ci: gate the release workflow on the lint and test matrix#16
Merged
Conversation
release.yml now runs tests.yml (lint + 3.11/3.12/3.13 matrix) as a 'verify' job and only builds, tags, and publishes if it passes, so a release can no longer be cut from a red main. tests.yml gains a workflow_call trigger so it is the single source of truth for both push/PR and release checks. The contents: write permission is scoped to the release job (verify stays read-only).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Make the release workflow run the full lint + test matrix before it builds and publishes.
tests.ymlgains aworkflow_calltrigger (additive; push/PR triggers unchanged).release.ymladds averifyjob that reusestests.yml(uses: ./.github/workflows/tests.yml); thereleasejob nowneeds: verify.contents: writeis scoped to thereleasejob;verifyruns read-only.Why
Previously
release.ymlran onlycheck-versions+ build, so aworkflow_dispatchrelease could publish from a redmain. Reusingtests.ymlkeeps one source of truth for the checks (no duplicated steps) and guarantees the exact released ref passes lint + the 3.11/3.12/3.13 matrix first.Validation
Workflow YAML parses; job wiring verified (
verifyreusable,release needs verify). This PR runstests.ymlvia thepull_requesttrigger. The release gate itself is first exercised on the next real release dispatch.Note:
release.ymlnow diverges from the hand-synced CrateDigger copy referenced in its header comment.🤖 Generated with Claude Code