
[codex] refactor CI release workflows #133

Merged: ZR233 merged 1 commit into main from codex/refactor-ci-release-workflows on Jun 15, 2026

Conversation

ZR233 (Member) commented Jun 15, 2026

Summary

  • refactor release workflow to keep only release-plz release and release-pr jobs
  • remove GitHub Release asset packaging/upload triggers and job
  • add workspace cargo publish --workspace --dry-run --locked to Quality Check

Notes

  • release publishing remains gated on successful Quality Check workflow runs on main
  • release-plz jobs now use the official template-style split permissions and release-plz/action@v0.5
  • no Pages deploy permissions or deploy actions remain in .github/workflows

Validation

  • git diff --check
  • YAML parse via Python yaml.safe_load
  • rg search for Pages/release-assets residue
  • cargo fmt --all -- --check
  • cargo clippy --target x86_64-unknown-linux-gnu --all-features with temporary pnpm 10.33.0 wrapper
  • cargo build --target x86_64-unknown-linux-gnu --all-features with temporary pnpm 10.33.0 wrapper
  • cargo publish --workspace --dry-run --locked with temporary pnpm 10.33.0 wrapper

Local test caveat

  • cargo test --target x86_64-unknown-linux-gnu -- --nocapture was blocked locally because mkimage / u-boot-tools is missing; CI installs u-boot-tools.

ZR233 marked this pull request as ready for review June 15, 2026 12:24
ZR233 merged commit b77953d into main Jun 15, 2026
2 checks passed
ZR233 deleted the codex/refactor-ci-release-workflows branch June 15, 2026 12:25

mai-team-app (Bot) left a comment

PR #133 review: refactor CI release workflows

Overall assessment

This is a clean, well-executed CI workflow refactor. Every change is logically clear and the structure is sound.

✅ Highlights

  1. Least-privilege permissions: the top-level permissions block (contents: write and pull-requests: write) is replaced by permissions: {}, and each job is granted only the specific permissions it needs. release-plz-release gets only contents: write plus pull-requests: read; release-plz-pr gets contents: write plus pull-requests: write. This is GitHub Actions security best practice.

  2. Removal of the obsolete release-assets job: the entire binary packaging/upload flow (about 70 lines of YAML) is deleted, including the release event trigger and the workflow_dispatch manual trigger. No residual references remain.

  3. New publish validation: cargo publish --workspace --dry-run --locked is added to Quality Check, so publishing configuration problems are caught early in CI.

  4. Correct YAML anchor usage: all anchors (&checkout, &install-rust, &release_env, etc.) are defined in the first job and correctly reused in the second.

  5. Simplified trigger condition: the redundant github.event_name == 'workflow_run' check is removed (the on: trigger is workflow_run only).

📝 Minor observations (non-blocking)

  1. Version pinning relaxed: release-plz/action@v0.5.128 becomes @v0.5, and actions/checkout@v6.0.2 becomes @v6. Moving from exact versions to semver ranges picks up patch updates automatically. This is acceptable for CI, but if the project has strict supply-chain security requirements, consider keeping exact versions.

  2. cargo publish --dry-run does not specify --target: the other steps all use --target ${{ matrix.targets }}, but cargo publish is a registry operation and normally does not need --target. The current matrix contains only x86_64-unknown-linux-gnu (the host platform), so this is not a problem.

Verification results

  • git diff --check: passed ✅
  • No residual Pages/deploy/release-assets references: passed ✅
  • No workspace crate has publish = false, so the dry run covers everything: passed ✅
  • YAML structure is valid (no tab indentation): passed ✅

Conclusion

APPROVE: the changes are clear, safe and follow best practice; ready to merge.

Powered by mimo-v2.5-pro
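The permission split, the workflow_run gate and the anchor reuse that the summary and the review describe, written out as one complete workflow. This is an added illustration, not the project's workflow file or the review bot's code: the job names, anchor names, the "Quality Check" gate, the per-job permission sets and the action versions are taken from the discussion above, while the step bodies, the toolchain action and the secret names follow the release-plz quickstart and are assumptions here.

```yaml
# Added example, not the project's own .github/workflows file.
# Assumed: dtolnay/rust-toolchain for the toolchain step and the
# GITHUB_TOKEN / CARGO_REGISTRY_TOKEN secret names (release-plz defaults).
name: Release

# Sole trigger: a completed run of the Quality Check workflow on main.
# Because workflow_run is the only event, a separate
# github.event_name == 'workflow_run' guard adds nothing.
on:
  workflow_run:
    workflows: ["Quality Check"]
    types: [completed]
    branches: [main]

# Before (the weak setting): one top-level grant that every job, and every
# third-party action step inside it, inherits.
#
# permissions:
#   contents: write
#   pull-requests: write
#
# After: no default grant at all; each job declares exactly what it needs.
permissions: {}

jobs:
  release-plz-release:
    name: Release-plz release
    runs-on: ubuntu-latest
    # Publishing is gated on a green Quality Check run.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    permissions:
      contents: write        # push tags, create the GitHub release
      pull-requests: read    # read-only: this job never edits PRs
    steps:
      # Anchors are defined once here and reused by the second job.
      # Tighter supply-chain pin if required: a full 40-hex commit SHA with
      # the tag as a trailing comment, e.g.
      #   uses: actions/checkout@<commit sha>  # v6.0.2
      - &checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0     # release-plz needs full history for changelogs
      - &install-rust
        uses: dtolnay/rust-toolchain@stable
      - uses: release-plz/action@v0.5
        with:
          command: release
        env: &release_env
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

  release-plz-pr:
    name: Release-plz PR
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    permissions:
      contents: write        # push the release branch
      pull-requests: write   # open / update the release PR
    concurrency:
      group: release-plz-${{ github.ref }}
      cancel-in-progress: false
    steps:
      - *checkout
      - *install-rust
      - uses: release-plz/action@v0.5
        with:
          command: release-pr
        env: *release_env
```

The practical check after writing such a file is the one the review implies: confirm that the top-level permissions block is literally empty, that no job holds a scope it does not use (a job whose steps only read pull requests should hold pull-requests: read, as above), and that every `uses:` reference resolves to a tag or commit you intend, since a floating major tag such as @v6 will move on its own.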
