Fix publishing workflow

.github/workflows/CargoPublish.yml

@@ -1,10 +1,20 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 
-name: Publish crates to intenral cargo registry
+name: Publish crates to crates.io
 
 on:
   workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "Run the release without actually releasing bits"
+        type: boolean
+        default: true
   workflow_call:
+    inputs:
+      dry_run:
+        description: "Run the release without actually releasing bits"
+        type: boolean
+        default: true
 
 permissions:
   contents: read
@@ -14,8 +24,7 @@ jobs:
   publish-hyperlight-packages:
     runs-on: [self-hosted, Linux, X64, "1ES.Pool=hld-kvm-amd"]
 
-    # We should only publish from main if minver contains `-preview`
-    if: ${{ contains(github.ref, 'refs/heads/release/') }} || ${{ github.ref=='refs/heads/main' }}
+    if: ${{ startsWith(github.ref, 'refs/heads/release/v') || inputs.dry_run }}
 
     steps:
       - uses: actions/checkout@v4
@@ -27,47 +36,39 @@ jobs:
         with:
           rust-toolchain: "1.81.0"
 
-      - name: Set up cargo workspaces version
+      - name: Check crate versions
+        shell: bash
         run: |
-          cargo install cargo-workspaces
-          cargo install minver_rs
-          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
-          git config --global user.Name "${{ github.actor }}"
-
-      - name: Set crate versions
-        run: |
-          git fetch --tags || true
-          version=$(MINVER_TAG_PREFIX=v MINVER_AUTO_INCREMENT_LEVEL=Minor MINVER_PRERELEASE_IDENTIFIER=preview minver)
-          echo "Setting version to $version"
-          cargo ws version --force=hyperlight_* --no-git-commit --yes custom $version
-          echo "HYPERLIGHT_VERSION=$version" >> "$GITHUB_ENV"
-
-      - name: Determine if we should publish crates
-        run: |
-          echo "github.ref=${{ github.ref }}"
-          echo "HYPERLIGHT_VERSION=$HYPERLIGHT_VERSION"
-          if [[ ${{ github.ref }} =~ 'refs/heads/release/' || ( ${{ github.ref }} == 'refs/heads/main' &&  $HYPERLIGHT_VERSION =~ '-preview' ) ]]
-          then
-            echo "Setting SHOULD_PUBLISH in GITHUB_ENV"
-            echo "SHOULD_PUBLISH=true" >> "$GITHUB_ENV"
+          if ${{ inputs.dry_run }}; then
+            VERSION=""
+          else
+            VERSION="${{ github.ref }}"
+            VERSION="${VERSION#refs/heads/release/v}"
           fi
-      # `allow-dirty` is needed in the publish below because we are using the `--no-git-commit`
-      # option above to cover the case where no changes are made by cargo ws version because the version
-      # is already correct
-      - name: Publish hyperlight-flatbuffers
-        if: ${{ env.SHOULD_PUBLISH == 'true' }}
-        run: cargo publish --manifest-path ./src/hyperlight_common/Cargo.toml --registry hyperlight_packages --allow-dirty
+          ./dev/verify-version.sh "$VERSION" hyperlight-common hyperlight-guest hyperlight-host
+
+      - name: Publish hyperlight-common
+        continue-on-error: ${{ inputs.dry_run }}
+        run: cargo publish --manifest-path ./src/hyperlight_common/Cargo.toml ${{ inputs.dry_run && '--dry-run' || '' }}
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
 
       - name: Publish hyperlight-guest
-        if: ${{ env.SHOULD_PUBLISH == 'true' }}
-        run: cargo publish --manifest-path ./src/hyperlight_guest/Cargo.toml --registry hyperlight_packages --allow-dirty
+        continue-on-error: ${{ inputs.dry_run }}
+        run: cargo publish --manifest-path ./src/hyperlight_guest/Cargo.toml ${{ inputs.dry_run && '--dry-run' || '' }}
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
 
       - name: Publish hyperlight-host
-        if: ${{ env.SHOULD_PUBLISH == 'true' }}
-        run: cargo publish --manifest-path ./src/hyperlight_host/Cargo.toml --registry hyperlight_packages --allow-dirty
+        continue-on-error: ${{ inputs.dry_run }}
+        run: cargo publish --manifest-path ./src/hyperlight_host/Cargo.toml ${{ inputs.dry_run && '--dry-run' || '' }}
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
 
-        # `--no-verify` is needed because build.rs writes to "include/hyperlight_guest.h", but since we exclude that directory in Cargo.toml, it should be fine.
-        # Cargo does not want you to modify files outside of OUT_DIR
-      - name: Publish hyperlight-guest-capi
-        if: ${{ env.SHOULD_PUBLISH == 'true' }}
-        run: cd ./src/hyperlight_guest_capi && cargo publish --registry hyperlight_packages --no-verify --allow-dirty # cd is required because of https://github.com/rust-lang/cargo/issues/10302
+      # TODO: Do we want to publish hyperlight-guest-capi to crates.io given that it's not for Rust consumption?
+      # - name: Publish hyperlight-guest-capi
+      #   # `--no-verify` is needed because build.rs writes to "include/hyperlight_guest.h", but since we exclude that directory in Cargo.toml, it should be fine.
+      #   # Cargo does not want you to modify files outside of OUT_DIR
+      #   run: cd ./src/hyperlight_guest_capi && cargo publish --no-verify ${{ inputs.dry_run && '--dry-run' || '' }} # cd is required because of https://github.com/rust-lang/cargo/issues/10302
+      #   env:
+      #     CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}

.github/workflows/CreateRelease.yml

@@ -74,6 +74,8 @@ jobs:
   cargo-publish:
     needs: [publish]
     uses: ./.github/workflows/CargoPublish.yml
+    with:
+      dry_run: false
     secrets: inherit
     permissions:
       id-token: write

Cargo.toml

@@ -27,6 +27,10 @@ exclude = [
 version = "0.9.0"
 edition = "2021"
 rust-version = "1.79.0"
+license = "Apache-2.0"
+homepage = "https://github.com/hyperlight-dev/hyperlight"
+repository = "https://github.com/hyperlight-dev/hyperlight"
+readme = "README.md"
 
 [workspace.dependencies]
 mshv-bindings = { version = "=0.2.1" }
@@ -35,7 +39,7 @@ mshv-ioctls = { version = "=0.2.1" }
 hyperlight-common = { path = "src/hyperlight_common", version = "0.9.0", default-features = false }
 hyperlight-host = { path = "src/hyperlight_host", version = "0.9.0", default-features = false }
 hyperlight-guest = { path = "src/hyperlight_guest", version = "0.9.0", default-features = false }
-hyperlight-testing = { path = "src/hyperlight_testing", version = "0.9.0", default-features = false }
+hyperlight-testing = { path = "src/hyperlight_testing", default-features = false }
 
 [workspace.lints.rust]
 unsafe_op_in_unsafe_fn = "deny"

dev/verify-version.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -Eeuo pipefail
+cargo install -q jaq
+
+EXPECTED="$1"
+EXPECTED="${EXPECTED#refs/heads/release/}"
+EXPECTED="${EXPECTED#v}"
+shift
+
+for CRATE in "$@"; do
+    VERSION=$(cargo metadata --format-version=1 2>/dev/null | jaq --raw-output '.packages[] | select(.name == "'$CRATE'").version')
+    if [ "$VERSION" == "$EXPECTED" ] || [ "" == "$EXPECTED" ]; then
+        echo -e " \u001b[1;32m✓\u001b[0m Crate \u001b[1m$CRATE\u001b[0m version is \u001b[1m$VERSION\u001b[0m"
+    else
+        echo -e " \u001b[1;31m✗\u001b[0m Crate \u001b[1m$CRATE\u001b[0m version is \u001b[1m$VERSION\u001b[0m, expected \u001b[1m$EXPECTED\u001b[0m"
+        exit 1
+    fi
+done

docs/how-to-make-releases.md

@@ -1,6 +1,6 @@
 # Releasing a new Hyperlight version to Cargo
 
-This document details the process of releasing a new version of Hyperlight to the [Azure-internal Cargo feeds](https://dev.azure.com/AzureContainerUpstream/hyperlight/_artifacts/feed/hyperlight_packages). It's intended to be used as a checklist for the developer doing the release. The checklist is represented in the below sections.
+This document details the process of releasing a new version of Hyperlight to [crates.io](https://crates.io). It's intended to be used as a checklist for the developer doing the release. The checklist is represented in the below sections.
 
 ## Update Cargo.toml Versions
 

src/hyperlight_common/Cargo.toml

@@ -3,6 +3,13 @@ name = "hyperlight-common"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+readme.workspace = true
+description = """
+Hyperlight's components common to host and guest.
+"""
 
 [lints]
 workspace = true

src/hyperlight_guest/Cargo.toml

@@ -4,6 +4,13 @@ links = "c"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+readme.workspace = true
+description = """
+Library to build guest applications for hyperlight.
+"""
 
 [features]
 default = ["libc", "printf", "alloca"]

src/hyperlight_host/Cargo.toml

@@ -3,6 +3,14 @@ name = "hyperlight-host"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+readme.workspace = true
+description = """
+A lightweight Virtual Machine Manager that can be hosted in an application to safely
+run untrusted or code within a VM partition with very low latency and overhead.
+"""
 
 [lib]
 # https://docs.rust-embedded.org/book/interoperability/rust-with-c.html

src/hyperlight_testing/Cargo.toml

@@ -1,6 +1,5 @@
 [package]
 name = "hyperlight-testing"
-version.workspace = true
 edition = "2021"
 
 [dependencies]