This document describes how deslicer-cli versions move from a git tag to installable artifacts on GitHub Releases, Homebrew, and crates.io.
```text
git tag vX.Y.Z
      │
      ▼
release.yml ──► build 5 targets + SHA256 sidecars
      │         cosign keyless signatures (Sigstore OIDC)
      │         SLSA provenance attestation
      │         GitHub Release (archives + sigs + certs)
      │         floating tag v1 ──► latest v1.x compatible release
      │
      ├──► homebrew.yml (on: release published)
      │      └── PR to deslicer/homebrew-tap
      │
      └──► crates-publish.yml (on: release published)
             └── cargo publish -p deslicer-cli (OIDC Trusted Publishing)
```
Before tagging a release, make sure that:

- The `Cargo.toml` version matches the tag (tag `v1.2.3` → `version = "1.2.3"`).
- crates.io Trusted Publishing is configured for `github.com/deslicer/cli/crates-publish.yml`.
- The `HOMEBREW_TAP_TOKEN` secret is set on the repo — a PAT or GitHub App token with write access to `deslicer/homebrew-tap`.
- Changelog / release notes are prepared (GitHub auto-generates notes; edit after publish if needed).
```sh
# Ensure main is clean and version bumped in Cargo.toml
git checkout main
git pull
git tag v1.0.0
git push origin v1.0.0
```

The tag pattern `v*.*.*` triggers `.github/workflows/release.yml`.
| Target | OS runner | Archive |
|---|---|---|
| x86_64-unknown-linux-musl | ubuntu-latest | deslicer-x86_64-unknown-linux-musl.tar.gz |
| aarch64-unknown-linux-musl | ubuntu-latest | deslicer-aarch64-unknown-linux-musl.tar.gz |
| x86_64-apple-darwin | macos-latest | deslicer-x86_64-apple-darwin.tar.gz |
| aarch64-apple-darwin | macos-latest | deslicer-aarch64-apple-darwin.tar.gz |
| x86_64-pc-windows-msvc | windows-latest | deslicer-x86_64-pc-windows-msvc.zip |

Each archive has a `.sha256` sidecar file.
The publish job (the only job with `id-token: write`):

- Installs cosign and signs each archive with keyless Sigstore (`cosign sign-blob --yes`). No secret beyond `GITHUB_TOKEN` is needed for the Release itself.
- Creates/updates the GitHub Release attached to the tag.
- Moves the floating `v1` tag to the release commit (`git push origin refs/tags/v1 --force`).
The provenance job invokes the SLSA Level 3 generator (`slsa-framework/slsa-github-generator`). Pin the reusable workflow to a commit SHA before production use (see the TODO comment in the workflow).
`homebrew.yml` runs when the release is published and:

- Downloads the darwin + linux release tarballs.
- Computes SHA256 checksums.
- Opens a PR against `deslicer/homebrew-tap` updating `Formula/deslicer.rb`.

Manual dispatch is also available:

```sh
gh workflow run homebrew.yml -f version=v1.0.0
```

`crates-publish.yml` runs when the release is published and:

- Verifies the `Cargo.toml` version matches the release tag.
- Runs `cargo publish -p deslicer-cli --locked` using Trusted Publishing (GitHub OIDC → crates.io). No `CARGO_REGISTRY_TOKEN` secret is needed.
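The version-matches-tag condition appears twice above: as a prerequisite before tagging and as the guard `crates-publish.yml` applies before `cargo publish`. Below is that check written out as a local pre-tag script. It is an added example, not a script from the deslicer-cli repository; the function names are mine, the manifest is constructed for the demo, and it assumes a single-crate `Cargo.toml` whose first `version = "..."` line is the package version.

```sh
#!/bin/sh
# Added example (not part of the deslicer-cli repo): refuse to proceed unless
# the tag vX.Y.Z corresponds to version X.Y.Z in Cargo.toml.
set -eu

# Print the package version from a Cargo.toml: the first `version = "..."`
# line. Assumes [package] comes first, as in a single-crate manifest, so a
# dependency's `version = "1"` further down is never picked up.
cargo_version() {
  sed -n 's/^version *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when TAG is vMAJOR.MINOR.PATCH and the manifest version is
# MAJOR.MINOR.PATCH. Anything else (a stray "v1", a "release-1.0.0", a
# pre-release suffix, a bumped manifest with an old tag) returns 1, which is
# what stops a mismatched publish before it reaches crates.io.
check_tag_matches_manifest() {
  tag=$1
  manifest=$2
  if ! printf '%s\n' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "refusing tag '$tag': expected vMAJOR.MINOR.PATCH" >&2
    return 1
  fi
  want=${tag#v}
  have=$(cargo_version "$manifest")
  if [ "$have" != "$want" ]; then
    echo "Cargo.toml version '$have' does not match tag '$tag'" >&2
    return 1
  fi
  return 0
}

# Constructed manifest for the demo; in the real flow this is ./Cargo.toml.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Cargo.toml" <<'EOF'
[package]
name = "deslicer-cli"
version = "1.2.3"
edition = "2021"

[dependencies]
serde = { version = "1", features = ["derive"] }
EOF

check_tag_matches_manifest v1.2.3 "$demo_dir/Cargo.toml" && echo "v1.2.3: ok to tag"
if check_tag_matches_manifest v1.2.4 "$demo_dir/Cargo.toml"; then
  echo "unexpected: v1.2.4 should have been rejected"
else
  echo "v1.2.4: blocked, manifest says 1.2.3"
fi
rm -rf "$demo_dir"
```

Run it as `check_tag_matches_manifest "$TAG" Cargo.toml` right before `git tag`; inside a workflow the tag is `${GITHUB_REF#refs/tags/}`. The strict `vMAJOR.MINOR.PATCH` pattern is deliberate: it keeps the floating `v1` tag, which also matches `v*`, from ever being treated as a release version.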
The `v1` tag always points at the latest `v1.*.*` release commit. It is force-moved on every stable v1.x publish so consumers can pin:

```sh
curl -fsSL .../releases/download/v1/deslicer-x86_64-unknown-linux-musl.tar.gz
```

A semver-breaking v2.0.0 will introduce a separate floating `v2` tag policy when that major ships.
After a release:

- GitHub Release contains all five archives, `.sha256` files, and cosign `.sig`/`.cert` pairs
- `cosign verify-blob` succeeds against Sigstore for at least one artifact
- Homebrew tap PR merged (or dispatched manually)
- `deslicer-cli` version visible on https://crates.io/crates/deslicer-cli
- `v1` tag points to the new commit
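The first two items of the checklist, as a consumer-side script run on a downloaded archive: the `.sha256` sidecar is checked against the file, and the `cosign verify-blob` command is built with the signer identity pinned rather than accepting any valid Sigstore signature. This is an added example, not the project's own script. It assumes the sidecar is in `sha256sum` format (`<hex>  <filename>`), that the repository is github.com/deslicer/cli, and that the signing job runs in `.github/workflows/release.yml` under the tag ref; the sample archive is constructed so the script runs offline, and the cosign command is printed rather than executed.

```sh
#!/bin/sh
# Added example (not the project's own): integrity + authenticity checks for
# one release archive. Sidecar format, repo path and workflow file are
# assumptions stated in the lead-in.
set -eu

# Portable SHA-256 of a file (GNU coreutils sha256sum, or shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Check 1 (integrity): archive content matches the hash in its .sha256
# sidecar. Returns 1 on mismatch or when the sidecar is missing or empty.
verify_sidecar() {
  archive=$1
  sidecar="$archive.sha256"
  [ -s "$sidecar" ] || { echo "missing sidecar $sidecar" >&2; return 1; }
  expected=$(cut -d' ' -f1 "$sidecar" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$archive")
  if [ "$expected" != "$actual" ]; then
    echo "sha256 mismatch for $archive: sidecar $expected, actual $actual" >&2
    return 1
  fi
  return 0
}

# Check 2 (authenticity): the cosign invocation with the signer pinned.
# Without --certificate-identity and --certificate-oidc-issuer, a signature
# from any other keyless signer would also verify; pinning the release
# workflow of this repo is what ties the blob to release.yml. The SAN that
# GitHub Actions keyless signing puts in the certificate is the workflow
# ref the job ran under, here the pushed tag (assumption: the signing step
# is in release.yml itself, not in a reusable workflow).
cosign_verify_command() {
  archive=$1
  tag=$2
  printf 'cosign verify-blob %s --signature %s.sig --certificate %s.cert' \
    "$archive" "$archive" "$archive"
  printf ' --certificate-oidc-issuer https://token.actions.githubusercontent.com'
  printf ' --certificate-identity https://github.com/deslicer/cli/.github/workflows/release.yml@refs/tags/%s\n' \
    "$tag"
}

# Constructed demo: a fake archive with a matching sidecar, then tampered.
work=$(mktemp -d)
archive="$work/deslicer-x86_64-unknown-linux-musl.tar.gz"
printf 'not a real tarball, constructed for the demo\n' > "$archive"
printf '%s  %s\n' "$(sha256_of "$archive")" "$(basename "$archive")" > "$archive.sha256"
verify_sidecar "$archive" && echo "sidecar: OK"
printf 'x' >> "$archive"
if verify_sidecar "$archive"; then
  echo "unexpected: tampered archive passed"
else
  echo "sidecar: tampered archive rejected"
fi
echo "then run:"
cosign_verify_command "$archive" v1.2.3
rm -rf "$work"
```

The sidecar check only proves the archive and its hash travelled together; both come from the same Release, so a replaced pair would still match. The cosign step is the one that proves the Release page content came from this repository's release workflow, which is why the identity is pinned to the exact workflow path and tag rather than matched loosely. The SLSA provenance attestation from the generator job is a separate check with `slsa-verifier` against the source repository and tag.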
To roll back a broken release:

- GitHub Release — mark it pre-release or delete the release (this does not remove the git tag).
- Homebrew — revert the tap PR or pin the previous formula version.
- crates.io — yank the broken crate version (`cargo yank -p deslicer-cli --version X.Y.Z`) and publish a patch release.
- `v1` tag — manually reset it to the last good commit if needed.
Every push/PR to main runs `.github/workflows/ci.yml` (fmt, clippy, tests). Dependency policy scanning (`cargo deny`, `cargo audit`) runs non-blocking until `deny.toml` lands.