
ci: automate version bumps via cargo-release + auto-render Homebrew formula#162

Merged: bryantbiggs merged 4 commits into main from chore/cargo-release-homebrew on May 25, 2026

Conversation

@bryantbiggs

Member

Summary

Automates two manual release steps:

  1. Version bumping: `cargo release minor --execute` (run locally) handles the version bump in eksup/Cargo.toml, regenerates completions/* and man/eksup.1, updates the README's example output, commits, tags, and pushes. Per project convention (no version bumps in feature PRs), this is the dedicated ceremony.
  2. Homebrew tap update — a new homebrew job in release.yaml renders Formula/eksup.rb from a heredoc using the checksums of the released artifacts and pushes to clowdhaus/homebrew-taps. Replaces the manual edit-after-each-release workflow.

Alongside the two automation wins, restructures release.yaml to mirror ocync's proven pattern:

  • Native build runners instead of cross for everything (ubuntu-24.04-arm for Linux ARM, macos-13 for Intel macOS, macos-latest for Apple Silicon, windows-latest for Windows). Faster, simpler debugging.
  • Single GitHub release per tag (via softprops/action-gh-release) instead of 5 independent uploads via svenstaro/upload-release-action --overwrite.
  • validate job confirms the git tag matches eksup/Cargo.toml's version before consuming build minutes.
  • sha256sums.txt generated and attached to every release.
  • Build provenance attestation (actions/attest-build-provenance) over all artifacts — supply-chain hygiene.
  • Toolchain change: stable instead of nightly for release builds, matching what cargo install eksup users get.
  • Homebrew formula improvements: bare version "X.Y.Z" (was "vX.Y.Z"), completions + man page installed via standard Homebrew helpers (was: missing entirely).
  • Least-privilege workflow permissions: top-level contents: read; elevated contents/id-token/attestations: write scoped to the release job only.

Required maintainer action before first release

Add a HOMEBREW_TAP_TOKEN repository secret to clowdhaus/eksup. A fine-grained PAT scoped to clowdhaus/homebrew-taps with Contents: Read and Write is the safest shape. If a token already exists for the ocync release flow with the same tap repo scope, reuse it.

Local ceremony (new normal)

```bash
# One-time install:
cargo install cargo-release

# Dry-run first:
cargo release minor

# Execute when it looks right:
cargo release minor --execute
```

The tag push triggers the new workflow. xtask is excluded from the workspace bump (`release = false` in xtask/Cargo.toml) so only eksup gets versioned.

Test plan

  • `cargo +nightly fmt --all --check` passes
  • `cargo clippy --all-targets --all-features -- -D warnings` passes
  • `cargo test --all` passes (241 tests; no source changes)
  • `cargo xtask generate-all --check` passes
  • `cargo release patch` (dry-run) parses the new `[package.metadata.release]` block, previews the bump cleanly, only bumps `eksup` (xtask excluded)
  • CI green on this PR (the new `release.yaml` doesn't run on PR events — only on tag push — so what CI verifies is fmt/clippy/test/verify-generated via the existing `check.yaml`)
  • After merge: maintainer adds `HOMEBREW_TAP_TOKEN` secret, then runs `cargo release patch --execute` for a small smoke-test release (e.g., `v0.13.1`)

🤖 Generated with Claude Code
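As an added example (not code from the PR or the eksup project), the two checks the new release.yaml is described as doing, written as POSIX sh functions: the validate gate that compares the pushed tag to `eksup/Cargo.toml`, and the checksum lookup that feeds the Homebrew formula render. The function names, `RELEASE_BASE_URL`, and the artifact file names are assumptions; `sha256sums.txt` is assumed to use the `sha256sum` layout `<hex>  <file>`.

```shell
#!/usr/bin/env sh
# Added example, not the PR's own workflow code: the tag/version gate and the
# checksum-driven formula stanza, as POSIX sh functions usable in a job step.
# Assumptions: RELEASE_BASE_URL, function names and artifact names are
# illustrative; sha256sums.txt uses the `sha256sum` layout "<hex>  <file>".

# Print the version from a Cargo.toml on stdin (first `version = "..."` line).
cargo_version() {
  sed -n 's/^version *= *"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 only when tag vX.Y.Z matches the manifest's X.Y.Z. Running this
# before the build matrix means a mistyped or stale tag fails fast instead
# of publishing artifacts whose embedded version disagrees with the tag.
tag_matches_version() {
  tag="$1"; manifest="$2"
  case "$tag" in
    v*) ;;
    *) echo "tag '$tag' must be of the form vX.Y.Z" >&2; return 1 ;;
  esac
  want="${tag#v}"
  have=$(cargo_version < "$manifest")
  if [ -z "$have" ] || [ "$have" != "$want" ]; then
    echo "tag $tag does not match Cargo.toml version '${have:-<none>}'" >&2
    return 1
  fi
}

# Look up one artifact's digest in sha256sums.txt; empty output if absent.
sha256_for() {
  awk -v f="$1" '$2 == f { print $1 }' "$2"
}

# Render the url/sha256 pair for a formula from the recorded digest. Fails
# closed: a missing digest aborts the render rather than emitting an empty
# sha256 field that Homebrew could not verify the download against.
render_formula_stanza() {
  version="$1"; artifact="$2"; sums="$3"
  base="${RELEASE_BASE_URL:-https://github.com/clowdhaus/eksup/releases/download}"
  sha=$(sha256_for "$artifact" "$sums")
  if [ -z "$sha" ]; then
    echo "no sha256 recorded for $artifact; refusing to render" >&2
    return 1
  fi
  printf 'url "%s/v%s/%s"\nsha256 "%s"\n' "$base" "$version" "$artifact" "$sha"
}
```

Source the file in a job step and call `tag_matches_version "$GITHUB_REF_NAME" eksup/Cargo.toml` before any build job runs; `render_formula_stanza` is called once per artifact in the heredoc that produces `Formula/eksup.rb`.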

bryantbiggs and others added 4 commits May 25, 2026 11:24
`cargo release` defaults to bumping all workspace members. xtask is
internal build infrastructure (publish = false), not a shipped artifact
— its version doesn't track eksup's. `[package.metadata.release]` with
`release = false` excludes it from the workspace bump.

Without this, `cargo release minor --execute` would push tags for both
eksup AND xtask (v0.1.0 → v0.1.1), cluttering the release timeline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two cleanups from code review:

- Merge build-linux + build-macos into a single build-unix job with a
  4-entry matrix (2 linux targets + 2 macos targets). The two jobs were
  95% identical — same checkout, toolchain, cache, build, archive, upload
  steps. Only the runner OS differed. Windows stays separate because its
  archive logic uses 7z/.zip vs unix tar.gz.

- Narrow top-level workflow permissions from `contents/id-token/
  attestations: write` to just `contents: read`. The elevated perms
  needed for creating the GH release + provenance attestation now live
  on the `release` job only. Build jobs run with read-only token; the
  homebrew job pushes cross-repo via its own HOMEBREW_TAP_TOKEN so
  doesn't need workflow write either. Tighter blast radius.

Net: 258 → 228 lines, single source of truth for unix archive logic,
least-privilege for build jobs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bryantbiggs bryantbiggs merged commit 888e84f into main May 25, 2026
7 checks passed
@bryantbiggs bryantbiggs deleted the chore/cargo-release-homebrew branch May 25, 2026 17:09