diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0fa794f..87ebf5b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -118,10 +118,11 @@ jobs: - name: Publish smooai-fetch to crates.io if: steps.changesets.outputs.published == 'true' - # --allow-dirty is needed because sync-versions.mjs modifies - # Cargo.toml (and rebuild updates Cargo.lock) between the - # committed state and publish. --locked would reject that mismatch. - run: cargo publish --allow-dirty --manifest-path rust/fetch/Cargo.toml + # --locked: sync-versions.mjs now stamps Cargo.lock in lockstep with + # Cargo.toml, so the lock matches and the publish build is reproducible. + # --allow-dirty: sync-versions.mjs modifies the manifests in-place at + # publish time (uncommitted), which --allow-dirty permits. + run: cargo publish --locked --allow-dirty --manifest-path rust/fetch/Cargo.toml env: CARGO_REGISTRY_TOKEN: ${{ secrets.SMOOAI_CARGO_REGISTRY_TOKEN }} diff --git a/scripts/sync-versions.mjs b/scripts/sync-versions.mjs index aba8f44..165410e 100755 --- a/scripts/sync-versions.mjs +++ b/scripts/sync-versions.mjs @@ -27,6 +27,16 @@ const files = [ pattern: /^version = ".*"$/m, replacement: `version = "${version}"`, }, + { + // Keep rust/fetch/Cargo.lock's own crate entry in lockstep with the Cargo.toml + // bump above — name-targeted so a same-versioned DEPENDENCY is never touched. + // Without this the lock pins the old version and `cargo build/publish --locked` + // rejects the mismatch (which is why the release used `--allow-dirty`); stamping + // it lets the publish run `--locked` reproducibly. + path: join(rootDir, 'rust', 'fetch', 'Cargo.lock'), + pattern: /(name = "smooai-fetch"\nversion = )"[^"]*"/, + replacement: `$1"${version}"`, + }, { path: join(rootDir, 'go', 'fetch', 'version.go'), pattern: /const Version = ".*"/,