RELAY_URL); dig-constants 0.2.x must be published BEFORE dig-nat, or the publish
# step (correctly) fails on the unresolved dependency. The orchestrator sequences the release tags.
on:
push:
tags:
- 'v*'
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g., v0.1.0)'
required: true
type: string
permissions:
contents: write
env:
CARGO_TERM_COLOR: always
jobs:
# No fmt/clippy/test/coverage re-run here (#488): the PR that produced this tagged commit already
# went through ci.yml's full gate set (fmt, clippy, nextest+coverage>=80%, build, docs) before it
# was allowed to merge — re-running the full suite on tag push only re-tests the same tree and
# delays the release. This workflow is build + package + publish only.
publish:
name: Publish to crates.io
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
- name: Cache dependencies
uses: Swatinem/rust-cache@v2
- name: Verify the package builds
run: cargo build --release
- name: Verify the package can be packaged
run: cargo package --locked
- name: Check CARGO_REGISTRY_TOKEN is set
run: |
if [ -z "${{ secrets.CARGO_REGISTRY_TOKEN }}" ]; then
echo "CARGO_REGISTRY_TOKEN secret is not set in repository settings"
exit 1
fi
- name: Publish to crates.io
run: cargo publish --locked --token ${{ secrets.CARGO_REGISTRY_TOKEN }}
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
create-release:
name: Create GitHub Release
runs-on: ubuntu-latest
needs: publish
if: startsWith(github.ref, 'refs/tags/v')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Extract version from tag
id: extract_version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
name: "dig-nat v${{ steps.extract_version.outputs.VERSION }}"
body: |
## dig-nat v${{ steps.extract_version.outputs.VERSION }}
Abstract NAT traversal for DIG Node peer connections — one `connect(peer)` API over
direct / UPnP / NAT-PMP / PCP / relay-coordinated hole-punch / relayed transport, with an
mTLS peer connection (`peer_id = SHA-256(TLS SPKI DER)`) and multiplexed, byte-range
streaming for multi-source download.
### Installation
```toml
[dependencies]
dig-nat = "${{ steps.extract_version.outputs.VERSION }}"
```
draft: false
prerelease: false