Evalir
left a comment
Overview
Solid refactor: adds package, dry-run, requires-private-deps, require-lockfile inputs, declares secrets explicitly, tightens permissions: {}, sets persist-credentials: false, and replaces cargo build --release + cargo package --allow-dirty + cargo publish with a single cargo publish (which does both internally). Docs and example are updated. Net positive.
Issues
1. ssh-agent version regression (please fix)
.github/workflows/release-crates.yml uses webfactory/ssh-agent@v0.9.1. Every other workflow in this repo (rust-base.yml, ecr-build-and-push.yml) uses @v0.10.0 — bumped repo-wide in commit a27dbc2. Bump this one to @v0.10.0 for consistency.
2. examples/example-cargo-publish.yml is now broken and redundant
The existing examples/example-cargo-publish.yml calls release-crates.yml with binary-name: 'my-binary', which is not (and never was) an input on that workflow — it looks like it was copy-pasted from release-rust-bin.yml. This PR adds the proper examples/example-release-crates.yml, so the stale broken one should be deleted in this PR to avoid confusion.
3. Caller-level contents: write in the example is misleading
examples/example-release-crates.yml:
permissions:
  contents: write
The reusable workflow declares permissions: {}, and a pure crates.io publish doesn't need contents: write. Either drop the block or set it to permissions: {} so users don't copy an over-permissioned template.
4. Behavioral change: --allow-dirty is gone
The previous workflow ran cargo package --allow-dirty. The new one doesn't pass --allow-dirty to cargo publish. This is a (good) tightening, but any caller relying on publishing with uncommitted/generated files in the worktree will start failing verification. Worth calling out in the PR description, or expose allow-dirty as an opt-in input if there's a real use case.
5. Behavioral change: runner switched from GitHub-hosted to self-hosted
Old: runs-on: ubuntu-24.04-arm (GitHub-hosted). New: runs-on: { group: init4-runners }. Consistent with the rest of the repo, but means external/community repos using this reusable workflow won't have access. Worth noting in the PR description.
Nits
- Token validation runs late: the CARGO_REGISTRY_TOKEN guard fires inside the publish step, after checkout / ssh-agent / toolchain / cache setup. If you want fail-fast UX, lift it into a tiny pre-flight step right after checkout. Not blocking.
- Workspace edge case: docs say "When empty, publishes the root crate." For a virtual workspace manifest (no [package] in root Cargo.toml), cargo publish errors without --package. Worth a sentence in the docs.
- docs/release-crates.md: top "Required Configuration" snippet shows secrets: CARGO_REGISTRY_TOKEN but doesn't mention it's optional when dry-run: true. The "Optional Secrets" section says so; a one-liner inline would help.
Verdict
LGTM with the v0.10.0 ssh-agent bump and deletion of examples/example-cargo-publish.yml. Everything else is optional polish.
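The fail-fast token guard and the virtual-workspace caveat from the nits above, as an added shell example (not code from the PR or the repo): a pre-flight step that runs right after checkout. The environment variable names DRY_RUN and PACKAGE and the function names are this example's own assumptions.

```shell
# Added example, not part of the PR. Pre-flight checks for the release-crates
# workflow, intended as a step right after checkout so a missing token or an
# unpublishable virtual workspace fails before toolchain/cache setup.
# Assumed inputs: DRY_RUN ("true"/"false"), CARGO_REGISTRY_TOKEN, PACKAGE and
# the path to the root Cargo.toml.

# Returns 0 when the token requirement is met: a real publish needs
# CARGO_REGISTRY_TOKEN, a dry run does not.
check_token() {
  local dry_run="$1" token="$2"
  if [ "$dry_run" = "true" ]; then
    return 0
  fi
  if [ -z "$token" ]; then
    echo "CARGO_REGISTRY_TOKEN is required unless dry-run is true" >&2
    return 1
  fi
  return 0
}

# Returns 0 if the manifest declares a [package] table. A root manifest with
# only [workspace] is a virtual workspace and cargo publish needs --package.
manifest_has_package() {
  grep -Eq '^[[:space:]]*\[package\][[:space:]]*$' "$1"
}

# Returns 0 when the package selection is publishable: the root crate exists
# or an explicit package was named.
check_package() {
  local manifest="$1" package="$2"
  if [ -n "$package" ]; then
    return 0
  fi
  if manifest_has_package "$manifest"; then
    return 0
  fi
  echo "root Cargo.toml is a virtual workspace; set the 'package' input" >&2
  return 1
}

# Runs both checks; the exit status becomes the step result.
preflight() {
  check_token "$1" "$2" && check_package "$3" "$4"
}

# Usage inside a workflow step:
# preflight "${DRY_RUN:-false}" "${CARGO_REGISTRY_TOKEN:-}" Cargo.toml "${PACKAGE:-}"
```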