Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Reproducible builds and releases

The repository commits Cargo.lock and treats it as part of the source and release contract. Cargo commands that build, test, document, package, or install pinto must use --locked; an intentional dependency update is made with cargo update, followed by review of the lockfile diff.

Toolchain roles

Development and release commands use Rust 1.97.0, pinned in mise.toml. Cargo.toml continues to declare Rust 1.89 as the minimum supported version. CI keeps the responsibilities separate:

JobToolchainScope
msrvRust 1.89.0Default and all-feature build/test compatibility
checkPinned Rust 1.97.0Full mise run check quality gate on each primary OS
current-stableLatest stable channelForward-compatibility test suite with all features
releasePinned Rust 1.97.0Release build, package, and source-install verification

The all-feature MSRV checks and the pinned quality gate intentionally cover different support contracts. The latest-stable job does only the forward compatibility probe, so a moving toolchain does not define release artifacts.

Clean-checkout verification

From a clean checkout, install the pinned tools and run the same gates used by CI:

mise install
mise run check
cargo build --release --all-features --locked
cargo package --all-features --locked
cargo install --path . --locked --root "$PWD/.tmp/pinto"

mise run release-check adds coverage, dependency audit, dependency policy, and the release build/package tasks to the quality gate.

Allowlisted package contents

The crate manifest uses root-anchored package.include entries for the manifest, source, locale resources, README, license, and the rank benchmark example. This allowlisted package excludes repository-only data such as .pinto, demos, tests, docs, and CI metadata.

Run ./scripts/verify-package.sh or mise run release-package to run cargo package --all-features --locked, compare the package file list with the committed release/package-files.txt, and run tests against the extracted packaged crate. A deliberate runtime-file addition must update the allowlist and its file-list baseline together. CI also runs cargo install --path . --locked from the clean checkout as the source-install check.

Publishing a release

For each release, update the package version in Cargo.toml and both committed lockfiles, move the relevant entries into a dated CHANGELOG.md heading, and update the published-version installation examples. For a breaking change while pinto remains in the 0.x series, increment the minor version as the 0.2.0 CLI rename demonstrates. Before publishing, run the complete local release gate and verify the package without uploading it:

mise run release-check
cargo publish --dry-run --all-features --locked

After the release commit has passed CI and has been fast-forwarded to main, create the repository’s version tag and push it together with main. Publish the same locked package to crates.io only after the tag points at that commit:

git tag 0.2.0
git push origin main 0.2.0
cargo publish --all-features --locked