1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: Release
on:
push:
tags:
# Stable: v1.2.3
- 'v[0-9]+.[0-9]+.[0-9]+'
# Pre-release: v1.2.3-rc.1, v1.2.3-beta.2, v1.2.3-alpha.5
- 'v[0-9]+.[0-9]+.[0-9]+-[a-z]+.[0-9]+'
jobs:
release:
name: Create GitHub Release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Detect prerelease
id: prerelease
run: |
TAG="${GITHUB_REF_NAME}"
if [[ "$TAG" =~ -(rc|beta|alpha)\. ]]; then
echo "value=true" >> $GITHUB_OUTPUT
else
echo "value=false" >> $GITHUB_OUTPUT
fi
- name: Extract changelog for this version
id: changelog
run: |
TAG="${GITHUB_REF_NAME#v}"
NOTES=$(awk "/^## \[${TAG}\]/{found=1; next} found && /^## \[/{exit} found{print}" CHANGELOG.md)
echo "notes<<EOF" >> $GITHUB_OUTPUT
echo "$NOTES" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
name: "Torii ${{ github.ref_name }}"
body: ${{ steps.changelog.outputs.notes }}
draft: false
prerelease: ${{ steps.prerelease.outputs.value }}
publish-crates:
name: Publish to crates.io
runs-on: ubuntu-latest
permissions:
id-token: write # required for the OIDC auth path
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust
# Pinned to 1.94.0 to avoid rustc 1.95.0's ICE in mono-item
# partitioning that the russh→rsa-rc→crypto-bigint-rc chain
# triggers. Keep in sync with `rust-toolchain.toml`.
# TODO: revert to @stable once a fixed stable rustc lands.
uses: dtolnay/rust-toolchain@1.94.0
# Auth chain (try OIDC first, fall back to a stored PAT):
#
# 1. Trusted Publisher / OIDC via rust-lang/crates-io-auth-action.
# Sets CARGO_REGISTRY_TOKEN in the job env when crates.io
# recognises this repo+workflow as a trusted publisher.
# Configure at:
# https://crates.io/me → Trusted Publishers
# Repository: PaskiDev/gitorii
# Workflow filename: release.yml
# `continue-on-error: true` so the job survives when OIDC
# isn't (yet) configured and we can fall back to the secret.
#
# 2. Repository secret CARGO_REGISTRY_TOKEN as fallback.
# Set under Settings → Secrets and variables → Actions.
# Used automatically by `cargo publish` when present in env.
- name: Authenticate via OIDC (optional)
id: oidc
uses: rust-lang/crates-io-auth-action@v1
continue-on-error: true
- name: Publish to crates.io
# --locked respects the committed Cargo.lock so the verify-build
# uses the exact dep graph that compiled locally. Extra stack
# and reduced parallelism mirror the README "Known issue"
# workarounds for the codegen-pressure path.
run: cargo publish --locked
env:
# OIDC action exports CARGO_REGISTRY_TOKEN itself when it
# succeeds; this line keeps the secret fallback live for jobs
# where OIDC failed or isn't configured. `||` here is GitHub
# Actions' literal-OR, which yields the secret when the env
# var is empty/unset.
CARGO_REGISTRY_TOKEN: ${{ env.CARGO_REGISTRY_TOKEN || secrets.CARGO_REGISTRY_TOKEN }}
RUST_MIN_STACK: "16777216"
CARGO_BUILD_JOBS: "2"