ci: add Rust release workflows for aws-db-esdk #2280
Publishes the aws-db-esdk crate to crates.io via GitHub Actions using a crates.io API token issued under the Crypto Tools CI bot account (stored as the CARGO_REGISTRY_TOKEN repo secret, gated by the crates-io-publish environment). Manual workflow_dispatch only. Version is taken from Cargo.toml; the optional input acts as a typo safeguard. Towards: P432256706
Detected changes to the release files or to the check-files action
Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS
Pull request overview
Adds a manual Rust release workflow to publish the releases/rust/db_esdk crate (aws-db-esdk) to crates.io via an environment-gated Cargo registry token.
Changes:
- Adds a `workflow_dispatch`-only Rust release workflow.
- Reads and optionally validates the crate version before publishing.
- Performs a Cargo dry run, then publishes using `CARGO_REGISTRY_TOKEN`.
- Match existing repo workflow style (Setup Rust Toolchain naming, explicit shell: bash, longpaths step, actions/checkout@v6 unnamed).
- Drop --locked: releases/rust/db_esdk/ does not commit Cargo.lock per start_release.sh; --locked would always fail.
- Replace fragile python3 cargo metadata parsing with jq.
- Run `./test_published.sh` after publishing (RELEASE.md step 9), with AWS creds for the KMS/DDB calls in examples/main.rs.
- Poll crates.io for the new version before running test_published.sh to mitigate index propagation lag.
- Add rust-start-release.yml that runs DynamoDbEncryption/runtimes/rust/start_release.sh end-to-end on a CI runner and opens a release PR, removing the need to run start_release.sh on a developer laptop (RELEASE.md steps 1-6).
- rust-release.yml continues to handle steps 7-10 (cargo publish + test_published.sh) and is intended to be dispatched on the release PR's branch before merging, per RELEASE.md.
- Drop the silent leading-'v' strip in rust-release.yml's version check; N.N.N is the only valid form (per start_release.sh's regex), so accepting 'v1.2.5' contradicted the input description.
Address PR review feedback:
- Drop the misleading 'or after merging' option from the generated PR body; rust-release.yml must run on the unmerged PR's branch.
- Hard-fail dispatch on a non-default branch via 'if' guard, and pass ref: main explicitly to actions/checkout to avoid mixing in unrelated branch changes when someone dispatches from a feature branch.
- Push the release branch and open the PR using the Crypto Tools CI bot's PAT (pulled from AWS Secrets Manager via the existing GitHub-CI-CI-Bot-Credential-Access-Role) instead of the default GITHUB_TOKEN, so the resulting pull_request event triggers the repo's normal required-checks workflows. Mirrors semantic_release.yml.
Issue #, if available:
Description of changes:
Adds two GHA workflows that move RELEASE.md off developer laptops:
`rust-start-release.yml` regenerates `releases/rust/db_esdk/` and opens the release PR (steps 1–6), and `rust-release.yml` publishes `aws-db-esdk` to crates.io and runs `test_published.sh` on the release PR's branch (steps 7–10).
Squash/merge commit message, if applicable:
ci: add Rust release workflows for aws-db-esdk
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
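
The version gate the commits above describe (version taken from the manifest, the optional input as a typo safeguard, N.N.N only with no leading 'v' strip), as an added example that is not the project's workflow code. The function names, the N.N.N pattern and the awk manifest reader (an offline stand-in for reading `cargo metadata`) are assumptions, and the sample manifest is constructed.

```bash
# Added example: pre-publish version gate (all names hypothetical).
# Written in POSIX sh syntax, so it also runs under `shell: bash`.

# True only for N.N.N: digits and dots, no leading 'v', no suffix (assumed pattern).
is_nnn() {
  V=$1 awk 'BEGIN { exit !(ENVIRON["V"] ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) }'
}

# Print the version from the [package] table only, so a version key under a
# [dependencies.*] table is never picked up. Offline stand-in for `cargo metadata`.
crate_version() {
  awk '
    /^\[/ { in_pkg = ($0 ~ /^\[package\][ \t]*$/) }
    in_pkg && /^version[ \t]*=/ {
      if (match($0, /"[^"]*"/)) { print substr($0, RSTART + 1, RLENGTH - 2); exit }
    }
  ' "$1"
}

# check_release_version MANIFEST [EXPECTED]: print the manifest version and
# return 0 only if it is N.N.N and, when EXPECTED is given, identical to it.
check_release_version() {
  actual=$(crate_version "$1")
  expected=${2:-}
  is_nnn "$actual" ||
    { echo "error: manifest version '$actual' is not N.N.N" >&2; return 1; }
  if [ -n "$expected" ]; then
    is_nnn "$expected" ||
      { echo "error: input '$expected' is not N.N.N" >&2; return 1; }
    [ "$expected" = "$actual" ] ||
      { echo "error: input '$expected' != manifest '$actual'" >&2; return 1; }
  fi
  printf '%s\n' "$actual"
}

# Constructed sample manifest (not the project's Cargo.toml).
SAMPLE_MANIFEST=$(mktemp)
cat > "$SAMPLE_MANIFEST" <<'EOF'
[dependencies.example]
version = "9.9.9"

[package]
name = "sample-crate"
version = "1.2.5"
EOF

check_release_version "$SAMPLE_MANIFEST" 1.2.5           # accepted
check_release_version "$SAMPLE_MANIFEST" v1.2.5 || true  # rejected
```

Rejecting a malformed input outright, instead of normalising it, keeps the safeguard meaningful: a value that does not literally equal the manifest version stops the job before `cargo publish` runs.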