release: Add job to publish to crates.io (#43972)

When triggering the release action on a non-protected branch in this
repo, the job is rejected (as intended):
<img width="1484" height="304" alt="image"
src="https://github.com/user-attachments/assets/236d3a41-2765-4652-8709-93110e03c77b"
/>

When triggering the action on a protected branch in this repository, the
publish-crates-io job will be pending, until explicitly approved by one
of the required approvers (thanks to the `environment` settings).
This allows us to publish all of our packages in one go.


Testing: Tested by manually
[triggering](https://github.com/servo/servo/actions/runs/24119955943/job/70371705395)
a release for `0.1.0-rc2`, which got successfully published to
crates.io. This was also a resume-after-cancellation test, since the
first ~30 crates of the release had already been published via `cargo
publish --workspace`, before running into the issue that `cargo publish
--workspace` can't resume after intermediate failures. The last commit
"Fix buffering issue in CI" is untested, and was added after observing
the stdout log messages only appearing at the end of the script. That
commit is trivial though, and probably does not justify using crates.io
resources for another test release.

---------

Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
Signed-off-by: Jonathan Schwender <55576758+jschwe@users.noreply.github.com>
Co-authored-by: Mukilan Thiyagarajan <mukilanthiagarajan@gmail.com>
Jonathan Schwender
2026-04-10 18:54:53 +02:00
committed by GitHub
parent fbb37acf15
commit c3d2df22c0
2 changed files with 259 additions and 0 deletions


@@ -13,6 +13,10 @@ on:
description: '`true` to create a release on this repo, false to release to the nightly-releases repo'
type: boolean
default: false
crates_io:
description: '`true` to publish to crates.io'
type: boolean
default: false
release_tag:
required: true
type: string
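Review bot: The description for the new `crates_io` input says only "`true` to publish to crates.io", which does not tell the person dispatching the workflow how it relates to the required `release_tag` input directly below it or that the publish is gated. Consider expanding the description to state that the job runs only in `servo/servo`, waits for approval in the `publish_crates_io` environment, and which ref or version ends up being published, since a published crate version cannot be replaced afterwards.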
@@ -103,6 +107,31 @@ jobs:
- upload-android-nightly
- upload-ohos-nightly
publish-crates-io:
name: 'Publish to crates.io'
if: github.repository == 'servo/servo' && (inputs.crates_io || false)
environment:
name: publish_crates_io
deployment: false
runs-on: ubuntu-22.04
permissions:
id-token: write
steps:
- uses: actions/checkout@v6
- uses: rust-lang/crates-io-auth-action@v1
id: auth
- name: Publish to crates.io
env:
CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
SERVO_CRATES_IO_SLEEP_AFTER_PUBLISH_SECONDS: "30"
SERVO_CRATES_IO_VERIFY_PUBLISHED_TIMEOUT_SECONDS: "300"
SERVO_CRATES_IO_VERIFY_PUBLISHED_INTERVAL_SECONDS: "10"
# Verification requires building, which is incredibly slow and also increases our attack surface.
# If we decide for an extra verification, we should add a seperate job before this one, which
# does a `dry-run` publish without any elevated permissions.
run: |
python3 etc/ci/publish_crates_io.py --no-verify
build-win:
# This job is only useful when run on upstream servo.
if: github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch'
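Review bot: In `publish-crates-io`, `actions/checkout@v6` and `rust-lang/crates-io-auth-action@v1` are referenced by mutable tags in the one job that holds `id-token: write` and receives `CARGO_REGISTRY_TOKEN`, so a moved tag on either action would run with publish rights; pin both to full commit SHAs (keeping the version in a trailing comment). The checkout step also has no `with:` block: setting `persist-credentials: false` would keep the workflow token out of the workspace that `publish_crates_io.py` runs in, and because there is no `ref:`, the job publishes whatever ref the workflow was dispatched on rather than `release_tag`, which deserves a comment if intended. Since the `permissions` block lists only `id-token: write`, an explicit `contents: read` next to it would document what the checkout relies on.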