fix(release): stop masking crates.io publish failures behind exit code 101#24
Merged
Conversation
…e 101 cargo exits 101 for EVERY error, not just 'version already exists' — so the same-version tolerance matched on the exit code masked a real 403 (CARGO_REGISTRY_TOKEN lacking permission for the ratify-c crate) as 'already published — ok' at v1.0.0-alpha.13, and the publish-crates job reported success while ratify-c remained at alpha.8 on crates.io. Both publish steps now tolerate only output matching an actual already-exists message and fail loud on everything else. The token itself must also be re-scoped to cover ratify-c (operator action; crates.io dashboard), after which re-running the alpha.13 publish-crates job will publish ratify-c@1.0.0-alpha.13. Signed-off-by: chuks <891251+chuks@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
At v1.0.0-alpha.13, the
cargo publish (ratify-c)step hit a real 403 —CARGO_REGISTRY_TOKENis scoped toratify-protocolonly — but the job reported success because cargo exits 101 for every error and the same-version tolerance matched on the exit code. Silent failure, caught only by post-release registry verification.Fix: both crates publish steps now capture output and tolerate only genuine
already exists/uploadedmessages; anything else fails the job loudly.Operator action still needed (not fixable from the repo): re-scope the crates.io token to also cover
ratify-c(crates.io → Account → API Tokens; the crate is owned by the same account — alpha.8 was published with the old manual flow), update theCARGO_REGISTRY_TOKENrepo secret, then re-run the alpha.13publish-cratesjob from the Actions UI —ratify-protocolre-upload is cleanly tolerated,ratify-c@1.0.0-alpha.13publishes.Note: this PR fixes future releases (tag workflows run at the tag's ref); the alpha.13 recovery path is the job re-run above.