genmeta · eareimu · Jun 21, 2026 · Jun 21, 2026 · Jun 22, 2026 · Jun 22, 2026
diff --git a/.github/workflows/publish-crates.yml b/.github/workflows/publish-crates.yml
@@ -22,22 +22,19 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - name: Install Rust stable toolchain
+      - name: Install Rust nightly toolchain
         run: |
-          rustup toolchain install stable --profile minimal --component clippy
-          rustup default stable
-
-      - name: Install Rust nightly for formatting
-        run: rustup toolchain install nightly --profile minimal --component rustfmt
+          rustup toolchain install nightly --profile minimal --component rustfmt --component clippy
+          rustup default nightly
 
       - name: Check formatting
         run: cargo +nightly fmt -- --check
 
       - name: Run clippy
-        run: cargo clippy --workspace --all-targets --all-features -- -D warnings
+        run: cargo +nightly clippy --workspace --all-targets --all-features -- -D warnings
 
       - name: Run tests
-        run: cargo test --workspace --all-targets --all-features
+        run: cargo +nightly test --workspace --all-targets --all-features
 
       - name: Plan crates.io publish packages
         id: publish_plan
@@ -87,7 +84,7 @@ jobs:
             exit 0
           fi
 
-          cargo metadata --format-version 1 > "$RUNNER_TEMP/workspace-metadata.json"
+          cargo +nightly metadata --format-version 1 > "$RUNNER_TEMP/workspace-metadata.json"
           package_versions="$(
             PACKAGES="$(printf '%s\n' "${packages[@]}")" RUNNER_TEMP="$RUNNER_TEMP" python3 - <<'PY'
           import json
@@ -160,10 +157,10 @@ jobs:
           fi
 
           if [[ "$mode" == "dry-run" ]]; then
-            publish_args=(cargo publish --dry-run --locked)
+            publish_args=(cargo +nightly publish --dry-run --locked)
             echo "dry-run publish packages: ${packages_to_publish[*]}"
           else
-            publish_args=(cargo publish --locked)
+            publish_args=(cargo +nightly publish --locked)
             echo "publish packages: ${packages_to_publish[*]}"
           fi
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,6 +19,8 @@ concurrency:
 env:
   CARGO_TERM_COLOR: always
   XTASK_RELEASE_S3_ENDPOINT_URL: ${{ vars.XTASK_RELEASE_S3_ENDPOINT_URL }}
+  DHTTP_ROOT_CA_PEM: ${{ secrets.DHTTP_ROOT_CA_PEM }}
+  DHTTP_ROOT_CA: ${{ github.workspace }}/.release/dhttp-root-ca.pem
   DHTTP_STUN_SERVER: ${{ vars.DHTTP_STUN_SERVER }}
   DHTTP_H3_DNS_SERVER: ${{ vars.DHTTP_H3_DNS_SERVER }}
   DHTTP_HTTP_DNS_SERVER: ${{ vars.DHTTP_HTTP_DNS_SERVER }}
@@ -89,10 +91,6 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 240
     env:
-      DHTTP_ROOT_CA: ${{ github.workspace }}/gmutils/keychain/root.crt
-      RELEASE_BUCKET: download
-      APT_SUITE: genmeta
-      APT_PREFIX: ppa/genmeta
       LINUX_TARGETS: x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu armv7-unknown-linux-gnueabihf i686-unknown-linux-gnu
     defaults:
       run:
@@ -105,11 +103,26 @@ jobs:
           path: gmutils
           persist-credentials: false
 
+      - name: Materialize DHTTP root CA
+        run: |
+          set -euo pipefail
+          if [ -z "${DHTTP_ROOT_CA_PEM:-}" ]; then
+            echo "missing required release configuration: DHTTP_ROOT_CA_PEM" >&2
+            exit 1
+          fi
+          mkdir -p "$(dirname "$DHTTP_ROOT_CA")"
+          python3 - <<'PY' > "$DHTTP_ROOT_CA"
+          import os
+
+          pem = os.environ["DHTTP_ROOT_CA_PEM"]
+          print(pem.replace("\\n", "\n"), end="" if pem.endswith("\n") else "\n")
+          PY
+
 
       - name: Install Rust
         run: |
-          rustup toolchain install stable --profile minimal
-          rustup default stable
+          rustup toolchain install nightly --profile minimal
+          rustup default nightly
 
       - name: Cache cargo downloads
         uses: actions/cache@v5
@@ -139,6 +152,7 @@ jobs:
           missing=0
           required=(
             XTASK_RELEASE_S3_ENDPOINT_URL
+            DHTTP_ROOT_CA
             DHTTP_STUN_SERVER
             DHTTP_H3_DNS_SERVER
             DHTTP_HTTP_DNS_SERVER
@@ -191,22 +205,19 @@ jobs:
           XTASK_RELEASE_S3_SECRET_ACCESS_KEY: ${{ secrets.XTASK_RELEASE_S3_SECRET_ACCESS_KEY }}
           XTASK_RELEASE_APT_SIGNING_KEY: ${{ secrets.XTASK_RELEASE_APT_SIGNING_KEY }}
           XTASK_RELEASE_APT_SIGNING_PASSPHRASE: ${{ secrets.XTASK_RELEASE_APT_SIGNING_PASSPHRASE }}
-          APT_SIGNING_FINGERPRINT: ${{ steps.apt_key.outputs.fingerprint }}
+          XTASK_RELEASE_APT_SIGNING_FINGERPRINT: ${{ steps.apt_key.outputs.fingerprint }}
         run: |
           set -euo pipefail
           export XTASK_RELEASE_APT_SIGNING_PASSPHRASE
           mode=dry-run
           if [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" == v* ]]; then
             mode=publish
           fi
-          publish_cmd=(cargo xtask publish s3)
+          publish_cmd=(env RUSTFLAGS="${RUSTFLAGS:-} --cfg xtask_s3_publish" cargo run --package xtask -- publish s3)
           if [[ "$mode" == "dry-run" ]]; then
             publish_cmd+=(--dry-run)
           fi
-          "${publish_cmd[@]}" \
-            --endpoint-url "$XTASK_RELEASE_S3_ENDPOINT_URL" \
-            --bucket "$RELEASE_BUCKET" \
-            deb --prefix "$APT_PREFIX" --suite "$APT_SUITE" --fingerprint "$APT_SIGNING_FINGERPRINT"
+          "${publish_cmd[@]}" deb
 
       - name: Upload deb packages to GitHub Release
         if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v')
@@ -247,9 +258,6 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 240
     env:
-      DHTTP_ROOT_CA: ${{ github.workspace }}/gmutils/keychain/root.crt
-      RELEASE_BUCKET: download
-      RPM_PREFIX: rpm/gmutils
       # Fedora 40 RPM repositories no longer provide armhfp/armv7hl metadata.
       RPM_TARGETS: x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu i686-unknown-linux-gnu
     defaults:
@@ -263,11 +271,26 @@ jobs:
           path: gmutils
           persist-credentials: false
 
+      - name: Materialize DHTTP root CA
+        run: |
+          set -euo pipefail
+          if [ -z "${DHTTP_ROOT_CA_PEM:-}" ]; then
+            echo "missing required release configuration: DHTTP_ROOT_CA_PEM" >&2
+            exit 1
+          fi
+          mkdir -p "$(dirname "$DHTTP_ROOT_CA")"
+          python3 - <<'PY' > "$DHTTP_ROOT_CA"
+          import os
+
+          pem = os.environ["DHTTP_ROOT_CA_PEM"]
+          print(pem.replace("\\n", "\n"), end="" if pem.endswith("\n") else "\n")
+          PY
+
 
       - name: Install Rust
         run: |
-          rustup toolchain install stable --profile minimal
-          rustup default stable
+          rustup toolchain install nightly --profile minimal
+          rustup default nightly
 
       - name: Cache cargo downloads
         uses: actions/cache@v5
@@ -294,6 +317,7 @@ jobs:
           missing=0
           required=(
             XTASK_RELEASE_S3_ENDPOINT_URL
+            DHTTP_ROOT_CA
             DHTTP_STUN_SERVER
             DHTTP_H3_DNS_SERVER
             DHTTP_HTTP_DNS_SERVER
@@ -334,14 +358,11 @@ jobs:
           if [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" == v* ]]; then
             mode=publish
           fi
-          publish_cmd=(cargo xtask publish s3)
+          publish_cmd=(env RUSTFLAGS="${RUSTFLAGS:-} --cfg xtask_s3_publish" cargo run --package xtask -- publish s3)
           if [[ "$mode" == "dry-run" ]]; then
             publish_cmd+=(--dry-run)
           fi
-          "${publish_cmd[@]}" \
-            --endpoint-url "$XTASK_RELEASE_S3_ENDPOINT_URL" \
-            --bucket "$RELEASE_BUCKET" \
-            rpm --prefix "$RPM_PREFIX"
+          "${publish_cmd[@]}" rpm
 
       - name: Upload rpm packages to GitHub Release
         if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v')
@@ -381,11 +402,6 @@ jobs:
     name: Linux scoop packages and S3 publish
     runs-on: ubuntu-24.04
     timeout-minutes: 240
-    env:
-      DHTTP_ROOT_CA: ${{ github.workspace }}/gmutils/keychain/root.crt
-      RELEASE_BUCKET: download
-      SCOOP_PREFIX: scoop/gmutils
-      SCOOP_PUBLIC_BASE_URL: https://download.dhttp.net/scoop/gmutils
     defaults:
       run:
         shell: bash
@@ -397,11 +413,26 @@ jobs:
           path: gmutils
           persist-credentials: false
 
+      - name: Materialize DHTTP root CA
+        run: |
+          set -euo pipefail
+          if [ -z "${DHTTP_ROOT_CA_PEM:-}" ]; then
+            echo "missing required release configuration: DHTTP_ROOT_CA_PEM" >&2
+            exit 1
+          fi
+          mkdir -p "$(dirname "$DHTTP_ROOT_CA")"
+          python3 - <<'PY' > "$DHTTP_ROOT_CA"
+          import os
+
+          pem = os.environ["DHTTP_ROOT_CA_PEM"]
+          print(pem.replace("\\n", "\n"), end="" if pem.endswith("\n") else "\n")
+          PY
+
 
       - name: Install Rust
         run: |
-          rustup toolchain install stable --profile minimal
-          rustup default stable
+          rustup toolchain install nightly --profile minimal
+          rustup default nightly
           rustup target add x86_64-pc-windows-msvc i686-pc-windows-msvc
 
       - name: Cache cargo downloads
@@ -436,6 +467,7 @@ jobs:
           missing=0
           required=(
             XTASK_RELEASE_S3_ENDPOINT_URL
+            DHTTP_ROOT_CA
             DHTTP_STUN_SERVER
             DHTTP_H3_DNS_SERVER
             DHTTP_HTTP_DNS_SERVER
@@ -469,14 +501,11 @@ jobs:
           if [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" == v* ]]; then
             mode=publish
           fi
-          publish_cmd=(cargo xtask publish s3)
+          publish_cmd=(env RUSTFLAGS="${RUSTFLAGS:-} --cfg xtask_s3_publish" cargo run --package xtask -- publish s3)
           if [[ "$mode" == "dry-run" ]]; then
             publish_cmd+=(--dry-run)
           fi
-          "${publish_cmd[@]}" \
-            --endpoint-url "$XTASK_RELEASE_S3_ENDPOINT_URL" \
-            --bucket "$RELEASE_BUCKET" \
-            scoop --prefix "$SCOOP_PREFIX" --public-base-url "$SCOOP_PUBLIC_BASE_URL"
+          "${publish_cmd[@]}" scoop
 
       - name: Upload scoop packages to GitHub Release
         if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v')
@@ -516,13 +545,6 @@ jobs:
     name: Homebrew package and S3 publish
     runs-on: macos-15
     timeout-minutes: 120
-    env:
-      DHTTP_ROOT_CA: ${{ github.workspace }}/gmutils/keychain/root.crt
-      RELEASE_BUCKET: download
-      BREW_PREFIX: brew/gmutils
-      BREW_PUBLIC_BASE_URL: https://download.dhttp.net/brew/gmutils
-      HOMEBREW_TAP_REPOSITORY: genmeta/homebrew-genmeta
-      HOMEBREW_TAP_BASE_BRANCH: main
     defaults:
       run:
         shell: bash
@@ -534,6 +556,35 @@ jobs:
           path: gmutils
           persist-credentials: false
 
+      - name: Materialize DHTTP root CA
+        run: |
+          set -euo pipefail
+          if [ -z "${DHTTP_ROOT_CA_PEM:-}" ]; then
+            echo "missing required release configuration: DHTTP_ROOT_CA_PEM" >&2
+            exit 1
+          fi
+          mkdir -p "$(dirname "$DHTTP_ROOT_CA")"
+          python3 - <<'PY' > "$DHTTP_ROOT_CA"
+          import os
+
+          pem = os.environ["DHTTP_ROOT_CA_PEM"]
+          print(pem.replace("\\n", "\n"), end="" if pem.endswith("\n") else "\n")
+          PY
+
+      - name: Read Homebrew tap destination
+        id: homebrew_destination
+        run: |
+          set -euo pipefail
+          python3 - <<'PY' >> "$GITHUB_OUTPUT"
+          import tomllib
+          from pathlib import Path
+
+          destination = tomllib.loads(Path("xtask/release.toml").read_text())
+          tap = destination["destination"]["brew"]["tap"]
+          print(f"repository={tap['repository']}")
+          print(f"base_branch={tap['base_branch']}")
+          PY
+
       - name: Validate release configuration
         env:
           XTASK_RELEASE_S3_ACCESS_KEY_ID: ${{ secrets.XTASK_RELEASE_S3_ACCESS_KEY_ID }}
@@ -544,6 +595,7 @@ jobs:
           missing=0
           required=(
             XTASK_RELEASE_S3_ENDPOINT_URL
+            DHTTP_ROOT_CA
             DHTTP_STUN_SERVER
             DHTTP_H3_DNS_SERVER
             DHTTP_HTTP_DNS_SERVER
@@ -565,15 +617,15 @@ jobs:
         if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v')
         uses: actions/checkout@v6
         with:
-          repository: ${{ env.HOMEBREW_TAP_REPOSITORY }}
-          ref: ${{ env.HOMEBREW_TAP_BASE_BRANCH }}
+          repository: ${{ steps.homebrew_destination.outputs.repository }}
+          ref: ${{ steps.homebrew_destination.outputs.base_branch }}
           path: homebrew-tap
           token: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
 
       - name: Install Rust
         run: |
-          rustup toolchain install stable --profile minimal
-          rustup default stable
+          rustup toolchain install nightly --profile minimal
+          rustup default nightly
           rustup target add aarch64-apple-darwin x86_64-apple-darwin
 
       - name: Cache cargo downloads
@@ -603,32 +655,30 @@ jobs:
           if [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" == v* ]]; then
             mode=publish
           fi
-          publish_cmd=(cargo xtask publish s3)
+          publish_cmd=(env RUSTFLAGS="${RUSTFLAGS:-} --cfg xtask_s3_publish" cargo run --package xtask -- publish s3)
           if [[ "$mode" == "dry-run" ]]; then
             publish_cmd+=(--dry-run)
           fi
-          "${publish_cmd[@]}" \
-            --endpoint-url "$XTASK_RELEASE_S3_ENDPOINT_URL" \
-            --bucket "$RELEASE_BUCKET" \
-            brew --prefix "$BREW_PREFIX" --public-base-url "$BREW_PUBLIC_BASE_URL"
+          "${publish_cmd[@]}" brew
 
       - name: Create Homebrew tap pull request
         if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v')
         env:
           GH_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          HOMEBREW_TAP_REPOSITORY: ${{ steps.homebrew_destination.outputs.repository }}
+          HOMEBREW_TAP_BASE_BRANCH: ${{ steps.homebrew_destination.outputs.base_branch }}
           FORMULA_NAME: gmutils.rb
         run: |
           set -euo pipefail
           tap_dir="$GITHUB_WORKSPACE/homebrew-tap"
           formula_source="$PWD/target/common/brew/$FORMULA_NAME"
-          formula_dest="$tap_dir/Formula/$FORMULA_NAME"
+          formula_dest="$tap_dir/$FORMULA_NAME"
           test -f "$formula_source"
 
-          mkdir -p "$tap_dir/Formula"
           cp "$formula_source" "$formula_dest"
 
           cd "$tap_dir"
-          if git diff --quiet -- "Formula/$FORMULA_NAME"; then
+          if [[ -z "$(git status --porcelain -- "$FORMULA_NAME")" ]]; then
             echo "homebrew tap formula is unchanged"
             exit 0
           fi
@@ -637,7 +687,7 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git switch -c "$branch"
-          git add "Formula/$FORMULA_NAME"
+          git add "$FORMULA_NAME"
           git commit -m "brew: update $FORMULA_NAME"
           git push origin "$branch"
           gh pr create \