release: Add job to publish to crates.io (#43972)

When triggering the release action on a non-protected branch in this repo, the job is rejected (as intended): <img width="1484" height="304" alt="image" src="https://github.com/user-attachments/assets/236d3a41-2765-4652-8709-93110e03c77b" /> When triggering the action on a protected branch in this repository, the publish-crates-io job will be pending, until explicitly approved by one of the required approvers (thanks to the `environment` settings). This allows us to publish all of our packages in one go. Testing: Tested by manually [triggering](https://github.com/servo/servo/actions/runs/24119955943/job/70371705395) a release for `0.1.0-rc2`, which got successfully published to crates.io. This was also a resume-after-cancellation test, since the first ~30 crates of the release had already been published via `cargo publish --workspace`, before running into the issue that `cargo publish --workspace` can't resume after intermediate failures. The last commit "Fix buffering issue in CI" is untested, and was added after observing the stdout log messages only appearing at the end of the script. That commit is trivial though, and probably does not justify using crates.io resources for another test release. --------- Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com> Signed-off-by: Jonathan Schwender <55576758+jschwe@users.noreply.github.com> Co-authored-by: Mukilan Thiyagarajan <mukilanthiagarajan@gmail.com>
2026-04-25 17:15:48 +02:00 · 2026-04-10 18:54:53 +02:00
parent fbb37acf15
commit c3d2df22c0
2 changed files with 259 additions and 0 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,10 @@ on:
        description: '`true` to create a release on this repo, false to release to the nightly-releases repo'
        type: boolean
        default: false
+      crates_io:
+        description: '`true` to publish to crates.io'
+        type: boolean
+        default: false
      release_tag:
        required: true
        type: string
@@ -103,6 +107,31 @@ jobs:
      - upload-android-nightly
      - upload-ohos-nightly

+  publish-crates-io:
+    name: 'Publish to crates.io'
+    if: github.repository == 'servo/servo' && (inputs.crates_io || false)
+    environment:
+      name: publish_crates_io
+      deployment: false
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v6
+      - uses: rust-lang/crates-io-auth-action@v1
+        id: auth
+      - name: Publish to crates.io
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+          SERVO_CRATES_IO_SLEEP_AFTER_PUBLISH_SECONDS: "30"
+          SERVO_CRATES_IO_VERIFY_PUBLISHED_TIMEOUT_SECONDS: "300"
+          SERVO_CRATES_IO_VERIFY_PUBLISHED_INTERVAL_SECONDS: "10"
+        # Verification requires building, which is incredibly slow and also increases our attack surface.
+        # If we decide for an extra verification, we should add a seperate job before this one, which
+        # does a `dry-run` publish without any elevated permissions.
+        run: |
+          python3 etc/ci/publish_crates_io.py --no-verify
+
  build-win:
    # This job is only useful when run on upstream servo.
    if: github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch'