Skip to content

ci: Add release workflow and documentation #176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
arcjet-rei wants to merge 2 commits into
base: main
Choose a base branch
from
Open

ci: Add release workflow and documentation #176

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
39ee61d
chore: Add Renovate configuration for automated dependency updates
arcjet-rei Mar 12, 2026
6322acc
ci: Add release workflow and documentation for publishing to crates.io
arcjet-rei Mar 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 114 additions & 0 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
name: Release

on:
push:
tags:
- "v*"

permissions:
contents: write

jobs:
test:
name: Test before release
runs-on: ubuntu-latest
steps:
- name: Step Security
uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
objects.githubusercontent.com:443
release-assets.githubusercontent.com:443
github.com:443
index.crates.io:443
static.crates.io:443
static.rust-lang.org:443
proxy.golang.org:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: stable

- name: Install Rust
uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9
with:
toolchain: stable

- name: cargo build
run: cargo build --locked --verbose
env:
CARGO_TERM_COLOR: always

- name: cargo test
run: cargo test --locked --verbose
env:
CARGO_TERM_COLOR: always

- name: go test
run: |
go generate ./...
go test ./...

- name: run snapshot tests
run: cargo test --locked --verbose --test cli

publish:
name: Publish to crates.io
needs: test
runs-on: ubuntu-latest
Copy link
Copy Markdown
Contributor

@davidmytton davidmytton Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you put this into an environment then we can set the secret there and have a manual step to have someone else approve the release like we do with JS and PY SDKs

https://github.com/arcjet/arcjet-py/blob/239a23fef0cd417640b1c6ec7861ebd21a7dab6e/.github/workflows/release.yml#L14-L16

steps:
- name: Step Security
uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
crates.io:443
index.crates.io:443
static.crates.io:443
static.rust-lang.org:443
github.com:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install Rust
uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9
with:
toolchain: stable

- name: Publish
Copy link
Copy Markdown
Contributor

@davidmytton davidmytton Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use trusted publishing instead?

https://crates.io/docs/trusted-publishing

run: cargo publish -p arcjet-gravity --locked
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
CARGO_TERM_COLOR: always

github-release:
name: Create GitHub Release
needs: publish
runs-on: ubuntu-latest
steps:
- name: Step Security
uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
uploads.github.com:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Create GitHub Release
env:
GH_TOKEN: ${{ github.token }}
run: gh release create "${{ github.ref_name }}" --generate-notes
44 changes: 44 additions & 0 deletions RELEASE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# Release

Publishing to crates.io is automated via GitHub Actions but requires a manual
tag push to initiate.

## Prerequisites

A `CARGO_REGISTRY_TOKEN` secret must be configured in the repository's GitHub
settings (Settings → Secrets and variables → Actions). This token must have
publish permissions for the `arcjet-gravity` crate on crates.io.

## Process

It looks like this:

1. Update the version in `cmd/gravity/Cargo.toml` and land the change on `main`.
2. Tag the release commit and push the tag:
```sh
git tag v0.1.0
git push origin v0.1.0
```
3. The [Release workflow](.github/workflows/release.yml) runs automatically:
1. **Test** — runs the full test suite (cargo test, go test, snapshot tests).
2. **Publish** — publishes `arcjet-gravity` to crates.io.
3. **GitHub Release** — creates a GitHub Release with auto-generated notes.
4. Verify the release on [crates.io](https://crates.io/crates/arcjet-gravity)
and on the repository's
[Releases page](https://github.com/arcjet/gravity/releases).

## Versioning

This project follows [Semantic Versioning](https://semver.org/). While the
project is in early development (`0.x`), minor version bumps may include
breaking changes.

## Troubleshooting

- **Publish fails with permission error**: check that the `CARGO_REGISTRY_TOKEN`
secret is set and the token has not expired.
- **Publish fails with version conflict**: the version in `Cargo.toml` must be
greater than the latest published version on crates.io. You cannot re-publish
a version that has already been published.
- **Tests fail**: the release is aborted. Fix the issue on `main`, delete the
tag (`git push origin :refs/tags/v0.1.0`), and start again.
49 changes: 49 additions & 0 deletions renovate.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [":dependencyDashboardApproval"],
"enabledManagers": ["cargo", "github-actions"],
"minimumReleaseAge": "7 days",
"schedule": [],
"updateNotScheduled": false,
"semanticCommitScope": "",
"semanticCommitType": "deps",
"packageRules": [
{
"matchManagers": ["github-actions"],
"dependencyDashboardCategory": "GitHub Actions updates"
},
{
"matchManagers": ["cargo"],
"dependencyDashboardCategory": "Rust updates"
},
{
"matchDepTypes": ["devDependencies"],
"semanticCommitScope": "dev",
"semanticCommitType": "deps",
"automerge": true
},
{
"matchUpdateTypes": ["patch"],
"automerge": true
},
{
"matchUpdateTypes": ["lockFileMaintenance"],
"automerge": true
}
],
"lockFileMaintenance": {
"enabled": true
},
"prBodyTemplate": "{{{header}}}{{{table}}}{{{warnings}}}{{{notes}}}{{{changelogs}}}",
"prBodyColumns": ["Package", "Change"],
"ignorePresets": ["mergeConfidence:all-badges"],
"vulnerabilityAlerts": {
"groupName": null,
"dependencyDashboardApproval": true,
"rangeStrategy": "update-lockfile",
"commitMessageSuffix": "[security]",
"branchTopic": "{{{datasource}}}-{{{depNameSanitized}}}-vulnerability",
"prCreation": "immediate",
"vulnerabilityFixStrategy": "lowest"
}
}
Loading