Add GitHub Action for crates.io publishing with manual approval

tdi · claude · tdi · commit 1da4e840153f · 2025-08-24T16:57:41.000+02:00
- Create publish.yml workflow for releasing to crates.io - Requires manual approval via 'crates-io' environment - Supports both manual trigger and release event trigger - Verifies version, runs tests, and validates package before publish - Uses CARGO_REGISTRY_TOKEN secret for authentication - Builds release artifacts for Linux and macOS after publishing - Add comprehensive setup documentation in docs/GITHUB_SETUP.md The workflow ensures safe publishing with: - Version verification - Test suite validation - Manual approval gate - Automatic binary builds - SHA256 checksums for releases 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,224 @@
+name: Publish to crates.io
+
+on:
+  release:
+    types: [created]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to publish (e.g., 0.1.0)'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+jobs:
+  verify:
+    name: Verify Release
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.get_version.outputs.version }}
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@stable
+    
+    - name: Get version
+      id: get_version
+      run: |
+        if [ "${{ github.event_name }}" == "release" ]; then
+          VERSION="${{ github.event.release.tag_name }}"
+          VERSION="${VERSION#v}"  # Remove 'v' prefix if present
+        else
+          VERSION="${{ github.event.inputs.version }}"
+        fi
+        echo "version=$VERSION" >> $GITHUB_OUTPUT
+        
+        # Verify version in Cargo.toml matches
+        CARGO_VERSION=$(grep "^version" Cargo.toml | sed 's/version = "\(.*\)"/\1/')
+        if [ "$CARGO_VERSION" != "$VERSION" ]; then
+          echo "Error: Cargo.toml version ($CARGO_VERSION) doesn't match release version ($VERSION)"
+          exit 1
+        fi
+        echo "✅ Version $VERSION confirmed"
+    
+    - name: Check crate name availability
+      run: |
+        if curl -s https://crates.io/api/v1/crates/ccagents | grep -q '"name":"ccagents"'; then
+          echo "✅ Crate already exists, will publish new version"
+        else
+          echo "✅ Crate name is available for first publish"
+        fi
+    
+    - name: Run tests
+      run: |
+        cargo test --all-features
+        cargo clippy -- -D warnings
+        cargo fmt -- --check
+    
+    - name: Verify package
+      run: |
+        cargo publish --dry-run
+        echo "✅ Package verification successful"
+
+  publish-crates:
+    name: Publish to crates.io
+    needs: verify
+    runs-on: ubuntu-latest
+    environment: crates-io
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@stable
+    
+    - name: Publish to crates.io
+      env:
+        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+      run: |
+        cargo publish --token "$CARGO_REGISTRY_TOKEN"
+        echo "✅ Published version ${{ needs.verify.outputs.version }} to crates.io"
+    
+    - name: Wait for crates.io
+      run: |
+        echo "Waiting for crates.io to index the new version..."
+        sleep 30
+        
+    - name: Verify publication
+      run: |
+        VERSION="${{ needs.verify.outputs.version }}"
+        if curl -s https://crates.io/api/v1/crates/ccagents | grep -q "\"max_version\":\"$VERSION\""; then
+          echo "✅ Version $VERSION successfully published to crates.io"
+        else
+          echo "⚠️ Version may still be indexing on crates.io"
+        fi
+
+  create-release-artifacts:
+    name: Create Release Artifacts
+    needs: [verify, publish-crates]
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+            binary_name: ccagents
+            asset_name: ccagents-linux-amd64
+          
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-musl
+            binary_name: ccagents
+            asset_name: ccagents-linux-musl-amd64
+          
+          - os: ubuntu-latest
+            target: aarch64-unknown-linux-gnu
+            binary_name: ccagents
+            asset_name: ccagents-linux-arm64
+          
+          - os: macos-latest
+            target: x86_64-apple-darwin
+            binary_name: ccagents
+            asset_name: ccagents-macos-amd64
+          
+          - os: macos-latest
+            target: aarch64-apple-darwin
+            binary_name: ccagents
+            asset_name: ccagents-macos-arm64
+
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        targets: ${{ matrix.target }}
+    
+    - name: Install cross-compilation tools
+      if: matrix.target == 'aarch64-unknown-linux-gnu'
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y gcc-aarch64-linux-gnu
+    
+    - name: Install musl tools
+      if: matrix.target == 'x86_64-unknown-linux-musl'
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y musl-tools
+    
+    - name: Build
+      run: cargo build --release --target ${{ matrix.target }}
+    
+    - name: Strip binary (Linux/macOS)
+      if: matrix.os != 'windows-latest'
+      run: |
+        strip target/${{ matrix.target }}/release/${{ matrix.binary_name }}
+    
+    - name: Create archive
+      run: |
+        cd target/${{ matrix.target }}/release
+        tar czf ../../../${{ matrix.asset_name }}.tar.gz ${{ matrix.binary_name }}
+        cd ../../../
+        sha256sum ${{ matrix.asset_name }}.tar.gz > ${{ matrix.asset_name }}.tar.gz.sha256
+    
+    - name: Upload to release
+      if: github.event_name == 'release'
+      uses: softprops/action-gh-release@v1
+      with:
+        files: |
+          ${{ matrix.asset_name }}.tar.gz
+          ${{ matrix.asset_name }}.tar.gz.sha256
+    
+    - name: Upload artifacts (manual trigger)
+      if: github.event_name == 'workflow_dispatch'
+      uses: actions/upload-artifact@v3
+      with:
+        name: binaries-${{ matrix.asset_name }}
+        path: |
+          ${{ matrix.asset_name }}.tar.gz
+          ${{ matrix.asset_name }}.tar.gz.sha256
+
+  create-tag:
+    name: Create Git Tag
+    needs: [verify, publish-crates]
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch'
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    
+    - name: Configure Git
+      run: |
+        git config user.name "GitHub Actions"
+        git config user.email "actions@github.com"
+    
+    - name: Create and push tag
+      run: |
+        VERSION="${{ needs.verify.outputs.version }}"
+        git tag -a "v$VERSION" -m "Release version $VERSION"
+        git push origin "v$VERSION"
+        echo "✅ Created tag v$VERSION"
+    
+    - name: Create GitHub Release
+      uses: softprops/action-gh-release@v1
+      with:
+        tag_name: v${{ needs.verify.outputs.version }}
+        name: v${{ needs.verify.outputs.version }}
+        body: |
+          ## 🚀 Released to crates.io
+          
+          Version ${{ needs.verify.outputs.version }} has been published to [crates.io](https://crates.io/crates/ccagents).
+          
+          ### Installation
+          
+          ```bash
+          cargo install ccagents
+          ```
+          
+          ### Changes
+          
+          See [CHANGELOG.md](https://github.com/Bitropy/ccagents/blob/main/CHANGELOG.md) for details.
+        draft: false
+        prerelease: false
diff --git a/docs/GITHUB_SETUP.md b/docs/GITHUB_SETUP.md
@@ -0,0 +1,110 @@
+# GitHub Repository Setup for Publishing
+
+This guide explains how to configure your GitHub repository for automated publishing to crates.io.
+
+## 1. Create the crates-io Environment
+
+1. Go to your repository settings: `https://github.com/Bitropy/ccagents/settings/environments`
+2. Click **"New environment"**
+3. Name it exactly: `crates-io`
+4. Configure the environment:
+   - ✅ **Required reviewers**: Add yourself or team members who should approve releases
+   - ✅ **Deployment branches**: Restrict to `main` branch only
+5. Click **"Save protection rules"**
+
+## 2. Add the CARGO_REGISTRY_TOKEN Secret
+
+### Get your crates.io token:
+1. Login to [crates.io](https://crates.io) with your GitHub account
+2. Go to [Account Settings](https://crates.io/me)
+3. Click on **"API Tokens"**
+4. Click **"New Token"**
+5. Name it: `ccagents-github-actions`
+6. Copy the token (you won't see it again!)
+
+### Add to GitHub:
+1. Go to `https://github.com/Bitropy/ccagents/settings/secrets/actions`
+2. Click **"New repository secret"**
+3. Name: `CARGO_REGISTRY_TOKEN`
+4. Value: Paste your crates.io token
+5. Click **"Add secret"**
+
+## 3. How to Use the Workflows
+
+### Option 1: Manual Release (Recommended for first release)
+
+1. Go to the **Actions** tab
+2. Select **"Publish to crates.io"** workflow
+3. Click **"Run workflow"**
+4. Enter the version (e.g., `0.1.0`)
+5. Click **"Run workflow"**
+6. Wait for the `verify` job to complete
+7. Go to the workflow run and **approve** the `crates-io` environment
+8. The workflow will:
+   - Publish to crates.io
+   - Create a git tag
+   - Create a GitHub release with binaries
+
+### Option 2: Release via GitHub UI
+
+1. Go to **Releases**
+2. Click **"Create a new release"**
+3. Create a new tag (e.g., `v0.1.0`)
+4. Fill in release notes
+5. Click **"Publish release"**
+6. The workflow will trigger automatically
+7. Approve the `crates-io` environment when prompted
+
+## 4. Workflow Features
+
+### The publish workflow (`publish.yml`):
+
+- **Verify stage**: 
+  - Checks version consistency
+  - Runs tests and clippy
+  - Validates package with `cargo publish --dry-run`
+
+- **Manual approval**: 
+  - Requires approval for the `crates-io` environment
+  - Prevents accidental publishes
+
+- **Publish stage**:
+  - Publishes to crates.io
+  - Only runs after approval
+
+- **Release artifacts**:
+  - Builds binaries for Linux (x64, ARM64) and macOS (x64, ARM64)
+  - Creates tar.gz archives with SHA256 checksums
+  - Uploads to GitHub release
+
+## 5. Version Management
+
+Before releasing:
+
+1. Update version in `Cargo.toml`
+2. Update `CHANGELOG.md`
+3. Commit changes: `git commit -am "Bump version to 0.1.0"`
+4. Push to main: `git push origin main`
+5. Then trigger the release workflow
+
+## 6. Troubleshooting
+
+### "Environment not found"
+- Make sure you created the `crates-io` environment exactly as named
+
+### "Secret not found"
+- Verify `CARGO_REGISTRY_TOKEN` is added as a repository secret
+
+### "Version mismatch"
+- Ensure Cargo.toml version matches the version you're trying to release
+
+### "Package already published"
+- You cannot republish the same version
+- Bump the version in Cargo.toml
+
+## Security Notes
+
+- Never commit the CARGO_REGISTRY_TOKEN
+- Limit the token's scope if possible
+- Rotate tokens periodically
+- Use environment protection rules to control who can publish
