ci: realign CI/release/publish workflows

[scarmuega]

Why

The GitHub Actions setup had drifted and carried a real bug: publish.yml triggered on workflow_run of the Release workflow, which itself runs on every pull request — so crates.io publish was attempted after essentially every PR's Release run, not just on real tag releases. CI (validate.yml) also used the deprecated actions-rs/* actions with no Rust caching.

This PR realigns things into a clean, modern set of workflows.

Changes

• CI — replace validate.yml with ci.yml:

  • Triggers on PRs + push to main, with a concurrency group that cancels superseded runs.
  • Jobs: fmt, clippy, test, and check on Windows (preserving the old cross-OS coverage).
  • Swatinem/rust-cache@v2 on every job, writing the cache only from main (save-if) so PRs read but don't pollute it.
  • New rust-toolchain.toml pins 1.89 + rustfmt/clippy as the single source of truth for CI, local dev, and dist.

• Release embeds publish — crates.io publish is now a cargo-dist publish-jobs reusable workflow (publish-crates.yml), wired into the regenerated release.yml as custom-publish-crates (needs: [plan, host], secrets: inherit). It runs only on a real tag release, after host succeeds, structurally eliminating the every-PR publish.

  • dist-workspace.toml: publish-jobs = ["homebrew", "./publish-crates"].
  • release.yml was regenerated with dist 0.29.0 (version-matched) — the diff is just the publish-crates job.

• Delete publish.yml — the broken workflow_run-triggered file.

• e2e — unchanged: stays a manual workflow_dispatch preliminary step, intentionally not wired into the release pipeline.

Verification

• All hand-written workflow YAML parses; release.yml is dist-generated and dist generate --check reports in-sync.
• No Rust source touched, so fmt/clippy/test behavior is unchanged from main (CI will exercise them on this PR).

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Refactored CI/CD workflows to improve build reliability, consistency, and test coverage across all platforms
  • Upgraded Rust toolchain to version 1.89 with additional components for enhanced code quality checks
  • Streamlined crate publishing and release processes with improved workflow automation

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR replaces older validation and publish workflow paths with a new CI workflow, a reusable crates.io publish workflow, release-job wiring for that publish step, an updated dist publish job list, and a pinned Rust toolchain with lint and format components.

Changes

Workflow automation

Layer / File(s)	Summary
CI validation workflow .github/workflows/ci.yml, rust-toolchain.toml, .github/workflows/validate.yml	Adds a new CI workflow for formatting, clippy, tests, and Windows checks with shared environment settings and caching, pins Rust 1.89 with rustfmt/clippy, and replaces the prior validation workflow definition.
Release publishing flow .github/workflows/publish-crates.yml, .github/workflows/release.yml, dist-workspace.toml, .github/workflows/publish.yml	Adds a reusable crates.io publish workflow, registers it in dist publish jobs, invokes it conditionally from the release workflow, updates announcement gating to include it, and removes the prior standalone publish workflow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I tidied trails through CI snow,
With fmt and clippy set to go.
A publish burrow now runs in line,
Release bells ring when checks align.
I twitch my nose — all workflows shine.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: realign CI/release/publish workflows' directly and accurately summarizes the main changes—replacing validate.yml with ci.yml, restructuring the release/publish workflow architecture, and updating toolchain configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/realign-workflows

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

.github/workflows/release.yml (1)

335-347: ⚡ Quick win

The elevated permissions may be unnecessary for crates.io publishing.

The custom-publish-crates job grants id-token: write and packages: write permissions. However, crates.io publishing only requires the CARGO_REGISTRY_TOKEN secret (which is provided via secrets: inherit).

• id-token: write is for OIDC/trusted publishing (not applicable to crates.io)
• packages: write is for GitHub Packages (not crates.io)

Consider removing the permissions block or restricting it to contents: read unless these elevated permissions are needed for a future use case.

🔒 Proposed fix to remove excessive permissions

   custom-publish-crates:
     needs:
       - plan
       - host
     if: ${{ !fromJson(needs.plan.outputs.val).announcement_is_prerelease || fromJson(needs.plan.outputs.val).publish_prereleases }}
     uses: ./.github/workflows/publish-crates.yml
     with:
       plan: ${{ needs.plan.outputs.val }}
     secrets: inherit
-    # publish jobs get escalated permissions
-    permissions:
-      "id-token": "write"
-      "packages": "write"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 335 - 347, The
`custom-publish-crates` job in the release.yml workflow has unnecessary elevated
permissions. Remove the `permissions` block (containing `id-token: write` and
`packages: write`) from this job since crates.io publishing only requires the
`CARGO_REGISTRY_TOKEN` secret provided via `secrets: inherit`. The `id-token`
permission is for OIDC/trusted publishing which is not applicable to crates.io,
and `packages` is for GitHub Packages which is also not needed. Either delete
the permissions block entirely or replace it with minimal permissions like
`contents: read` if any permission is needed.

.github/workflows/ci.yml (1)

1-81: ⚖️ Poor tradeoff

Consider tightening workflow security posture (optional improvements).

The workflow follows standard patterns but could adopt stricter security practices:

1. Pin actions to commit SHAs: Currently using version tags (@v4, @v3). Pinning to full commit hashes prevents supply-chain attacks via tag hijacking, though it increases maintenance overhead.

2. Restrict workflow permissions: Add a top-level permissions: block to limit the workflow to read-only access. The current default grants broader permissions than needed for CI checks.

3. Disable credential persistence: Set persist-credentials: false in all actions/checkout steps to prevent credentials from being accessible to subsequent steps or artifacts.

🔒 Example hardened configuration

 name: CI
+
+permissions:
+  contents: read

 on:
   pull_request:

     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false

For SHA pinning, tools like Dependabot can automate updates.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 1 - 81, Harden the CI workflow by
applying the requested security improvements in the top-level workflow
definition: add a restrictive permissions block, set persist-credentials to
false on every actions/checkout step, and replace the version-tagged action
references used by actions/checkout, arduino/setup-protoc, and
Swatinem/rust-cache with pinned commit SHAs. Keep the existing job structure and
behavior unchanged while updating the workflow configuration.

.github/workflows/publish-crates.yml (1)

8-12: 💤 Low value

The plan input is declared but never used.

The workflow accepts a plan input (described as the cargo-dist release plan) but doesn't reference it anywhere. If the plan determines which packages to publish or provides metadata for the release, consider extracting and using that information. Otherwise, this input can be removed.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-crates.yml around lines 8 - 12, The publish-crates
workflow declares a `plan` input but never uses it; update the `publish-crates`
job/workflow logic to either consume the `plan` value in the relevant publishing
steps (for example in the main publish path that uses cargo-dist release
metadata) or remove the unused `plan` input from the workflow definition if it
is not needed anywhere.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 1-81: Harden the CI workflow by applying the requested security
improvements in the top-level workflow definition: add a restrictive permissions
block, set persist-credentials to false on every actions/checkout step, and
replace the version-tagged action references used by actions/checkout,
arduino/setup-protoc, and Swatinem/rust-cache with pinned commit SHAs. Keep the
existing job structure and behavior unchanged while updating the workflow
configuration.

In @.github/workflows/publish-crates.yml:
- Around line 8-12: The publish-crates workflow declares a `plan` input but
never uses it; update the `publish-crates` job/workflow logic to either consume
the `plan` value in the relevant publishing steps (for example in the main
publish path that uses cargo-dist release metadata) or remove the unused `plan`
input from the workflow definition if it is not needed anywhere.

In @.github/workflows/release.yml:
- Around line 335-347: The `custom-publish-crates` job in the release.yml
workflow has unnecessary elevated permissions. Remove the `permissions` block
(containing `id-token: write` and `packages: write`) from this job since
crates.io publishing only requires the `CARGO_REGISTRY_TOKEN` secret provided
via `secrets: inherit`. The `id-token` permission is for OIDC/trusted publishing
which is not applicable to crates.io, and `packages` is for GitHub Packages
which is also not needed. Either delete the permissions block entirely or
replace it with minimal permissions like `contents: read` if any permission is
needed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f1ae5ad4-81e6-415c-b26d-25ea7393c8c5

📥 Commits

Reviewing files that changed from the base of the PR and between f8d19a2 and 4b13eab.

📒 Files selected for processing (7)

• .github/workflows/ci.yml
• .github/workflows/publish-crates.yml
• .github/workflows/publish.yml
• .github/workflows/release.yml
• .github/workflows/validate.yml
• dist-workspace.toml
• rust-toolchain.toml

💤 Files with no reviewable changes (2)

• .github/workflows/publish.yml
• .github/workflows/validate.yml