From 45c1890bb32223a5cf0a30ea222c1b211b3f28b1 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 19 May 2026 03:59:56 -0700 Subject: [PATCH] ci: replace tag-triggered SDK publish with release-plz MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous rust-sdk-release.yml triggered `cargo publish` on `rust-sdk-v*` tags, but the tag version (e.g. rust-sdk-v0.5.9) was decoupled from the actual crate version in Cargo.toml (0.1.2). Pushing a tag failed with "already exists on crates.io index", and there was no way to retry once one of the two serial publishes succeeded. release-plz manages this end-to-end: - on every push to master, opens/updates a single Release PR that bumps versions in Cargo.toml, updates workspace dependency pins, and regenerates per-crate CHANGELOGs based on commits since last release - merging the PR auto-tags each crate (dstack-sdk-v*, dstack-sdk-types-v*) and publishes to crates.io in dependency order, idempotently - semver-check warns if a change should bump major - OIDC trusted publishing (id-token: write) replaces the static token flow; no CARGO_REGISTRY_TOKEN secret needed release-plz.toml uses an allowlist: workspace defaults to release = false so only dstack-sdk and dstack-sdk-types are managed; all other internal crates are protected from accidental publish. Follow-up: crates.io trusted publisher entries need to be re-pointed from rust-sdk-release.yml to release-plz.yml for both crates (Settings → Trusted Publishers on each crate's page). --- .github/workflows/rust-sdk-release.yml | 59 ++++++++++++++++++++------ release-plz.toml | 21 +++++++++ 2 files changed, 66 insertions(+), 14 deletions(-) create mode 100644 release-plz.toml diff --git a/.github/workflows/rust-sdk-release.yml b/.github/workflows/rust-sdk-release.yml index 9e85c6b2a..586e38384 100644 --- a/.github/workflows/rust-sdk-release.yml +++ b/.github/workflows/rust-sdk-release.yml 
@@ -1,25 +1,56 @@ -# SPDX-FileCopyrightText: © 2025 Phala Network +# SPDX-FileCopyrightText: © 2026 Phala Network # # SPDX-License-Identifier: Apache-2.0 -name: Publish SDK to crates.io +name: Release-plz + on: push: - tags: ['rust-sdk-v*'] + branches: + - master + jobs: - publish: + release-plz-pr: + name: Release-plz PR runs-on: ubuntu-latest + if: ${{ github.repository_owner == 'Dstack-TEE' }} + permissions: + contents: write + pull-requests: write + concurrency: + group: release-plz-${{ github.ref }} + cancel-in-progress: false + steps: + - uses: actions/checkout@v5 + with: + fetch-depth: 0 + persist-credentials: false + - uses: dtolnay/rust-toolchain@stable + - name: Run release-plz + uses: release-plz/action@v0.5 + with: + command: release-pr + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + release-plz-release: + name: Release-plz release + runs-on: ubuntu-latest + if: ${{ github.repository_owner == 'Dstack-TEE' }} environment: sdk-release permissions: + contents: write + pull-requests: read id-token: write steps: - - uses: actions/checkout@v5 - - uses: rust-lang/crates-io-auth-action@v1 - id: auth - - run: cargo publish -p dstack-sdk-types - env: - CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} - - run: cargo publish -p dstack-sdk - env: - CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} - + - uses: actions/checkout@v5 + with: + fetch-depth: 0 + persist-credentials: false + - uses: dtolnay/rust-toolchain@stable + - name: Run release-plz + uses: release-plz/action@v0.5 + with: + command: release + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/release-plz.toml b/release-plz.toml new file mode 100644 index 000000000..3fc0bd23c --- /dev/null +++ b/release-plz.toml 
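Review bot: The `release-plz-release` job holds `id-token: write` and `contents: write`, yet every action it runs is referenced by a mutable ref (`actions/checkout@v5`, `dtolnay/rust-toolchain@stable`, `release-plz/action@v0.5`), so anyone able to move one of those refs gets code execution in the job that can obtain a crates.io publish credential. Pin each action to a full commit SHA and keep the tag as a comment, e.g. `uses: release-plz/action@<FULL_COMMIT_SHA> # v0.5`, in both jobs. Separately, the patch edits `.github/workflows/rust-sdk-release.yml` in place without renaming it, while the description's follow-up re-points the trusted publisher entries to `release-plz.yml`. If crates.io matches on the workflow filename, as I believe it does, either rename the file in this commit or leave the entries pointing at the existing name. A short comment above `environment: sdk-release` saying the trusted publisher entries should stay bound to that environment would keep publishing gated by its protection rules.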
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: © 2026 Phala Network
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# release-plz only manages the public SDK crates. Every other workspace
+# member is internal and must never be published to crates.io.
+
+[workspace]
+release = false
+pr_branch_prefix = "release-plz/"
+pr_labels = ["release"]
+semver_check = true
+changelog_update = true
+
+[[package]]
+name = "dstack-sdk-types"
+release = true
+
+[[package]]
+name = "dstack-sdk"
+release = true
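Review bot: The header comment promises that internal crates "must never be published", but `release = false` under `[workspace]` only stops release-plz from releasing them; a manual or scripted `cargo publish -p <crate>` is unaffected. The internal members' Cargo.toml files are not part of this patch, so if they do not already set `publish = false`, that is where the guarantee should be enforced. I would reword the comment to say so, e.g. `# release = false only constrains release-plz; internal crates must also set publish = false in their Cargo.toml.` A new workspace member is excluded by default, which is the right direction for an allowlist.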