xtask: reject versioned workspace deps on publish=false crates#578
Conversation
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
The v0.7.0 release lane failed because `[workspace.dependencies]` had `version = "0.7.0"` declared on three internal `publish = false` crates (`uselesskey-test-support`, `uselesskey-test-grid`, `uselesskey-feature-grid`). Even though those entries were only consumed as `[dev-dependencies]`, `cargo publish` resolves the workspace version constraint against crates.io and fails with `no matching package named ...`. PR #569 stripped the offending `version` fields to fix the instance, but the class of bug — a versioned workspace.dependencies entry pointing at a non-publishable crate — could silently recur the next time someone bumps versions across the manifest. This adds `verify_no_versioned_publish_false_deps()`: it parses the workspace `Cargo.toml`, walks every `[workspace.dependencies]` inline-table entry that declares both `path` and `version`, opens the referenced crate's `Cargo.toml`, and bails if `[package].publish` is `false`. All violations are collected and reported together so the fix is a single pass. The check is wired into both `publish_check()` and `run_publish_preflight()` (as a new `preflight:publish-false-dep-guard` step) so it runs ahead of any cargo packaging work and on the cheap gate PRs already run. A unit test asserts the function returns `Ok(())` on the current workspace (post-#569). If anyone re-introduces a `version` field on a path that resolves to a `publish = false` crate, the test and the preflight gate both fail before a tag push can land.
4d2f078 to
fbb3988
Compare
|
Rebased against current main (which now has #572's topo guard merged). Both verify_* functions coexist: topo guard runs first in publish_check, publish-false dep guard runs second. |
Why patch mode
==============
v0.7.0 ran the full minor-release evidence lane, including expensive
gates like `cargo xtask mutants-nightly --scope public`, the broad
perf suite, and new product profile proofs. That investment is right
for a minor release that changes the user-facing platform.
v0.7.1 is different: it hardens release tooling and the user install
path without changing public behavior. It only needs confidence that
release-system gates and the user path still work. Running the full
minor lane on every patch wastes CI time and dulls the signal of the
minor lane itself.
What the patch lane runs
========================
`cargo xtask release-evidence --version <V> --patch [--summary]`
selects `release_evidence_steps_patch()` which runs 10 focused steps:
1. `public-surface` — re-confirm exported API
2. `check-file-policy` — non-Rust file allowlist
3. `publish-preflight` — metadata + cargo package --no-verify
4. `publish-check` — ordered publish dry-runs (includes
topology guard from #572 and
publish=false dep guard from #578)
5. `scanner-safe-reference --check` (#577) — scanner reference paths
6. `cratesio-smoke --path . --skip-install-cli` (#580) — user path
7. `docs-sync --check` — docs are in sync with code
8. `no-blob` — no secret-shaped blobs in test paths
9. `examples-smoke` — examples still compile / run
10. `impacted-evidence --base origin/main` — change-impact routing
What it deliberately omits
==========================
- `mutants-nightly --scope public` — full nightly mutation runs
against `main` on schedule; targeted mutation already runs through
`cargo xtask pr` when `impacted-evidence` flags the change.
- broad perf suite (`perf --compare`) — patch releases should not
shift baselines; if they do, escalate to the minor lane.
- new product profile proofs (scanner-safe bundle, OIDC contract
pack) — patch releases are not the venue to re-prove new profiles.
Receipt shape
=============
`ReleaseEvidenceReceipt` gains a `lane_mode` field (`"minor"` or
`"patch"`). The existing `lane: "release-evidence"` string is
preserved for backward compatibility with anything consuming the
shape; only the new field distinguishes the two lanes. The
release-evidence markdown gains a `Mode:` line; the summary opens
with a "Patch-mode evidence lane" callout when patch is set and
swaps the v0.7.0-specific gate table for the patch step list.
Tests
=====
- `release_evidence_patch_step_list_excludes_mutants_nightly`
- `release_evidence_minor_step_list_includes_mutants_nightly`
- `release_evidence_patch_step_list_includes_scanner_safe_reference`
- `release_evidence_patch_step_list_includes_cratesio_smoke`
- `release_evidence_patch_receipt_records_patch_mode`
- `release_evidence_patch_summary_announces_patch_lane`
Minor-lane callers (`release-evidence --version X [--summary]` with
no `--patch`) are unchanged in behavior and continue to run the
full 15-step lane.
Why
The v0.7.0 release lane failed because
[workspace.dependencies]in the rootCargo.tomldeclaredversion = \"0.7.0\"on three internalpublish = falsecrates —uselesskey-test-support,uselesskey-test-grid, anduselesskey-feature-grid. Even though those entries were only consumed as[dev-dependencies]in dependents,cargo publishresolves the workspace version constraint against crates.io and fails withno matching package named uselesskey-test-support found.#569 fixed the instance by stripping the
versionfield from those three entries (path-only). This PR closes the class: the same bug could silently recur the next time anyone bumps versions across the workspace manifest. There was no gate to catch it before tag push.What
verify_no_versioned_publish_false_deps()inxtask/src/main.rs:Cargo.tomlvia thetomlcrate (already a dep ofxtask).[workspace.dependencies]inline-table entry that declares bothpath = ...andversion = ...(bare-string entries and path-only entries are correctly ignored).Cargo.tomland checks whether[package].publishisfalse.workspace.dependencies entry '{name}' has version = \"{version}\" but {path} is publish = false; strip the version to make it path-only.publish_check()— runs first, so the cheap PR gate fails fast.run_publish_preflight()— added as a newpreflight:publish-false-dep-guardreceipt step ahead ofpreflight:metadata, so the release lane catches it before anycargo packagework.verify_no_versioned_publish_false_deps_passes_on_current_workspace()assertsOk(())on the current workspace (which is clean after fix: make internal test-helper deps path-only in workspace.dependencies #569). If someone re-adds a strayversionfield, both the test and the preflight gate fail.No
Cargo.tomlfiles are modified by this PR — it is xtask-only.0.7.1 plan
This is PR 2 of the v0.7.1 publish-system hardening series. PR 1 is #572 (topology guard). The two are conceptually paired but independent — either can land first; if #572 lands first, this branch may need a tiny rebase on
xtask/src/main.rssince both add a verification function nearpublish_check.Test plan
rtk cargo build -p xtaskrtk cargo test -p xtask verify_no_versioned_publish_false_deps(1 passed)rtk cargo fmt --check -p xtaskrtk cargo clippy -p xtask --all-targets -- -D warnings(no issues)rtk cargo xtask publish-preflight— new steppreflight:publish-false-dep-guardruns first and the full preflight succeedsrtk cargo xtask publish-check— succeeds