Skip to content

refactor crates.io #114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rymcol wants to merge 2 commits into
base: main
Choose a base branch
from
Open

refactor crates.io #114

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5e0c182
refactor crates.io
rymcol Apr 13, 2026
a799984
add PR review suggestions from /review
rymcol Apr 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 71 additions & 18 deletions .github/workflows/release-crates.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,24 +1,77 @@
name: Release Crates
on:
workflow_call:
inputs:
package:
description: 'Specific package to publish (for workspaces). When empty, publishes the root crate.'
required: false
default: ''
type: string
dry-run:
description: 'Run cargo publish with --dry-run instead of actually publishing'
required: false
default: false
type: boolean
requires-private-deps:
description: 'Requires private dependencies to be fetched, sets up ssh-agent'
required: false
default: false
type: boolean
require-lockfile:
description: 'Require a Cargo.lock file to be present; passes --locked to cargo'
required: false
default: false
type: boolean
secrets:
CARGO_REGISTRY_TOKEN:
description: 'The crates.io API token used to publish'
required: false
SSH_PRIVATE_KEY:
description: 'SSH private key for fetching private dependencies'
required: false
SSH_PRIVATE_KEY_2:
description: 'SSH private key for fetching private dependencies'
required: false
SSH_PRIVATE_KEY_3:
description: 'SSH private key for fetching private dependencies'
required: false

permissions:
contents: write
permissions: {}

jobs:
release_crates:
runs-on: ubuntu-24.04-arm
steps:
- uses: actions/checkout@v6
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Cargo Build Release
run: cargo build --release
- name: Cargo Package
run: cargo package --allow-dirty
- name: Publish to Crates.io
run: cargo publish
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

release_crates:
runs-on:
group: init4-runners
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Setup ssh-agent
if: ${{ inputs.requires-private-deps == true }}
uses: webfactory/ssh-agent@v0.9.1
with:
ssh-private-key: |
${{ secrets.SSH_PRIVATE_KEY }}
${{ secrets.SSH_PRIVATE_KEY_2 }}
${{ secrets.SSH_PRIVATE_KEY_3 }}
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Publish to crates.io
env:
CARGO_NET_GIT_FETCH_WITH_CLI: true
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
PACKAGE: ${{ inputs.package }}
LOCKED: ${{ inputs.require-lockfile }}
DRY_RUN: ${{ inputs.dry-run }}
run: |
if [ "$DRY_RUN" != "true" ] && [ -z "$CARGO_REGISTRY_TOKEN" ]; then
echo "::error::CARGO_REGISTRY_TOKEN is required when dry-run is false"
exit 1
fi
args=()
[ -n "$PACKAGE" ] && args+=(--package "$PACKAGE")
[ "$LOCKED" = "true" ] && args+=(--locked)
[ "$DRY_RUN" = "true" ] && args+=(--dry-run)
cargo publish "${args[@]}"
58 changes: 58 additions & 0 deletions docs/release-crates.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,64 @@
```yml
release-crates:
uses: init4tech/actions/.github/workflows/release-crates.yml@main
secrets:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
```

## Optional Parameters

### `package`

**Description:** Specific package to publish (for workspaces). When empty, publishes the root crate.

**Type**: `string`

**Default Value:** `''`

### `dry-run`

**Description:** Runs `cargo publish --dry-run` instead of actually publishing to crates.io

**Type**: `boolean`

**Default Value:** `false`

**Allowed values:** `false`, `true`

### `requires-private-deps`

**Description:** Will require the use of private dependencies in the repository, meaning an ssh key needs to be added to ssh-agent

**Type**: `boolean`

**Default Value:** `false`

**Allowed values:** `false`, `true`

### `require-lockfile`

**Description:** Will require a `Cargo.lock` file to be present and pass `--locked` to cargo. Note: many publishable libraries `.gitignore` `Cargo.lock`; only enable this if the lockfile is committed.

**Type**: `boolean`

**Default Value:** `false`

**Allowed values:** `false`, `true`

## Optional Secrets

### `CARGO_REGISTRY_TOKEN`

**Description:** The crates.io API token used to publish the crate. Required unless `dry-run` is set to `true`.

### `SSH_PRIVATE_KEY`

**Description:** The SSH private key to be used for private dependencies, required if `requires-private-deps` is set to `true`

### `SSH_PRIVATE_KEY_2`

**Description:** Additional SSH private key for private dependencies

### `SSH_PRIVATE_KEY_3`

**Description:** Additional SSH private key for private dependencies
27 changes: 19 additions & 8 deletions examples/example-release-crates.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,29 @@
name: add binaries to release
name: Release crate to crates.io
on:
push:
tags:
- 'v*'
- 'v*'
# this will trigger anytime a tag is pushed matching the regex v* (v1.0.0, v2.0.0, etc.)

permissions:
contents: write

# this job will compile your rust project and publish the to crates.io
# the job will run the following steps:
# - cargo build --release
# - cargo package
# - cargo publish
# this job will publish your rust crate to crates.io via `cargo publish`.
jobs:
upload-binaries:
release-crates:
uses: init4tech/actions/.github/workflows/release-crates.yml@main
with:
# Uncomment to publish a specific workspace package
# package: my-crate
# Uncomment to require a committed Cargo.lock
# require-lockfile: true
# Uncomment when the crate depends on private git repositories
# requires-private-deps: true
# Uncomment to exercise the workflow without publishing
# dry-run: true
secrets:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
# Only needed when requires-private-deps is true
# SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
# SSH_PRIVATE_KEY_2: ${{ secrets.SSH_PRIVATE_KEY_2 }}
# SSH_PRIVATE_KEY_3: ${{ secrets.SSH_PRIVATE_KEY_3 }}