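# Release automation for pushes to master. Two jobs run release-plz:
# `release` (crates.io publish via OIDC, GitHub Release / tag) and
# `release-pr` (open or update the release PR).
#
# NOTE(review): every action below is referenced by a mutable tag or branch
# (`@v6`, `@stable`, `@v0.5`). These jobs hold a PAT and, for the release job,
# the ability to mint an OIDC token that crates.io accepts for publishing, so
# a retargeted tag would run with release credentials. Prefer pinning each
# `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g.
#   uses: release-plz/action@<full-commit-sha>  # v0.5
# and let Dependabot / Renovate propose the bumps.
name: release-plz

on:
  push:
    branches:
      - master

# Deny by default; each job below declares exactly the GITHUB_TOKEN scopes it
# needs, so a new job added later does not silently inherit write access.
permissions: {}

# Don't run two release-plz jobs in parallel.
concurrency:
  group: release-plz-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release-plz-release:
    name: release-plz release
    runs-on: ubuntu-latest
    permissions:
      # Needed for release-plz to open / update the release PR and to create
      # GitHub Releases.
      contents: write
      pull-requests: write
      # Needed for crates.io trusted publishing (OIDC); release-plz exchanges
      # this for a short-lived registry token instead of using a long-lived
      # CARGO_REGISTRY_TOKEN secret. Granted to this job only: it is the one
      # that publishes.
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Full history rather than a shallow clone.
          fetch-depth: 0
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Run release-plz
        id: release-plz
        uses: release-plz/action@v0.5
        with:
          command: release
        env:
          # Use a PAT (RELEASE_PLZ_TOKEN) rather than the default
          # GITHUB_TOKEN so the GitHub Release / tag is created by a real
          # identity. GitHub suppresses downstream workflow triggers for
          # GITHUB_TOKEN-originated events (anti-recursion); a PAT does not,
          # so the `release: published` event fires natively and
          # release-binaries.yml runs on its own — no explicit dispatch
          # needed. (crates.io publishing still uses OIDC, above.)
          #
          # The PAT is not limited by the `permissions:` block above, so
          # scope it at creation time: fine-grained, this repository only,
          # Contents and Pull requests read/write, with an expiry.
          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}

  release-plz-pr:
    name: release-plz PR
    runs-on: ubuntu-latest
    permissions:
      # Needed for release-plz to open / update the release PR.
      # No `id-token: write` here: this job only prepares the PR and does
      # not publish, so it has no reason to be able to request an OIDC token.
      contents: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Full history rather than a shallow clone.
          fetch-depth: 0
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Run release-plz
        uses: release-plz/action@v0.5
        with:
          command: release-pr
        env:
          # PAT so the opened/updated release PR triggers CI (a PR opened
          # with the default GITHUB_TOKEN does not fire `pull_request`
          # workflows). Same scoping advice as the release job: the
          # `permissions:` block does not constrain a PAT.
          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}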