Skip to content

Sync Cargo.lock before cargo build --locked in release workflow#204

Merged
xlc merged 1 commit into
AcalaNetwork:masterfrom
rockbmb:harden-release-yml
May 21, 2026
Merged

Sync Cargo.lock before cargo build --locked in release workflow#204
xlc merged 1 commit into
AcalaNetwork:masterfrom
rockbmb:harden-release-yml

Conversation

@rockbmb
Copy link
Copy Markdown
Contributor

@rockbmb rockbmb commented May 21, 2026
edited
Loading

What happened

The release for v0.1.1 was tagged with Cargo.toml bumped to 0.1.1 but with Cargo.lock still listing 0.1.0.
cargo build --release --locked failed against the mismatch, Publish GitHub Release was skipped, and v0.1.1 was created with no assets.

Why this is needed

scripts/release.sh regenerates Cargo.lock (cargo check) before the tag is pushed, so the scripted path is already safe. The fix adds the same guarantee for any tag that bypasses the script (manual Cargo.toml edit + tag push, or any other lockfile drift): a cargo update --workspace step before the build keeps Cargo.lock in sync with the workspace Cargo.toml, and --locked still enforces no drift in transitive deps.

Without it, a mistake at tag time silently produces an empty release.

@rockbmb
Sync Cargo.lock before cargo build --locked in release workflow
aac8405 
The release for v0.1.1 was tagged with a Cargo.toml bumped to 0.1.1
but Cargo.lock still listing 0.1.0; `cargo build --locked` failed,
the Publish GitHub Release step was skipped, and the release was
created with no assets attached.

`scripts/release.sh` regenerates Cargo.lock before the tag is
pushed, so the common path is already safe. This step adds a
fallback so a tag created without going through that script (or
where the lockfile drifted for any other reason) still produces
a release artifact instead of an empty release object.
@rockbmb
Copy link
Copy Markdown
Contributor Author

rockbmb commented May 21, 2026
edited
Loading

@xlc — two requests:

  1. Review and merge this PR.
  2. Re-cut v0.1.1 if possible, so the release workflow produces the x86_64-unknown-linux-musl.tar.gz artifact.

Context: v0.1.1's tag points at 0ade3dc ("Bump version to 0.1.1"), where Cargo.lock still listed 0.1.0. cargo build --release --locked failed there and the release published no assets.

Downstream CI (polkadot-fellows/runtimes#1180, open-web3-stack/polkadot-ecosystem-tests#622) currently consumes Subway via docker create + docker cp on acala/subway:v0.1.1 because no .tar.gz exists. With a working v0.1.1 artifact, both can drop the docker workaround and switch to curl | tar -xz.

@rockbmb rockbmb mentioned this pull request May 21, 2026
Open
1 task
@xlc xlc merged commit 8d4a28a into AcalaNetwork:master May 21, 2026
2 checks passed
@xlc
Copy link
Copy Markdown
Member

xlc commented May 21, 2026

I made v0.1.2 release instead of trying to figure out how to re-release v0.1.1

@rockbmb rockbmb deleted the harden-release-yml branch May 21, 2026 22:42
@rockbmb
Copy link
Copy Markdown
Contributor Author

rockbmb commented May 21, 2026

@xlc works for me; thanks 👍

rockbmb added a commit to rockbmb/runtimes that referenced this pull request May 21, 2026
@rockbmb
Bump Subway Docker image tag to v0.1.2
615699c 
`acala/subway:v0.1.2` is the first release tag with a working
release artifact ([the v0.1.1 build was tagged with a stale
`Cargo.lock`](https://github.com/AcalaNetwork/subway/actions/runs/26141877372)
and AcalaNetwork/subway#204 fixed the release workflow). The next
commit drops the Docker-extract workaround in favour of the
attached `.tar.gz` asset; bumping the tag separately keeps that
diff easy to review.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xlc xlc xlc approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rockbmb @xlc