Skip to content

chore: release hotdata v0.8.1 (#87) #11

chore: release hotdata v0.8.1 (#87)

chore: release hotdata v0.8.1 (#87) #11

Workflow file for this run

name: Publish to crates.io
on:
push:
tags:
- 'v[0-9]*'
concurrency:
group: crates-publish-${{ github.ref_name }}
cancel-in-progress: false
permissions:
contents: read
# Required for the OIDC token exchange (Trusted Publishing). The job presents a
# short-lived OIDC identity that crates.io trades for a ~30-minute API token, so
# no long-lived CRATES_IO_TOKEN secret is stored anywhere.
id-token: write
jobs:
publish:
name: Publish to crates.io
runs-on: ubuntu-latest
environment:
name: crates-io
url: https://crates.io/crates/hotdata
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
with:
toolchain: stable
- name: Verify tag matches Cargo.toml version
run: |
set -euo pipefail
if [[ ! "$GITHUB_REF_NAME" =~ ^v[0-9] ]]; then
echo "Release tag '$GITHUB_REF_NAME' must start with 'v' followed by a digit (e.g. v1.0.0)" >&2
exit 1
fi
tag="${GITHUB_REF_NAME#v}"
pkg_version=$(cargo metadata --no-deps --format-version 1 \
| jq -r '.packages[] | select(.name=="hotdata") | .version')
if [ "$tag" != "$pkg_version" ]; then
echo "Release tag ($tag) does not match Cargo.toml version ($pkg_version)" >&2
exit 1
fi
# Dry-run with all features is the twine-check analog: it packages the
# crate and verifies it builds in the published form (including the
# optional arrow surface) before the real publish.
- name: Verify package builds (dry run)
run: cargo publish --dry-run --all-features
# Exchange the job's OIDC identity for a short-lived crates.io token. The
# crate's Trusted Publishing config (owner/repo/workflow/environment) must
# match this job, or the exchange is rejected.
- name: Authenticate to crates.io (Trusted Publishing)
id: auth
uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
- name: Publish to crates.io
env:
CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
# --all-features mirrors the dry-run so the pre-upload verify build
# also compiles the optional arrow surface.
run: cargo publish --all-features
# Announce the release in #deploy. Runs only when the publish above
# succeeded. Posts via the shared Hotdata CI Slack app (bot token), so the
# same SLACK_CI_BOT_TOKEN org secret drives notifications across SDK repos.
- name: "Notify #deploy on Slack"
# The publish above is irreversible, so a Slack/token hiccup must not
# mark a successful release as failed and trigger false-alarm retries.
continue-on-error: true
env:
SLACK_CI_BOT_TOKEN: ${{ secrets.SLACK_CI_BOT_TOKEN }}
run: |
set -euo pipefail
if [ -z "${SLACK_CI_BOT_TOKEN:-}" ]; then
echo "SLACK_CI_BOT_TOKEN not set; skipping Slack notification" >&2
exit 0
fi
version="${GITHUB_REF_NAME#v}"
text=":package: *hotdata* \`v${version}\` published to crates.io — <https://crates.io/crates/hotdata/${version}|crates.io> · <https://github.com/${GITHUB_REPOSITORY}/releases/tag/${GITHUB_REF_NAME}|release notes>"
# #deploy channel ID (rename-proof). chat.postMessage returns HTTP 200
# even on logical errors, so capture the body and assert on .ok —
# echoing Slack's error makes a swallowed (continue-on-error) miss
# debuggable in the job log instead of disappearing silently.
response="$(curl -sS -X POST https://slack.com/api/chat.postMessage \
-H "Authorization: Bearer ${SLACK_CI_BOT_TOKEN}" \
-H 'Content-Type: application/json; charset=utf-8' \
--data "$(jq -n --arg ch 'C0ARK84E1D4' --arg text "$text" '{channel:$ch, text:$text}')")"
if ! jq -e '.ok' >/dev/null <<<"$response"; then
echo "Slack notification failed: $(jq -r '.error // "unknown"' <<<"$response")" >&2
exit 1
fi