Release Process
token-privilege uses automated release tooling to minimize manual steps and ensure consistency.
Overview
Releases are managed by release-plz, which automates version bumping, changelog generation, and crate publishing. The process is driven by conventional commits on the main branch.
Conventional Commits
All commits must follow the conventional commits format:
<type>(<scope>): <description>
Types
| Type | Purpose | Version Bump |
|---|---|---|
| feat | New feature | Minor |
| fix | Bug fix | Patch |
| refactor | Code restructuring | Patch |
| docs | Documentation changes | None |
| test | Test additions or changes | None |
| chore | Maintenance tasks | None |
| perf | Performance improvements | Patch |
| ci | CI configuration changes | None |
Scopes
| Scope | When to Use |
|---|---|
| lib | Public API in lib.rs |
| api | API surface changes |
| error | Error type changes |
| elevation | Elevation detection logic |
| privilege | Privilege query logic |
| privileges | Privilege constants module |
| ffi | FFI boundary (unsafe code) |
| safety | Safety invariant changes |
| security | Security-related changes |
| docs | Documentation |
| book | mdBook documentation |
| tests | Test changes |
| ci | CI workflows |
| deps | Dependency updates |
| release | Release-related changes |
Special Rules
- Changes touching unsafe code must use the ffi or safety scope and include the safety invariant in the commit body.
- Cross-platform behavior changes must note the impact on Windows vs. non-Windows in the commit body.
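The commit rules above, as an added example (not code from the token-privilege repository): a Rust lint that checks one commit message against the type and scope tables, returns the version bump from the Types table, and enforces the unsafe-code rule. The touches_unsafe flag and the "SAFETY:" body marker are assumptions of this example; breaking-change markers are not handled because the tables above do not list them.

```rust
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Bump { None, Patch, Minor }

const SCOPES: [&str; 15] = ["lib", "api", "error", "elevation", "privilege", "privileges",
    "ffi", "safety", "security", "docs", "book", "tests", "ci", "deps", "release"];

/// Returns the version bump for a valid message, or the reason it is rejected.
/// `touches_unsafe` is supplied by the caller (hypothetical: e.g. from scanning the diff).
pub fn lint(msg: &str, touches_unsafe: bool) -> Result<Bump, String> {
    let (header, body) = match msg.split_once('\n') {
        Some((h, b)) => (h.trim_end(), b.trim()),
        None => (msg.trim_end(), ""),
    };
    // Header shape: <type>(<scope>): <description>
    let (prefix, desc) = header.split_once(": ").ok_or("header lacks ': ' separator")?;
    let (ty, rest) = prefix.split_once('(').ok_or("missing (<scope>)")?;
    let scope = rest.strip_suffix(')').ok_or("scope not closed with ')'")?;
    if desc.trim().is_empty() { return Err("empty description".into()); }
    let bump = match ty {
        "feat" => Bump::Minor,
        "fix" | "refactor" | "perf" => Bump::Patch,
        "docs" | "test" | "chore" | "ci" => Bump::None,
        other => return Err(format!("unknown type '{other}'")),
    };
    if !SCOPES.contains(&scope) { return Err(format!("unknown scope '{scope}'")); }
    if touches_unsafe {
        if scope != "ffi" && scope != "safety" {
            return Err("unsafe change must use scope ffi or safety".into());
        }
        // Assumed convention: the invariant sits on a body line starting "SAFETY:".
        if !body.lines().any(|l| l.trim_start().starts_with("SAFETY:")) {
            return Err("unsafe change needs a SAFETY: line in the body".into());
        }
    }
    Ok(bump)
}

fn main() {
    // Constructed sample messages, not taken from the project's history.
    let samples = [
        ("feat(privilege): add lookup helper", false),
        ("fix(lib): tidy handle wrapper", true),
        ("fix(ffi): check return code\n\nSAFETY: handle stays valid until closed.", true),
    ];
    for (m, u) in samples { println!("{:?}", lint(m, u)); }
}
```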
Automated Release Flow
1. Push to main
When commits land on the main branch (via merged PR or direct push), release-plz runs two jobs:
2. Release PR
The release-plz-pr job analyzes commits since the last release, determines the appropriate version bump based on conventional commit types, and opens (or updates) a release PR. The PR contains:
- Updated version in Cargo.toml
- Generated changelog entries from commit messages
3. Release
The release-plz-release job detects when the version in Cargo.toml has been bumped and:
- Creates a GitHub release with the changelog
- Publishes the crate to crates.io
CI Pipeline
Every change goes through the following CI stages before it can be merged:
- Quality – rustfmt check and Clippy with -D warnings.
- Test – cargo nextest run on Ubuntu.
- Cross-platform – tests on Linux, macOS, and Windows.
- Coverage – cargo-llvm-cov with Codecov upload.
- Audit – cargo audit for known vulnerabilities.
All checks must pass before a PR can be merged.
Local Release Commands
For local testing and verification:
| Command | Description |
|---|---|
| just release-dry-run | Simulate a release without publishing. |
| just release | Perform the release (requires credentials). |
| just release-patch | Release a patch version. |
| just release-minor | Release a minor version. |
| just release-major | Release a major version. |
| just changelog | Generate the full changelog. |
| just changelog-unreleased | Generate changelog for unreleased changes. |
Changelog
The changelog is generated by git-cliff from conventional commit messages. Configuration is in cliff.toml.
To regenerate the changelog locally:
just changelog
To generate a changelog for a specific version:
just changelog-version v0.2.0