@@ -28,20 +28,20 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
2828 release publication and attestation verification. Uses Depot 8-core runners for Linux and Windows
2929 builds. Includes a plan step that skips builds on docs-only changes and skips Rust tests on
3030 Python-only changes.
31- - ** build-v2.yml** : CI pipeline for the v2 Rust-native system. Uses Depot 8-core runners for Linux builds .
31+ - ** build-v2.yml** : CI pipeline for the v2 Rust-native system. Runs Linux builds on the self-hosted ` build-v2 ` pool .
3232- ** build-docs.yml** : dispatches documentation build on ` master ` and ` nightly ` pushes.
3333- ** cli-binaries.yml** : builds and publishes CLI binaries for multiple platforms.
3434- ** codeql-analysis.yml** : CodeQL security scans for Python and Rust on PRs to ` master ` , pushes to
3535 ` nightly ` , and manual dispatch.
36- - ** copilot-setup-steps.yml** : environment setup for GitHub Copilot coding agent.
3736- ** coverage.yml** : coverage report generation, currently paused and runs only on ` workflow_dispatch ` .
3837- ** docker.yml** : builds and pushes multi-platform Docker images (` nautilus_trader ` , ` jupyterlab ` )
3938 using Buildx and native ARM runners.
4039- ** nightly-docs-features-check.yml** : nightly docs.rs build checks and crate feature compatibility verification.
4140- ** nightly-merge.yml** : auto-merges ` develop ` into ` nightly ` when CI succeeds.
42- - ** nightly-tests.yml** : extended test suites too slow for PR builds - turmoil network tests plus
43- macOS, Windows, and Linux ARM build-and-test jobs that run daily at 12:00 UTC to give early
44- visibility on develop before ` nightly-merge ` at 14:00 UTC.
41+ - ** nightly-tests.yml** : extended test suites too slow for PR builds - turmoil network tests,
42+ macOS, Windows, and Linux ARM build-and-test jobs, plus final Cargo publish-plan and dry-run
43+ checks that run daily at 12:00 UTC to give early visibility on develop before ` nightly-merge `
44+ at 14:00 UTC.
4545- ** performance.yml** : Rust/Python benchmarks on ` nightly ` , reporting to CodSpeed.
4646- ** security-audit.yml** : nightly supply chain security checks (cargo-audit, cargo-deny,
4747 cargo-vet, pip-audit, osv-scanner, and Zizmor).
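Review bot: The rewritten build-v2.yml bullet (new line 31) names the self-hosted `build-v2` pool but does not say which events can schedule jobs on it or whether the runners are ephemeral. This list is where readers learn the runner setup, so add a clause stating whether pull requests from forks can reach the pool and how runner state is reset between jobs. Separately, in the nightly-tests.yml bullet (new lines 41-44) the clause "that run daily at 12:00 UTC" now reads as applying only to the publish-plan and dry-run checks; moving the schedule into its own sentence would keep it attached to the whole workflow.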
@@ -109,11 +109,16 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
109109 repo ` nautechsystems/nautilus_trader ` , workflow ` build.yml ` , and environment ` release ` ; the
110110 job uses a short-lived token from ` rust-lang/crates-io-auth-action ` and no long-lived cargo token.
111111- ** Post-publish verification** : ` publish-release-integrity ` verifies PyPI files against
112- ` dist-manifest.json ` , verifies PyPI provenance publisher metadata, verifies crates.io entries
113- were trusted-published by this repository, records whether each crate matches the release commit
114- or was already published, uploads ` crates-manifest.json ` , attaches attestation siblings, and
115- cleans up release workflow artifacts. ` publish-github-release ` then publishes the draft release
116- and verifies GitHub's release attestation.
112+ ` dist-manifest.json ` , verifies PyPI provenance publisher metadata, and verifies crates.io entries
113+ were trusted-published by this repository. These verifier calls retry transient
114+ Sigstore/Rekor/TUF lag, while provenance and identity mismatches fail fast. The job records
115+ whether each crate matches the release commit, was already published, or matched an explicit
116+ ` CRATES_IO_MANUAL_PUBLISH_EXCEPTIONS ` ` crate@version ` entry for emergency token-publish
117+ recovery. Manual entries are recorded in ` crates-manifest.json ` with
118+ ` release_status: "manual_token_publish" ` . Malformed or unused exception entries fail the job. The
119+ job uploads ` crates-manifest.json ` , attaches attestation siblings, and cleans up release workflow
120+ artifacts. ` publish-github-release ` then publishes the draft release and verifies GitHub's
121+ release attestation.
117122- ** Caching** : Rust target directory cache (` Swatinem/rust-cache ` ), prek hook environments, and test
118123 data caches speed up workflows while preserving hermetic builds. Rust cache saves are restricted
119124 to push events to prevent PR cache pollution.
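Review bot: The `CRATES_IO_MANUAL_PUBLISH_EXCEPTIONS` text (new lines 115-118) documents a path by which a token-published crate is accepted by `publish-release-integrity`, but it does not say where the value is defined or who can change it. State whether it is a repository variable, a variable scoped to the `release` environment, or a workflow input, and what review an entry requires, since a `crate@version` entry relaxes the trusted-published check described at new line 112. The retry sentence at new lines 113-114 should also name the retry bound, so readers know how long Sigstore/Rekor/TUF lag is tolerated before the job fails.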