fix(release): OIDC fallback to token + correct shipper-cli wording#150
Conversation
…ng isn't configured
The v0.3.0-rc.2 tag push kicked off the release workflow but the
`Publish to crates.io (via shipper)` job failed at the OIDC token
exchange step:
Failed to retrieve token from Cargo registry. Status: 400.
Error: No Trusted Publishing config found for repository
`EffortlessMetrics/shipper`.
The downstream publish steps were already designed to fall back to
`secrets.CARGO_REGISTRY_TOKEN` via
`${{ steps.auth.outputs.token || secrets.CARGO_REGISTRY_TOKEN }}`,
but because the `rust-lang/crates-io-auth-action@v1` step had no
`continue-on-error`, the step's non-zero exit killed the whole job
before the fallback could kick in.
Add `continue-on-error: true` to all three invocations of the auth
action (publish-crates-io, release-resume, release-rehearse) so a
failed OIDC exchange cleanly falls through to the
`CARGO_REGISTRY_TOKEN` secret. Remove a duplicate `continue-on-error`
on the rehearse step that the replace_all created during the fix.
No actual `cargo publish` invocations happened on the failed rc.2
run — the auth step failed before any crate was pushed, so there's
no crates.io state to reconcile. Re-tagging v0.3.0-rc.2 against this
fixed main (or cutting rc.3) will take the token-auth path cleanly.
Also fixes wording drift that described `shipper-cli` as a
"compatibility shim." It is the real CLI adapter crate — owns clap
parsing, subcommand dispatch, help text, and progress rendering; the
`shipper` binary is a three-line wrapper over `shipper_cli::run()`.
Most users should install `shipper`, but `shipper-cli` is a first-
class adapter, not a deprecated shim. Updates:
- README.md — replace "compatibility shim" framing
- crates/shipper-cli/README.md — rename "Back-compat binary" section
- crates/shipper-cli/src/lib.rs — update `run()` doc comment
- docs/release-runbook.md — drop the "compatibility shim" phrasing
Per-crate Trusted Publishing config can be set up on crates.io
(crate → Settings → Trusted Publishing → Add) for 0.4.0; keeping
token auth for 0.3.0-rc.2 and 0.3.0 stable.
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 37 minutes and 35 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (5)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
…lity Follow-on from the four-README rewrite. Two agents did the heavy lifting; this commit lands their work. docs/product.md: - Dropped the stale `What's shipped (v0.3.0-rc.1)` capability-status table (rows were either outdated or duplicated ROADMAP content). - Added a three-crate Product Shape section matching the new READMEs (shipper = install face, shipper-cli = adapter, shipper-core = engine). - Added a concise What Shipper Does Today section naming each of the nine competencies as present capabilities, pointing at ROADMAP for status and CHANGELOG for per-release detail instead of duplicating. - Expanded Compared to alternatives to include cargo publish --workspace (Cargo 1.90+). - Rewrote the Where to go from here table as role-based navigation, including an embedder row pointing at shipper-core. - Kept the identity sentence, the "intentionally narrow" framing, and the audience paragraph pattern — those were already steering-shaped. docs/release-runbook.md: - Dropped the `Current RC baseline: v0.3.0-rc.1 / 5beab9b` framing and the hardcoded `git tag -a v0.3.0-rc.1` example. - Replaced with a VERSION=$(cargo metadata...) pattern so operators tag from Cargo.toml rather than hardcoding per-release. - Updated crates-in-the-train to 13 with the new tier structure (tier 4 core → tier 5 cli → tier 6 install façade). - Reframed auth as "token fallback (primary today) / Trusted Publishing (target path)", matching what PR #150 actually landed and the live state of the crates.io-side TP registration. - Rewrote walk-back section to lead with `shipper plan-yank` / `shipper fix-forward`, manual `cargo yank` as fallback. - Deliberately kept the single link to release-v0.3.0-rc.1-manifest.md and the "as of rc.2" capability signal — both are intentionally version-pinned historical markers. Totals: docs/product.md 530 words, docs/release-runbook.md ~250 lines of version-agnostic procedure the operator can re-run for rc.3, 0.3.0 stable, 0.4.0, etc. without edits.
…ly (#152) * docs(readme): rewrite the four user-facing READMEs as a coherent family Each of the four READMEs was trying to do too many jobs (pitch, status bulletin, reference, architecture, examples, changelog), which made the landing pages stale, bloated, and internally inconsistent with the three-crate product story that #95 landed. This rewrite aligns them around one job per page. Role allocation after this PR: - README.md (root) — ROUTE. Problem statement, one quick-start, one "what Shipper doesn't do" boundary, links into Diátaxis docs. No release-history prose, no runtime metrics, no audience matrix, no config/CI walkthrough — those live in their own docs. - crates/shipper/README.md — INSTALL FACE. What users see on crates.io for the install target. Problem, install, four-command quick-start, pointer to the sibling crates for lean embedding. - crates/shipper-core/README.md — SDK PAGE. Grew from a 25-line positioning note to a proper embedder onboarding: when to pick it, what lives here, what doesn't, the API shape to expect, and a minimal code sketch. - crates/shipper-cli/README.md — ADAPTER PAGE. Deliberately the shortest. Tells users to install `shipper` first, shows when to reach for the adapter directly (custom wrappers, explicit install of `shipper-cli`), points lean embedders at `shipper-core`. Cut stable across all four: dated release-history prose, 41-retries / 69-minute run metrics, audience matrix, full command catalogs, long architecture narration. Those belong in CHANGELOG.md, roadmap, and the Diátaxis docs tree — not on landing pages. Totals: 497 → 219 lines (≈56% reduction) across the four files, while `shipper-core` actually grew because it was too thin before. Verified: - cargo check --workspace clean - grep for "compatibility shim" / rc.1 release prose / stale install commands returns no hits in the rewritten files. Follow-on: docs/release-runbook.md and docs/product.md still carry stale rc.1 references — out of scope for this PR; will follow in separate doc-cleanup work. * docs(steering): align product.md and release-runbook.md with rc.2 reality Follow-on from the four-README rewrite. Two agents did the heavy lifting; this commit lands their work. docs/product.md: - Dropped the stale `What's shipped (v0.3.0-rc.1)` capability-status table (rows were either outdated or duplicated ROADMAP content). - Added a three-crate Product Shape section matching the new READMEs (shipper = install face, shipper-cli = adapter, shipper-core = engine). - Added a concise What Shipper Does Today section naming each of the nine competencies as present capabilities, pointing at ROADMAP for status and CHANGELOG for per-release detail instead of duplicating. - Expanded Compared to alternatives to include cargo publish --workspace (Cargo 1.90+). - Rewrote the Where to go from here table as role-based navigation, including an embedder row pointing at shipper-core. - Kept the identity sentence, the "intentionally narrow" framing, and the audience paragraph pattern — those were already steering-shaped. docs/release-runbook.md: - Dropped the `Current RC baseline: v0.3.0-rc.1 / 5beab9b` framing and the hardcoded `git tag -a v0.3.0-rc.1` example. - Replaced with a VERSION=$(cargo metadata...) pattern so operators tag from Cargo.toml rather than hardcoding per-release. - Updated crates-in-the-train to 13 with the new tier structure (tier 4 core → tier 5 cli → tier 6 install façade). - Reframed auth as "token fallback (primary today) / Trusted Publishing (target path)", matching what PR #150 actually landed and the live state of the crates.io-side TP registration. - Rewrote walk-back section to lead with `shipper plan-yank` / `shipper fix-forward`, manual `cargo yank` as fallback. - Deliberately kept the single link to release-v0.3.0-rc.1-manifest.md and the "as of rc.2" capability signal — both are intentionally version-pinned historical markers. Totals: docs/product.md 530 words, docs/release-runbook.md ~250 lines of version-agnostic procedure the operator can re-run for rc.3, 0.3.0 stable, 0.4.0, etc. without edits.
Summary
Two connected fixes after the
v0.3.0-rc.2tag push failed at the crates.io OIDC exchange:continue-on-error: trueto therust-lang/crates-io-auth-action@v1step so a failed OIDC exchange cleanly falls through to theCARGO_REGISTRY_TOKENsecret. The downstream publish/preflight steps already readsteps.auth.outputs.token || secrets.CARGO_REGISTRY_TOKEN— the fallback was designed in but was unreachable because the auth step's non-zero exit killed the whole job.shipper-cliis the real CLI adapter crate, not a "compatibility shim." Fixes README, crate README, runbook, andrun()doc comment.What broke on rc.2
Trusted Publishing is a per-crate crates.io-side config (
crate → Settings → Trusted Publishing → Add). Our 13 crates aren't registered there yet. The workflow-side OIDC code landed in #96, but crates.io-side setup was never done.Nothing was published to crates.io — the OIDC failure happened before any
cargo publishinvocation. Theshipper-state-preflight.zipartifact uploaded cleanly; Shipper's own failure-state handling worked as designed.Path forward
For rc.2 / 0.3.x:
CARGO_REGISTRY_TOKENis set as a repository secret (you mentioned earlier it's available).v0.3.0-rc.2tag (no crates were published, so no state to reconcile), orv0.3.0-rc.3.For 0.4.0:
EffortlessMetrics/shipper, workflow:release.yml, environment:release).CARGO_REGISTRY_TOKENsecret.Wording fix scope
README.md— top-level install note.crates/shipper-cli/README.md— renamed "Back-compat binary" → "Installing the adapter directly".crates/shipper-cli/src/lib.rs—run()doc comment.docs/release-runbook.md— smoke-install note.Test plan
grep -rn "compatibility shim"returns zero hits.continue-on-error: trueon auth steps, duplicate removed).