From e0becac1e764cda1bc71f865b9c1e1273a2e64db Mon Sep 17 00:00:00 2001 From: Denys Zadorozhnyi Date: Tue, 28 Oct 2025 11:11:27 +0200 Subject: [PATCH 1/5] chore: revamp the release process automation The new release process will be the following: Release of the Miden Compiler 1. Merging to `main` will create a new release PR containing any unreleased changes. 2. Optional. Change the proposed crate version, CHANGELOG edits. 3. The release PR gets merged to `main` when we are ready to publish the release. 4. The crates are published to crates.io, a new git tag is created, as well as a GitHub release 5. A job is run to pre-build the executable for our supported targets and upload them to the created Github release. 6. Merge the `main` branch back to the `next` branch. Release of the Miden SDK crates 1. Create a release PR naming the branch with the `release-plz-` prefix (its important to use this prefix to trigger the crate publishing on CI in one of the next steps). 2. Bump the SDK crates versions and update the CHANGELOG. 3. Merge it into the main branch. 4. The CI will automatically run `release-plz release` after the release PR is merged to publish the new versions to crates.io. 5. Set a git tag for the published crates to mark the release. 6. Make a Github release. 7. Merge the `main` branch back to the `next` branch. Implementation details: 1. Suppress git tag and github release creation for all the crates except `midenc` and `miden`(SDK). 2. In `uploading-artifacts` CI job find the release tags for `midenc` (to ignore SDK release). --- .github/workflows/release.yml | 124 ++++++++++++++++++++++++++++------ CONTRIBUTING.md | 22 +++--- Makefile.toml | 16 +++++ release-plz.toml | 28 +++++--- 4 files changed, 154 insertions(+), 36 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index da1a32edf..e766c1319 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,37 +1,123 @@ -# Runs `release-plz release` only after the release PR (starts with `release-plz-`) -# is merged to the next branch. See `release_always = false` in `release-plz.toml` -# Publishes any unpublished crates when. -# Does nothing if all crates are already published (i.e. have their versions on crates.io). -# Does not create/update release PRs. -# The crate version bumping and changelog generation is done via the `release-plz update` CLI command. -# Then manually create a release PR(starts with `release-plz-`) with the proposed changes and -# when the PR is merged this action will publish the crates. -# See CONTRIBUTING.md for more details. - -name: release-plz +# Our release workflow is as follows: +# +# 1. Merging to `main` will create a new release PR containing any unreleased changes +# 2. The release PR gets merged to `main` when we are ready to publish the release +# 3. The crates are published to crates.io, a new git tag is created, as well as a GitHub release +# 4. A job is run to pre-build the executable for our supported targets and upload them to the +# release. +name: release on: push: branches: - - next + - main jobs: - release-plz: - name: release-plz + publish: + name: publish any unpublished packages runs-on: ubuntu-latest + if: ${{ github.repository_owner == '0xMiden' }} + permissions: + contents: write + outputs: + releases: ${{ steps.publish.outputs.releases }} + releases_created: ${{ steps.publish.outputs.releases_created }} steps: - - uses: actions/checkout@v5 - - name: Install Rust + - &checkout + uses: actions/checkout@v5 + with: + fetch-depth: 0 + persist-credentials: false + - &install-rust + name: Install Rust run: | rustup update --no-self-update rustc --version - name: Publish + id: publish uses: release-plz/action@v0.5 with: - # Only run the `release` command that publishes any unpublished crates. command: release - # `manifest_path` is omitted because it defaults to the root directory - # manifest_path: "..." + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} + + upload-artifacts: + name: upload pre-built midenc executable artifacts + runs-on: ubuntu-latest + needs: publish + if: ${{ github.repository_owner == '0xMiden' && needs.publish.outputs.releases_created == 'true' }} + permissions: + contents: write + strategy: + matrix: + target: [aarch64-apple-darwin, x86_64-unknown-linux-gnu] + steps: + - *checkout + - *install-rust + - name: Determine midenc release tag + id: midenc-release + env: + RELEASES: ${{ needs.publish.outputs.releases }} + run: | + set -eo pipefail + echo "RELEASES:" + echo "==================" + echo "${RELEASES}" | jq -rM + echo "==================" + release_tag=$(echo "${RELEASES}" | jq -r '.[] | select(.package_name == "midenc" or .package_name == "cargo-miden") | .tag' | head -n1) + if [ -z "${release_tag}" ] || [ "${release_tag}" = "null" ]; then + echo "midenc or cargo-miden crate was not released in this run. Skipping artifact upload." + echo "release_tag=" >> "${GITHUB_OUTPUT}" + exit 0 + fi + echo "release_tag=${release_tag}" >> "${GITHUB_OUTPUT}" + - name: Add target + if: ${{ steps.midenc-release.outputs.release_tag != '' }} + run: | + rustup target add ${{ matrix.target }} + - name: Install cargo-make + if: ${{ steps.midenc-release.outputs.release_tag != '' }} + run: | + if ! cargo make --version 2>/dev/null; then + cargo install cargo-make --force + fi + - name: build binaries + if: ${{ steps.midenc-release.outputs.release_tag != '' }} + run: | + set -e + ARGS="--release --target ${{ matrix.target }}" + cargo make --profile production midenc ${ARGS} + cargo make --profile production cargo-miden ${ARGS} + - name: upload + if: ${{ steps.midenc-release.outputs.release_tag != '' }} + env: + RELEASE_TAG: ${{ steps.midenc-release.outputs.release_tag }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + mv bin/midenc midenc-${{ matrix.target }} + gh release upload ${RELEASE_TAG} midenc-${{ matrix.target }} + mv bin/cargo-miden cargo-miden-${{ matrix.target }} + gh release upload ${RELEASE_TAG} cargo-miden-${{ matrix.target }} + + release: + name: prepare the next release + runs-on: ubuntu-latest + if: ${{ github.repository_owner == '0xMiden' }} + permissions: + contents: write + pull-requests: write + concurrency: + group: release-plz-${{ github.ref }} + cancel-in-progress: false + steps: + - *checkout + - *install-rust + - name: Create release PR + uses: release-plz/action@v0.5 + with: + command: release-pr env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9a88fd2f0..c55168503 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -4,17 +4,21 @@ TBD ## Release Process -### Prerequisites +### Release of the Miden Compiler -Install `release-plz` CLI tool following the instructions [here](https://release-plz.ieni.dev/docs/usage/installation) -Install `cargo-semver-checks` CLI tool [here](https://github.com/obi1kenobi/cargo-semver-checks#installation) to use as an extra check in `release-plz` and bump the major versions on semver violations. +1. Merging to `main` will create a new release PR containing any unreleased changes. +2. Optional. Change the proposed crate version, CHANGELOG edits. +3. The release PR gets merged to `main` when we are ready to publish the release. +4. The crates are published to crates.io, a new git tag is created, as well as a GitHub release +5. A job is run to pre-build the executable for our supported targets and upload them to the created Github release. +6. Merge the `main` branch back to the `next` branch. -### Release of the Miden Compiler and Miden SDK crates +### Release of the Miden SDK crates -The release process for the Miden Compiler and Miden SDK is managed using the `release-plz` tool. The following steps outline the process for creating a new release: - -1. Run `release-plz update` in the repo root folder to update the crates versions and generate changelogs. -2. Create a release PR naming the branch with the `release-plz-` prefix (its important to use this prefix to trigger the crate publishing on CI in step 4). -3. Review the changes in the release PR, commit edits if needed and merge it into the main branch. +1. Create a release PR naming the branch with the `release-plz-` prefix (its important to use this prefix to trigger the crate publishing on CI in one of the next steps). +2. Bump the SDK crates versions and update the CHANGELOG. +3. Merge it into the main branch. 4. The CI will automatically run `release-plz release` after the release PR is merged to publish the new versions to crates.io. 5. Set a git tag for the published crates to mark the release. +6. Make a Github release. +7. Merge the `main` branch back to the `next` branch. diff --git a/Makefile.toml b/Makefile.toml index 72b4943ba..5eaed34ca 100644 --- a/Makefile.toml +++ b/Makefile.toml @@ -182,6 +182,22 @@ args = [ "midenc", "--artifact-dir", "${MIDENC_BIN_DIR}", + "@@split(CARGO_MAKE_TASK_ARGS, )", +] + +[tasks.cargo-miden] +category = "Build" +description = "Builds cargo-miden and installs it to the bin folder" +command = "cargo" +args = [ + "-Z", + "unstable-options", + "build", + "-p", + "cargo-miden", + "--artifact-dir", + "${MIDENC_BIN_DIR}", + "@@split(CARGO_MAKE_TASK_ARGS, )", ] [tasks.build] diff --git a/release-plz.toml b/release-plz.toml index e97025318..7c31fb4a9 100644 --- a/release-plz.toml +++ b/release-plz.toml @@ -1,10 +1,22 @@ [workspace] -# Only publish when the release PR is merged (starts with `release-plz-`) -# https://release-plz.ieni.dev/docs/config#the-release_always-field +pr_branch_prefix = "release-plz-" +# Only publish when the release PR is merged +# https://release-plz.dev/docs/config#the-release_always-field release_always = false -# Do not create a github release -# https://release-plz.ieni.dev/docs/config#the-git_release_enable-field -git_release_enable = false -# Does not create a git tag -# https://release-plz.ieni.dev/docs/config#the-git_tag_enable-field -git_tag_enable = false \ No newline at end of file +# Skip GitHub releases and git tags by default, individual crates can opt in +git_release_enable = false +git_tag_enable = false + +[[package]] +name = "midenc" +git_release_enable = true +git_tag_enable = true +git_tag_name = "{{ version }}" +git_release_name = "{{ version }}" + +# SDK +[[package]] +name = "miden" +git_release_enable = false +git_tag_enable = true +git_tag_name = "SDK-v{{ version }}" From bd26145c98bf80cbbd115186ecb08fe0cb6f4d7d Mon Sep 17 00:00:00 2001 From: Denys Zadorozhnyi Date: Tue, 4 Nov 2025 10:47:07 +0200 Subject: [PATCH 2/5] fix: put the old release process to be used for Miden SDK at `release_old.yml` --- .github/workflows/release_old.yml | 34 +++++++++++++++++++++++++++++++ CONTRIBUTING.md | 9 +++----- 2 files changed, 37 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/release_old.yml diff --git a/.github/workflows/release_old.yml b/.github/workflows/release_old.yml new file mode 100644 index 000000000..7e0b0daf0 --- /dev/null +++ b/.github/workflows/release_old.yml @@ -0,0 +1,34 @@ +# The old release process left for releasing the Miden SDK until it moves to a separate repo. +# +# Runs `release-plz release` only after the release PR (starts with `release-plz-`) +# is merged to the next branch. Publishes any unpublished crates. +# Does nothing if all crates are already published (i.e. have their versions on crates.io). +# Does not create/update release PRs. +# +# See CONTRIBUTING.md for more details. + +name: release-miden-sdk + +on: + push: + branches: + - next + +jobs: + publish: + name: publish any unpublished packages + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - name: Install Rust + run: | + rustup update --no-self-update + rustc --version + - name: Publish + uses: release-plz/action@v0.5 + with: + # Only run the `release` command that publishes any unpublished crates. + command: release + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c55168503..dfea75e1a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -15,10 +15,7 @@ TBD ### Release of the Miden SDK crates -1. Create a release PR naming the branch with the `release-plz-` prefix (its important to use this prefix to trigger the crate publishing on CI in one of the next steps). -2. Bump the SDK crates versions and update the CHANGELOG. -3. Merge it into the main branch. +1. Create a release PR against the `next` branch naming the branch with the `release-plz-` prefix (its important to use this prefix to trigger the crate publishing on CI in the later step). +2. Manually bump ALL the SDK crate versions and update the `sdk/sdk/CHANGELOG.md` +3. Review the changes in the release PR, and merge it into the `next` branch. 4. The CI will automatically run `release-plz release` after the release PR is merged to publish the new versions to crates.io. -5. Set a git tag for the published crates to mark the release. -6. Make a Github release. -7. Merge the `main` branch back to the `next` branch. From 9f5789621b116ed5188d79198a3825f1dce5ae50 Mon Sep 17 00:00:00 2001 From: Denys Zadorozhnyi Date: Tue, 4 Nov 2025 10:51:32 +0200 Subject: [PATCH 3/5] fix: use `MIDEN_RELEASE_TOKEN` token for the new release CI workflow --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e766c1319..95f13b21c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,7 +39,7 @@ jobs: with: command: release env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MIDEN_RELEASE_TOKEN }} CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} upload-artifacts: @@ -93,7 +93,7 @@ jobs: if: ${{ steps.midenc-release.outputs.release_tag != '' }} env: RELEASE_TAG: ${{ steps.midenc-release.outputs.release_tag }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.MIDEN_RELEASE_TOKEN }} run: | set -e mv bin/midenc midenc-${{ matrix.target }} @@ -119,5 +119,5 @@ jobs: with: command: release-pr env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.MIDEN_RELEASE_TOKEN }} CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} From 9f5e086e1cc431b222f0258e70a33b5d953e9596 Mon Sep 17 00:00:00 2001 From: Denys Zadorozhnyi Date: Tue, 4 Nov 2025 10:54:57 +0200 Subject: [PATCH 4/5] fix: remove setting git tag for an SDK release --- release-plz.toml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/release-plz.toml b/release-plz.toml index 7c31fb4a9..335132758 100644 --- a/release-plz.toml +++ b/release-plz.toml @@ -14,9 +14,3 @@ git_tag_enable = true git_tag_name = "{{ version }}" git_release_name = "{{ version }}" -# SDK -[[package]] -name = "miden" -git_release_enable = false -git_tag_enable = true -git_tag_name = "SDK-v{{ version }}" From acc94c3626bb72c1a16698e4db1e488fe82a061c Mon Sep 17 00:00:00 2001 From: Denys Zadorozhnyi Date: Tue, 4 Nov 2025 10:57:23 +0200 Subject: [PATCH 5/5] fix: set read-only permission for the `publish` CI jobs --- .github/workflows/release.yml | 4 ++-- .github/workflows/release_old.yml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 95f13b21c..900bd00a6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.repository_owner == '0xMiden' }} permissions: - contents: write + contents: read outputs: releases: ${{ steps.publish.outputs.releases }} releases_created: ${{ steps.publish.outputs.releases_created }} @@ -39,7 +39,7 @@ jobs: with: command: release env: - GITHUB_TOKEN: ${{ secrets.MIDEN_RELEASE_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} upload-artifacts: diff --git a/.github/workflows/release_old.yml b/.github/workflows/release_old.yml index 7e0b0daf0..36fc3852d 100644 --- a/.github/workflows/release_old.yml +++ b/.github/workflows/release_old.yml @@ -18,6 +18,8 @@ jobs: publish: name: publish any unpublished packages runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v5 - name: Install Rust