@@ -24,10 +24,10 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
2424
2525- ** build.yml** : main CI pipeline - plan, pre-commit, cargo-deny, Rust tests, Python tests,
2626 wheel builds, artifact uploads, release asset uploads, Trusted Publishing to PyPI and crates.io,
27- release attestations, registry verification, release checksum publication, and final GitHub
28- release publication and attestation verification. Uses Depot 8-core runners for Linux and Windows
29- builds. Includes a plan step that skips builds on docs-only changes and skips Rust tests on
30- Python-only changes.
27+ release preflights, release attestations, registry verification, release checksum publication,
28+ final release asset verification, and final GitHub release publication and attestation
29+ verification. Uses Depot 8-core runners for Linux and Windows builds. Includes a plan step that
30+ skips builds on docs-only changes and skips Rust tests on Python-only changes.
3131- ** build-v2.yml** : CI pipeline for the v2 Rust-native system. Runs Linux builds on the self-hosted ` build-v2 ` pool.
3232- ** build-docs.yml** : dispatches documentation build on ` master ` and ` nightly ` pushes.
3333- ** cli-binaries.yml** : builds and publishes CLI binaries for multiple platforms.
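Review bot: the new "release preflights" and "final release asset verification" phrases in the build.yml entry (lines 27-28 of the new text) name stages without saying which job performs them or what they check, unlike the rest of this list, which names jobs such as `publish-release-integrity` and `publish-github-release`. Consider stating what the preflights gate on (for example, that the tag, version and draft release are consistent before any publish step runs) and naming the job that does the final asset verification, so a reader can find it in the workflow.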
@@ -108,17 +108,18 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
108108 OIDC trusted publishing. The trusted publisher on crates.io must be configured per crate for
109109 repo ` nautechsystems/nautilus_trader ` , workflow ` build.yml ` , and environment ` release ` ; the
110110 job uses a short-lived token from ` rust-lang/crates-io-auth-action ` and no long-lived cargo token.
111- - ** Post-publish verification** : ` publish-release-integrity ` verifies PyPI files against
112- ` dist-manifest.json ` , verifies PyPI provenance publisher metadata, and verifies crates.io entries
113- were trusted-published by this repository. These verifier calls retry transient
114- Sigstore/Rekor/TUF lag, while provenance and identity mismatches fail fast. The job records
115- whether each crate matches the release commit, was already published, or matched an explicit
116- ` CRATES_IO_MANUAL_PUBLISH_EXCEPTIONS ` ` crate@version ` entry for emergency token-publish
117- recovery. Manual entries are recorded in ` crates-manifest.json ` with
111+ - ** Post-publish verification** : ` publish-release-integrity ` generates the release manifest, then
112+ verifies PyPI files against ` dist-manifest.json ` , verifies PyPI provenance publisher metadata, and
113+ verifies crates.io entries were trusted-published by this repository before attaching checksum
114+ assets to the draft release. These verifier calls retry transient Sigstore/Rekor/TUF lag, while
115+ provenance and identity mismatches fail fast. The job records whether each crate matches the
116+ release commit, was already published, or matched an explicit
117+ ` CRATES_IO_MANUAL_PUBLISH_EXCEPTIONS ` ` crate@version ` entry for emergency token-publish recovery.
118+ Manual entries are recorded in ` crates-manifest.json ` with
118119 ` release_status: "manual_token_publish" ` . Malformed or unused exception entries fail the job. The
119120 job uploads ` crates-manifest.json ` , attaches attestation siblings, and cleans up release workflow
120- artifacts. ` publish-github-release ` then publishes the draft release and verifies GitHub's
121- release attestation.
121+ artifacts. ` publish-github-release ` verifies the final draft asset set, publishes the draft
122+ release, and verifies GitHub's release attestation.
122123- ** Caching** : Rust target directory cache (` Swatinem/rust-cache ` ), prek hook environments, and test
123124 data caches speed up workflows while preserving hermetic builds. Rust cache saves are restricted
124125 to push events to prevent PR cache pollution.
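Review bot: "generates the release manifest, then verifies PyPI files against `dist-manifest.json`" leaves it ambiguous whether "the release manifest" is `dist-manifest.json` itself, `crates-manifest.json`, or a third file; since this is the document of record for the trust chain, name the file explicitly. Likewise, "verifies the final draft asset set" in the `publish-github-release` sentence should say what the set is verified against (the manifest, the checksum assets, the attestation siblings) and what happens on a missing or unexpected asset, in the same style as "Malformed or unused exception entries fail the job."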