Skip to content

chore: crates.io badges, README accuracy, release-plz migration#20

Merged
polaz merged 6 commits into
mainfrom
chore/#19-readme-release-plz
Jun 19, 2026
Merged

chore: crates.io badges, README accuracy, release-plz migration#20
polaz merged 6 commits into
mainfrom
chore/#19-readme-release-plz

Conversation

@polaz

@polaz polaz commented Jun 19, 2026

Copy link
Copy Markdown
Member

Summary

Repo maintenance, no product code. Two concerns, separate commits.

docs(readme)

  • Adds crates.io ecosystem badges (version, docs.rs, CI, downloads, license).
  • Corrects stale content against the actual code:
    • Config schema: upstream.default (not .address), descriptors list (not descriptor), listen.http, cors.origins, real shield fields.
    • Library Usage now uses the real API ProxyServer::from_config().serve() / .router(); the documented build_proxy never existed.
    • Drops the "gRPC reflection" descriptor option (the loader warns and ignores it) and the not-yet-implemented query-param claim.
  • Nothing dropped from the spec: features that are config-only today (Shield, auth, OIDC discovery) move to a clearly-labelled Roadmap section, and their config blocks stay in the example tagged [roadmap].

ci: semantic-release → release-plz

  • ci.yml trimmed to the quality-checks job (fmt, clippy, build, test, publish dry-run).
  • New release-plz.yml: release-pr job (opens/updates a release PR with version bump + CHANGELOG) and release job (tag + GitHub release + crates.io publish on merge). Reuses the existing GitHub App token and crates.io OIDC trusted publishing.
  • release-plz.toml pins the tag scheme to v{version} so tag history stays continuous.
  • Removes .releaserc.json.

Release-flow note (sequencing with #18)

This swaps the release mechanism. After merge, releases happen via a release PR instead of auto-on-merge. If #18 (the axum fix) merges before this, semantic-release still cuts 1.0.3 as planned. If this merges first, release-plz will open a release PR for the pending fix instead. Either order is fine; just flagging the behavior change.

Verification

  • README has no em-dashes; both workflow files validate as YAML.
  • No Rust code touched.

Closes #19

polaz added 2 commits June 19, 2026 12:34
- Add version, docs.rs, CI, downloads, and license badges.
- Fix config examples to match the actual schema: upstream.default
  (not .address), descriptors list (not descriptor), listen.http,
  cors.origins, real shield fields.
- Fix Library Usage to the real API (ProxyServer::from_config().serve()
  / .router()); the previous build_proxy function does not exist.
- Drop the "gRPC reflection" descriptor option from docs (the loader
  warns and ignores it) and the unimplemented query-param claim.
- Split Features into what is actually wired vs a Roadmap section, and
  tag the shield/auth/oidc_discovery config blocks as roadmap (parsed
  but not yet enforced) so nothing is dropped from the spec.

Part of #19
- Trim ci.yml to the quality-checks job (fmt, clippy, build, test,
  publish dry-run) that runs on PRs and pushes.
- Add release-plz.yml: a release-pr job that opens/updates a release PR
  (version bump + CHANGELOG from conventional commits) and a release job
  that tags, creates the GitHub release, and publishes to crates.io on
  merge. Reuses the existing GitHub App token and crates.io OIDC
  trusted publishing.
- Add release-plz.toml pinning the tag scheme to v{version} to keep tag
  history continuous with the previous tags.
- Remove .releaserc.json (semantic-release config).

Part of #19
@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: aef24dbf-20cd-4344-ab86-97cf755f0f86

📥 Commits

Reviewing files that changed from the base of the PR and between 10cac1f and 4395380.

📒 Files selected for processing (1)
  • .github/zizmor.yml

📝 Walkthrough

Summary by CodeRabbit

Release Notes

  • Documentation

    • Refreshed README “Features” and “Roadmap,” including updated routing, OpenAPI, health/metrics, CORS/maintenance behavior, and clearer roadmap-only items.
    • Reworked my-service.yaml with new structure for listeners/upstreams, descriptors, maintenance/CORS, Shield rate classes, and roadmap auth/OIDC discovery.
    • Updated Rust library examples to the newer ProxyServer::from_config(...).serve() and .router() usage.
  • Chores

    • Streamlined CI quality checks, improved GitHub Action pinning behavior, and removed the publish dry-run.
    • Added Release-plz automation, adjusted version tag naming, and removed semantic-release configuration.
    • Introduced additional action-pinning enforcement rules.

Walkthrough

Replaces the semantic-release pipeline with release-plz by adding a new GitHub Actions workflow for release PR creation and crates.io OIDC trusted publishing, pins action versions and removes the cargo publish --dry-run step from CI, adds release-plz.toml tag config, establishes action pinning enforcement rules via zizmor and greptile, and rewrites the README to distinguish working features from config-only roadmap items while correcting the YAML schema and library usage examples.

Changes

Release pipeline migration

Layer / File(s) Summary
CI workflow simplification and action pinning
.github/workflows/ci.yml
Renames the workflow from "CI/CD Pipeline" to "CI", pins Swatinem/rust-cache to a commit SHA with an accompanying comment, removes the preceding "Job 1: Quality checks" comment, and deletes the cargo publish --dry-run step from the quality-checks job.
Release-plz workflow and configuration
release-plz.toml, .github/workflows/release-plz.yml
Adds a structured-proxy package entry with v{{ version }} tag naming, and introduces a two-job GitHub Actions workflow: release-pr (opens/updates a version bump PR with CHANGELOG) and release (publishes to crates.io via OIDC trusted publishing using rust-lang/crates-io-auth-action). Both jobs authenticate via GitHub App tokens and are gated to the structured-world owner.
Action pinning enforcement and audit
.github/zizmor.yml, .greptile/config.json
Establishes action pinning policy via Zizmor (ref-pin for trusted publishers, hash-pin for others) and Greptile audit rule (disallows suggesting SHA pinning for trusted publishers in workflow files).

README accuracy and roadmap clarification

Layer / File(s) Summary
Features, roadmap, and config YAML example
README.md
Replaces the Features list with currently working capabilities (REST routing, OpenAPI, streaming, header forwarding, maintenance mode, Prometheus, CORS), moves unimplemented items (rate limiting, JWT, OIDC, auth integrations) to a clearly labeled Roadmap, and rewrites the sample my-service.yaml with corrected schema keys (listen.http, upstream.default, descriptors, service.name, cors.origins, maintenance, endpoint_classes, identifier_endpoints), including a note that [roadmap] blocks are parsed but not yet wired.
Library usage examples, flow steps, and architecture diagram
README.md
Corrects Rust library usage snippets from the nonexistent build_proxy/ProxyConfig API to ProxyServer::from_config(config).serve().await? and ProxyServer::from_config(config).router()?; revises the "How It Works" step list; and updates the architecture diagram to include CORS and maintenance gating in the request path and explicitly mark Shield/Auth as roadmap-only.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main changes: README updates with crates.io badges and corrections, plus CI migration from semantic-release to release-plz.
Description check ✅ Passed The description comprehensively covers all changes: README badge additions, schema corrections, unimplemented features moved to Roadmap, and complete CI pipeline migration details.
Linked Issues check ✅ Passed All three objectives from issue #19 are met: crates.io badges added to README [#19], config schema corrected and unimplemented features moved to Roadmap section [#19], and semantic-release replaced with release-plz workflow [#19].
Out of Scope Changes check ✅ Passed All changes align with issue #19 scope: no product code modified, only documentation, CI configuration, and release tooling setup as specified.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/#19-readme-release-plz

Comment @coderabbitai help to get the list of available commands and usage tips.

@greptile-apps

greptile-apps Bot commented Jun 19, 2026

Copy link
Copy Markdown

Greptile Summary

This is a repo-maintenance PR with no product code changes: it migrates the release pipeline from semantic-release to release-plz and corrects significant stale content in the README.

  • CI migration: The semantic-release and crates-publish jobs are removed from ci.yml; a new release-plz.yml handles release PRs and publishing via the existing GitHub App token and OIDC trusted publishing. Both jobs have owner guards, concurrency groups, and least-privilege app-token scopes. A zizmor.yml and .greptile/config.json codify the action-pinning policy (SHA required for third-party; tag ref acceptable for trusted publishers).
  • README accuracy: Config schema keys (upstream.default, descriptors, listen.http), the library API (ProxyServer::from_config().serve() / .router()), and the architecture diagram are all updated to match the actual code. Unimplemented features (Shield, auth, OIDC) are moved to a clearly-labelled Roadmap section rather than being dropped.

Confidence Score: 5/5

Safe to merge — no product code is touched, previously flagged issues (release job concurrency guard, CORS wildcard example) were resolved in 94fcf05, and the release-plz workflow is well-structured with owner guards and least-privilege tokens.

All changes are CI config, tooling config, and documentation. The release-plz workflow correctly uses concurrency guards on both jobs, app-token least-privilege scopes, OIDC crates.io auth, and a zizmor pinning policy. No logic regressions are possible from these changes.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/ci.yml Removes the semantic-release and crates-publish jobs, retaining only the quality-checks job; pins Swatinem/rust-cache to a SHA per zizmor policy.
.github/workflows/release-plz.yml New release-plz workflow with two jobs (release-pr, release); both have owner guards, concurrency groups, least-privilege app tokens, and OIDC crates.io auth. Previously flagged issues (concurrency guard on release job) have been resolved in 94fcf05.
.github/zizmor.yml Defines action-pinning policy: ref-pin for trusted publishers (actions/, rust-lang/, release-plz/, dtolnay/, etc.), hash-pin for everything else.
README.md Major accuracy overhaul: corrects config schema keys, fixes library API (ProxyConfig/ProxyServer replacing nonexistent build_proxy), moves unimplemented features to a Roadmap section, and adds crates.io ecosystem badges.
release-plz.toml New file pinning the tag scheme to v{version} to keep tag history continuous with the previous semantic-release format.
.greptile/config.json Adds the no-sha-pin-trusted-actions review rule scoped to workflow files, codifying the zizmor policy for Greptile reviews.
.releaserc.json File deleted as part of the semantic-release → release-plz migration.

Reviews (4): Last reviewed commit: "ci: narrow trusted googleapis scope to r..." | Re-trigger Greptile

Comment thread README.md
Comment thread .github/workflows/release-plz.yml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-plz.yml:
- Around line 48-55: The release job is missing concurrency control which allows
multiple release jobs to run concurrently when successive pushes occur to main,
risking tag and publish races. Add a concurrency block to the release job (after
the if: condition) similar to what exists in the release-pr job, using the same
group name and cancel-in-progress setting to ensure only one release process
runs at a time.
- Around line 27-30: The GitHub App token generation steps in the release-plz
workflow are missing explicit permission constraints, causing them to inherit
all permissions granted to the GitHub App installation by default. Add explicit
`permission-*` inputs to both token creation steps to scope permissions to the
minimum required: in the first job (release-pr workflow), add
`permission-contents: write` and `permission-pull-requests: write` to the token
creation step that uses the RELEASER_APP_ID and RELEASER_APP_PRIVATE_KEY
secrets, and in the second job (release workflow), add `permission-contents:
write` to its corresponding token creation step at lines 60-63.
- Line 24: All workflow action references in the release-plz.yml file are using
mutable version tags or branches instead of immutable commit SHAs. Replace each
`uses:` statement that references `create-github-app-token@v3`, `checkout@v6`,
`dtolnay/rust-toolchain@stable`, `release-plz/action@v0.5`, and
`crates-io-auth-action@v1` with their corresponding full commit SHA followed by
a comment indicating the tag (for example:
`actions/checkout@a5ac7e51b41094c153da5fb481531c5d0bd51efb # v6`). You will need
to look up the commit SHA for each action version from their respective releases
or tags and update all 9 occurrences across both the build and publish jobs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: ba7d617c-61bf-4969-b43a-3ee34d532d69

📥 Commits

Reviewing files that changed from the base of the PR and between be5d0ea and f9dfd98.

📒 Files selected for processing (5)
  • .github/workflows/ci.yml
  • .github/workflows/release-plz.yml
  • .releaserc.json
  • README.md
  • release-plz.toml
💤 Files with no reviewable changes (1)
  • .releaserc.json

Comment thread .github/workflows/release-plz.yml
Comment thread .github/workflows/release-plz.yml
Comment thread .github/workflows/release-plz.yml
polaz added 3 commits June 19, 2026 12:40
- README: the `cors.origins: ["*"]` example was misleading. build_cors()
  uses permissive CORS only for an empty list; a non-empty list does
  exact origin matching, so "*" (which browsers never send as Origin)
  would block every cross-origin request. Show `origins: []` for dev
  and an explicit-origins example instead.
- release-plz.yml: add a concurrency guard to the release job so two
  pushes landing together cannot both tag and publish the same version.

Part of #19
- Pin every third-party action to an immutable commit SHA (with a # vN
  comment dependabot keeps fresh) across both workflows. The
  deliberately-rolling dtolnay/rust-toolchain@stable is left as a branch
  ref and is already excluded from dependabot.
- Scope the GitHub App tokens to least privilege: release-pr gets
  contents+pull-requests write, release gets contents write, instead of
  inheriting all installation permissions.

Part of #19
Refine the action-pinning approach: trusted publishers (GitHub-official,
Rust-official, the release tooling we depend on) keep tag/branch refs;
only third-party actions are pinned to a commit SHA. In practice this
un-pins actions/*, release-plz/*, and rust-lang/* back to tags and keeps
only Swatinem/rust-cache on a SHA.

Encode the policy so the reviewers stop flagging trusted-org tag refs:
- .github/zizmor.yml: unpinned-uses policies — ref-pin for the trusted
  orgs, hash-pin for everything else (this is the source of the
  CodeRabbit finding).
- .greptile/config.json: a matching rule scoped to workflow files.

Part of #19

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/zizmor.yml:
- Around line 15-17: The zizmor.yml configuration file currently allows all
googleapis actions to use ref-pin via the pattern googleapis/*, which is overly
broad and conflicts with the security policy documented in .greptile/config.json
that restricts trusted Google actions to googleapis/release-please*. Change the
googleapis/* pattern to googleapis/release-please* to narrow the trusted scope
and align with the documented security boundary, ensuring only the intended
release-please action bypasses hash-pinning while other googleapis actions
remain subject to the default hash-pin requirement.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4ae98d98-94fe-456f-8bfd-0e9e8d2b40f3

📥 Commits

Reviewing files that changed from the base of the PR and between 223a50e and 10cac1f.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .github/workflows/release-plz.yml
  • .github/zizmor.yml
  • .greptile/config.json

Comment thread .github/zizmor.yml Outdated
zizmor.yml trusted googleapis/* broadly while .greptile/config.json only
trusts googleapis/release-please*. Align both: restrict the ref-pin
exemption to release-please so any other googleapis action still falls
under the hash-pin default.

Part of #19
@polaz
polaz merged commit 19bb811 into main Jun 19, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

chore: repo maintenance — crates.io badges, README accuracy, migrate CI to release-plz

1 participant