ci: cut over release-please to Rust binary + npm trusted publishing #42
Re-point the release pipeline from the deprecated TypeScript line to the actually-published artifact (`npm/csp` distributing the Rust binary), and fix the first release version.

- release-please-config.json: pin first release via `initial-version: 0.1.0` (manifest is 0.0.0, so release-please ignored the pre-major bump flags and defaulted to 1.0.0); track the real sources via extra-files — npm/csp package.json (json) and Cargo.toml (generic), dropping the dead src/version.ts.
- Cargo.toml: annotate the workspace version line so release-please bumps it; both crates use version.workspace=true, so one line covers them.
- package.json (root): mark private to prevent accidental publish of the unpublished TS package that shares the @pleaseai/csp name.
- release-rust.yml: add workflow_call so it can be reused by the release pipeline.
- release-please.yml: replace the TS `bun build` job with a reusable Rust build (6 targets) + a publish-npm job that generates the per-platform packages and publishes them via npm Trusted Publishing (OIDC, no NPM_TOKEN; provenance automatic). Homebrew job now depends on the Rust build+upload.
No actionable comments were generated in the recent review.
Code Review
This pull request configures release-please by marking the package as private, setting an initial version, and updating the tracked extra-files. The review feedback highlights that src/version.ts was removed from the release configuration but still exists in the repository, which could lead to version mismatches if it is still active.
Up to standards ✅
| Metric | Results |
|---|---|
| Complexity | 0 |
| Duplication | 0 |
eslint yaml/plain-scalar flagged the quoted description on the reused workflow_call input.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
1 issue found and verified against the latest diff
Actionable comments posted: 2
Inline comments:
In @.github/workflows/release-please.yml:

- Around line 92-94: The actions/checkout action in the publish job is using default settings which persist Git credentials, creating unnecessary security exposure. Modify the checkout step (the one at lines 92-94 with actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) by adding a with parameter to explicitly disable credential persistence with `persist-credentials: false`, since this job does not perform any git push operations.
- Around line 73-77: The workflow call to release-rust.yml uses `secrets: inherit` which passes all available secrets to the called workflow, violating least-privilege principles. Replace `secrets: inherit` with an explicit secrets mapping that only passes the GITHUB_TOKEN secret that is actually needed for the release job, similar to how `secrets: { GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} }` would restrict access to only what is required.
Files selected for processing (5):

- .github/workflows/release-please.yml
- .github/workflows/release-rust.yml
- Cargo.toml
- package.json
- release-please-config.json
- re-add src/version.ts to extra-files (still imported by src/cli.ts + src/index.ts; would otherwise freeze at 0.0.0) — gemini, cubic
- drop secrets: inherit from the reusable workflow call (github.token is available without it; least-privilege) — coderabbit
- set persist-credentials: false on the publish-npm checkout (read+publish only, never pushes) — coderabbit
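The two CodeRabbit findings, applied the way the follow-up resolves them (no `secrets:` key at all, since `github.token` already reaches the called workflow; `persist-credentials: false` on the publish checkout) together with the `id-token: write` permission that OIDC-based npm Trusted Publishing needs. This is an added example, not the PR's own `release-please.yml`: the job names, the `version` output of the reusable workflow, the Node version and the script path are assumptions; the checkout SHA is the one pinned in the PR.

```yaml
# Added example (not the PR's workflow). Job names, the `version` output,
# the Node version and the script path are assumptions.
jobs:
  rust-build:
    # Reusable Rust build + asset upload. Deliberately no `secrets:` key:
    # the called workflow already sees `github.token`, and `secrets: inherit`
    # would forward every repository secret it has no use for.
    uses: ./.github/workflows/release-rust.yml
    permissions:
      contents: write          # needed to upload release assets (assumed)

  publish-npm:
    needs: rust-build
    runs-on: ubuntu-latest
    permissions:
      contents: read           # reads the repo, never pushes
      id-token: write          # mints the OIDC token npm Trusted Publishing verifies
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
        with:
          persist-credentials: false   # nothing in this job runs `git push`

      - uses: actions/setup-node@v4
        with:
          node-version: 22                        # assumed; needs an npm with OIDC support
          registry-url: https://registry.npmjs.org

      - name: Generate per-platform packages
        # Version comes in through env, not interpolated into the shell line,
        # so a hostile value cannot be spliced into the command.
        env:
          VERSION: ${{ needs.rust-build.outputs.version }}   # output name is assumed
        run: node path/to/generate-platform-packages.mjs "$VERSION"   # path is a placeholder

      - name: Publish
        # No NPM_TOKEN anywhere: npm exchanges the job's OIDC token for a
        # short-lived publish credential and attaches provenance automatically.
        working-directory: npm/csp
        run: npm publish
```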
Summary

Re-points the release pipeline from the deprecated TypeScript line to the actually-published artifact (`npm/csp` distributing the Rust binary), and fixes the first release version (currently resolving to `1.0.0` on #41).

Why

`1.0.0` instead of `0.1.0`. `release-please-manifest.json` is `0.0.0`, which release-please treats as a bootstrap state. On the first release it ignores `bump-minor-pre-major`/`bump-patch-for-minor-pre-major` and falls back to its default initial version (`1.0.0`). `initial-version: 0.1.0` pins it.

Changes

- `release-please-config.json`: `initial-version: 0.1.0`; `extra-files` now track `npm/csp/package.json` (json) + `Cargo.toml` (generic), dropping dead `src/version.ts`.
- `Cargo.toml`: annotate `[workspace.package] version` for release-please bump (both crates use `version.workspace = true`).
- root `package.json`: `private: true` — prevents accidental publish of the unpublished TS package sharing the `@pleaseai/csp` name.
- `release-rust.yml`: add `workflow_call` (reusable).
- `release-please.yml`: replace TS `bun build` job with reusable Rust build (6 targets) + `publish-npm` job that runs `generate-platform-packages.mjs` and publishes via **npm Trusted Publishing (OIDC, no token, automatic provenance)**. Homebrew job depends on the Rust build.

Version flow (single line)

release-please `0.1.0` → Cargo workspace version (`csp --version`) → `npm/csp` + generated platform packages + optionalDependencies pins → GH release tag → Homebrew.

Verified locally with a dry-run of `generate-platform-packages.mjs 0.1.0`: 6 platform packages + wrapper all stamped `0.1.0`, optionalDependencies pinned consistently.

- (`@pleaseai/csp` + 6 platform packages) on npmjs.com → Repository `pleaseai/code-search`, Workflow `release-please.yml`. Note the first-publish bootstrapping caveat for not-yet-existing package names.
- `0.1.0` — merge that updated PR (do not merge chore(main): release 0.1.0 #41 as-is).

Test plan

- `generate-platform-packages.mjs` dry-run produces expected dist tree + version stamping

Summary by cubic
Cut over the release pipeline to build and ship the Rust binary and publish `@pleaseai/csp` via npm Trusted Publishing. Pins the first release to 0.1.0 and keeps versions aligned across Cargo and `npm/csp`.

Refactors

- `release-rust.yml` that cross-compiles 6 targets and uploads assets; expose `workflow_call`.
- `persist-credentials: false`.
- `initial-version: 0.1.0`; track versions in `npm/csp/package.json`, `Cargo.toml` (annotated), and re-add `src/version.ts`; mark the root `package.json` as `private`.

Migration

- `@pleaseai/csp` and all platform packages pointing to this repo and `release-please.yml`.

Written for commit 92f504f.