dig-nat 0.4.0

Abstract NAT traversal for DIG Node peer connections — one connect() API over direct, UPnP/IGD, NAT-PMP, PCP, relay-coordinated hole-punch, and relay.dig.net as last-resort fallback; establishes an mTLS peer connection with peer_id = SHA256(TLS SPKI DER).
Documentation
name: Publish to crates.io

# Tag-driven release: pushing a version tag `vX.Y.Z` runs the gates, publishes to crates.io, and
# cuts a GitHub Release. A normal push to `main` runs the gates only (see ci.yml) — it does NOT
# publish. Mirrors the sibling DIG crates (dig-constants / dig-keystore) so the same org secrets
# apply. NOTE: the published build depends on the crates.io `dig-constants` (>=0.2 — the version that
# introduced DIG_RELAY_URL); dig-constants 0.2.x must be published BEFORE dig-nat, or the publish
# step (correctly) fails on the unresolved dependency. The orchestrator sequences the release tags.

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to publish (e.g., v0.1.0)'
        required: true
        type: string

permissions:
  contents: write

env:
  CARGO_TERM_COLOR: always

jobs:
  # No fmt/clippy/test/coverage re-run here (#488): the PR that produced this tagged commit already
  # went through ci.yml's full gate set (fmt, clippy, nextest+coverage>=80%, build, docs) before it
  # was allowed to merge — re-running the full suite on tag push only re-tests the same tree and
  # delays the release. This workflow is build + package + publish only.
  publish:
    name: Publish to crates.io
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable

      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2

      - name: Verify the package builds
        run: cargo build --release

      - name: Verify the package can be packaged
        run: cargo package --locked

      - name: Check CARGO_REGISTRY_TOKEN is set
        run: |
          if [ -z "${{ secrets.CARGO_REGISTRY_TOKEN }}" ]; then
            echo "CARGO_REGISTRY_TOKEN secret is not set in repository settings"
            exit 1
          fi

      - name: Publish to crates.io
        run: cargo publish --locked --token ${{ secrets.CARGO_REGISTRY_TOKEN }}
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

  create-release:
    name: Create GitHub Release
    runs-on: ubuntu-latest
    needs: publish
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Extract version from tag
        id: extract_version
        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref_name }}
          name: "dig-nat v${{ steps.extract_version.outputs.VERSION }}"
          body: |
            ## dig-nat v${{ steps.extract_version.outputs.VERSION }}

            Abstract NAT traversal for DIG Node peer connections — one `connect(peer)` API over
            direct / UPnP / NAT-PMP / PCP / relay-coordinated hole-punch / relayed transport, with an
            mTLS peer connection (`peer_id = SHA-256(TLS SPKI DER)`) and multiplexed, byte-range
            streaming for multi-source download.

            ### Installation
            ```toml
            [dependencies]
            dig-nat = "${{ steps.extract_version.outputs.VERSION }}"
            ```
          draft: false
          prerelease: false