sync-auth 0.3.0

Bidirectional auth credential sync for dev tools (Claude Code, GitHub CLI, GitLab CLI, Codex, Gemini CLI, and more) via Git repositories
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416

name: Rust CI/CD Pipeline

on:
  push:
    branches:
      - main
    paths:
      - 'rust/**'
      - 'scripts/**'
      - '.github/workflows/rust.yml'
  pull_request:
    types: [opened, synchronize, reopened]
    paths:
      - 'rust/**'
      - 'scripts/**'
      - '.github/workflows/rust.yml'
  workflow_dispatch:
    inputs:
      bump_type:
        description: 'Version bump type'
        required: true
        type: choice
        options:
          - patch
          - minor
          - major
      description:
        description: 'Release description (optional)'
        required: false
        type: string

concurrency:
  group: rust-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
  RUSTFLAGS: -Dwarnings

defaults:
  run:
    working-directory: rust

jobs:
  # === DETECT CHANGES - determines which jobs should run ===
  detect-changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    if: github.event_name != 'workflow_dispatch'
    outputs:
      rs-changed: ${{ steps.changes.outputs.rs-changed }}
      toml-changed: ${{ steps.changes.outputs.toml-changed }}
      mjs-changed: ${{ steps.changes.outputs.mjs-changed }}
      docs-changed: ${{ steps.changes.outputs.docs-changed }}
      workflow-changed: ${{ steps.changes.outputs.workflow-changed }}
      any-code-changed: ${{ steps.changes.outputs.any-code-changed }}
      rust-code-changed: ${{ steps.changes.outputs.rust-code-changed }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'

      - name: Detect changes
        id: changes
        working-directory: .
        env:
          GITHUB_EVENT_NAME: ${{ github.event_name }}
          GITHUB_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: node scripts/detect-code-changes.mjs

  # === CHANGELOG CHECK - only runs on PRs with code changes ===
  # Docs-only PRs (./docs folder, markdown files) don't require changelog fragments
  changelog:
    name: Changelog Fragment Check
    runs-on: ubuntu-latest
    needs: [detect-changes]
    if: github.event_name == 'pull_request' && needs.detect-changes.outputs.rust-code-changed == 'true'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Check for changelog fragments
        run: |
          # Get list of fragment files (excluding README and template)
          FRAGMENTS=$(find changelog.d -name "*.md" ! -name "README.md" 2>/dev/null | wc -l)

          # Get changed files in PR
          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)

          # Check if any source files changed (excluding docs and config)
          SOURCE_CHANGED=$(echo "$CHANGED_FILES" | grep -E "^rust/(src/|tests/|Cargo\.toml)" | wc -l)

          if [ "$SOURCE_CHANGED" -gt 0 ] && [ "$FRAGMENTS" -eq 0 ]; then
            echo "::warning::No changelog fragment found. Please add a changelog entry in rust/changelog.d/"
            echo ""
            echo "To create a changelog fragment:"
            echo "  Create a new .md file in rust/changelog.d/ with your changes"
            echo ""
            echo "See rust/changelog.d/README.md for more information."
            # Note: This is a warning, not a failure, to allow flexibility
            # Change 'exit 0' to 'exit 1' to make it required
            exit 0
          fi

          echo "Changelog check passed"

  # === LINT AND FORMAT CHECK ===
  # Lint runs independently of changelog check - it's a fast check that should always run
  # Note: always() is required because detect-changes is skipped on workflow_dispatch,
  # and without always(), this job would also be skipped even though its condition includes workflow_dispatch.
  # See: https://github.com/actions/runner/issues/491
  lint:
    name: Lint and Format Check
    runs-on: ubuntu-latest
    needs: [detect-changes]
    if: |
      always() && !cancelled() && (
        github.event_name == 'push' ||
        github.event_name == 'workflow_dispatch' ||
        needs.detect-changes.outputs.rs-changed == 'true' ||
        needs.detect-changes.outputs.toml-changed == 'true' ||
        needs.detect-changes.outputs.mjs-changed == 'true' ||
        needs.detect-changes.outputs.docs-changed == 'true' ||
        needs.detect-changes.outputs.workflow-changed == 'true'
      )
    steps:
      - uses: actions/checkout@v4

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'

      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            rust/target
          key: ${{ runner.os }}-cargo-${{ hashFiles('rust/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-

      - name: Check formatting
        run: cargo fmt --all -- --check

      - name: Run Clippy
        run: cargo clippy --all-targets --all-features

      - name: Check file size limit
        working-directory: .
        run: node rust/scripts/check-file-size.mjs

  # === TEST ===
  # Test runs independently of changelog check
  test:
    name: Test (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    needs: [detect-changes, changelog]
    # Run if: push event, OR changelog succeeded, OR changelog was skipped (docs-only PR)
    # Note: always() is required to evaluate the condition when dependencies are skipped.
    if: always() && !cancelled() && (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || needs.changelog.result == 'success' || needs.changelog.result == 'skipped')
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    steps:
      - uses: actions/checkout@v4

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            rust/target
          key: ${{ runner.os }}-cargo-${{ hashFiles('rust/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-

      - name: Run tests
        run: cargo test --all-features --verbose

      - name: Run doc tests
        run: cargo test --doc --verbose

  # === BUILD ===
  # Build package - only runs if lint and test pass
  build:
    name: Build Package
    runs-on: ubuntu-latest
    needs: [lint, test]
    # Note: always() ensures this job runs even when lint/test jobs use always().
    if: always() && !cancelled() && needs.lint.result == 'success' && needs.test.result == 'success'
    steps:
      - uses: actions/checkout@v4

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            rust/target
          key: ${{ runner.os }}-cargo-build-${{ hashFiles('rust/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-build-

      - name: Build release
        run: cargo build --release --verbose

      - name: Check package
        run: cargo package --list

  # === AUTO RELEASE ===
  # Automatic release on push to main using changelog fragments
  # This job automatically bumps version based on fragments in changelog.d/
  auto-release:
    name: Auto Release
    needs: [lint, test, build]
    # Note: always() is required to evaluate the condition when dependencies use always().
    # The build job ensures lint and test passed before this job runs.
    if: |
      always() && !cancelled() &&
      github.event_name == 'push' &&
      github.ref == 'refs/heads/main' &&
      needs.build.result == 'success'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'

      - name: Configure git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      - name: Determine bump type from changelog fragments
        id: bump_type
        run: node scripts/get-bump-type.mjs

      - name: Check if version already released or no fragments
        id: check
        run: |
          CURRENT_VERSION=$(grep -Po '(?<=^version = ")[^"]*' Cargo.toml | head -1)
          CRATE_NAME=$(grep -Po '(?<=^name = ")[^"]*' Cargo.toml | head -1)

          # Check if version is published on crates.io (the source of truth for Rust packages)
          # Note: We check crates.io, not git tags, because git tags can exist without
          # the package being published (e.g., failed publish, GitHub-only releases)
          CRATES_IO_RESPONSE=$(curl -s "https://crates.io/api/v1/crates/${CRATE_NAME}/${CURRENT_VERSION}")
          VERSION_ON_CRATES_IO=false
          if echo "$CRATES_IO_RESPONSE" | grep -q '"version"'; then
            VERSION_ON_CRATES_IO=true
          fi

          echo "Crate: $CRATE_NAME, Version: $CURRENT_VERSION, Published on crates.io: $VERSION_ON_CRATES_IO"

          # Check if there are changelog fragments
          if [ "${{ steps.bump_type.outputs.has_fragments }}" != "true" ]; then
            # No fragments - check if current version is published on crates.io
            if [ "$VERSION_ON_CRATES_IO" = "true" ]; then
              echo "No changelog fragments and v$CURRENT_VERSION already published on crates.io"
              echo "should_release=false" >> $GITHUB_OUTPUT
            else
              echo "No changelog fragments but v$CURRENT_VERSION not yet published to crates.io"
              echo "should_release=true" >> $GITHUB_OUTPUT
              echo "skip_bump=true" >> $GITHUB_OUTPUT
            fi
          else
            echo "Found changelog fragments, proceeding with release"
            echo "should_release=true" >> $GITHUB_OUTPUT
            echo "skip_bump=false" >> $GITHUB_OUTPUT
          fi

      - name: Collect changelog and bump version
        id: version
        if: steps.check.outputs.should_release == 'true' && steps.check.outputs.skip_bump != 'true'
        run: |
          node scripts/version-and-commit.mjs \
            --bump-type "${{ steps.bump_type.outputs.bump_type }}"

      - name: Get current version
        id: current_version
        if: steps.check.outputs.should_release == 'true'
        run: |
          CURRENT_VERSION=$(grep -Po '(?<=^version = ")[^"]*' Cargo.toml)
          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT

      - name: Build release
        if: steps.check.outputs.should_release == 'true'
        run: cargo build --release

      - name: Publish to Crates.io
        if: steps.check.outputs.should_release == 'true'
        id: publish-crate
        env:
          # Note: Organization secret is named CARGO_TOKEN, we map it to CARGO_REGISTRY_TOKEN
          # which is the standard environment variable that Cargo uses for crates.io auth
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_TOKEN }}
        working-directory: .
        run: node rust/scripts/publish-crate.mjs

      - name: Create GitHub Release
        if: steps.check.outputs.should_release == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          node scripts/create-github-release.mjs \
            --release-version "${{ steps.current_version.outputs.version }}" \
            --repository "${{ github.repository }}"

  # === MANUAL RELEASE ===
  # Manual release via workflow_dispatch - only after CI passes
  manual-release:
    name: Manual Release
    needs: [lint, test, build]
    # Note: always() is required to evaluate the condition when dependencies use always().
    # The build job ensures lint and test passed before this job runs.
    if: |
      always() && !cancelled() &&
      github.event_name == 'workflow_dispatch' &&
      needs.build.result == 'success'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'

      - name: Configure git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      - name: Collect changelog fragments
        run: |
          # Check if there are any fragments to collect
          FRAGMENTS=$(find changelog.d -name "*.md" ! -name "README.md" 2>/dev/null | wc -l)
          if [ "$FRAGMENTS" -gt 0 ]; then
            echo "Found $FRAGMENTS changelog fragment(s), collecting..."
            node scripts/collect-changelog.mjs
          else
            echo "No changelog fragments found, skipping collection"
          fi

      - name: Version and commit
        id: version
        run: |
          node scripts/version-and-commit.mjs \
            --bump-type "${{ github.event.inputs.bump_type }}" \
            --description "${{ github.event.inputs.description }}"

      - name: Build release
        if: steps.version.outputs.version_committed == 'true' || steps.version.outputs.already_released == 'true'
        run: cargo build --release

      - name: Publish to Crates.io
        if: steps.version.outputs.version_committed == 'true' || steps.version.outputs.already_released == 'true'
        id: publish-crate
        env:
          # Note: Organization secret is named CARGO_TOKEN, we map it to CARGO_REGISTRY_TOKEN
          # which is the standard environment variable that Cargo uses for crates.io auth
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_TOKEN }}
        working-directory: .
        run: node rust/scripts/publish-crate.mjs

      - name: Create GitHub Release
        if: steps.version.outputs.version_committed == 'true' || steps.version.outputs.already_released == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          node scripts/create-github-release.mjs \
            --release-version "${{ steps.version.outputs.new_version }}" \
            --repository "${{ github.repository }}"