Use crates.io Trusted publishing to publish releases to crates.io

[jschwe]

Depends on #676 and #677

See the official crates.io trusted publishing documentation.

This requires a crates.io owner of mozjs to allow trusted-publishing!

Configure your crate on crates.io:
Go to your crate's Settings → Trusted Publishing
Click the "Add" button and select your platform (GitHub or GitLab)
Fill in the platform-specific fields and save the configuration

Todo:

• handle releasing only mozjs, if mozjs changed, but mozjs-sys didn't

[jschwe]

I can see how it could be useful (to not forget bump if one wants to use this in servo), but also not if we want to land multiple PRs (in short span of time) and not release version for each one (I am worried we will spam to many version - and our crates are big).

Let's continue the discussion from #677 here. If we switch to consistently using crates.io releases, then technically we don't need to build and release a prebuilt version of mozjs-sys for every commit on main, but just for every published release.
So we could tag and release on-demand if wanted. Practically, we probably still want to release often, due to the tight coupling of servo and mozjs(-sys).
Maybe we could parse the commit message and skip publishing if we match some regex that lets us skip the release? That would allow us to default to releasing, and skipping if we know we will be merging multiple related PRs quickly after each other.

I've been wondering about the versioning too - perhaps we should just use a workspace version (following the spidermonkey version, as we already do for mozjs-sys), and not version mozjs independently? That would make version bumps simpler, and we could always just release both libraries. It would be a bit wasteful (in terms of crates.io space usage) if mozjs-sys didn't actually change though.

[sagudev]

cargo publish does nothing (it does not even build) if version number does not change, so maybe we can just remove if guard and let publish happen on any version bump (this should also handle bumping just mozjs).

[jschwe]

I just checked and cargo publish will exit with 101 when trying to publish an already published version.
I pushed a commit which uses grep to check the error message, and will keep the pipeline greep if the failure is due to the release already existing.

[sagudev]

Let's continue the discussion from #677 here. If we switch to consistently using crates.io releases, then technically we don't need to build and release a prebuilt version of mozjs-sys for every commit on main, but just for every published release.
So we could tag and release on-demand if wanted. Practically, we probably still want to release often, due to the tight coupling of servo and mozjs(-sys).

That's what we are actually already doing. New releases are not created per commit, but per mozjs-sys bumps (which are enforced by CI due to artifacts).

Maybe we could parse the commit message and skip publishing if we match some regex that lets us skip the release? That would allow us to default to releasing, and skipping if we know we will be merging multiple related PRs quickly after each other.

I've been wondering about the versioning too - perhaps we should just use a workspace version (following the spidermonkey version, as we already do for mozjs-sys), and not version mozjs independently? That would make version bumps simpler, and we could always just release both libraries. It would be a bit wasteful (in terms of crates.io space usage) if mozjs-sys didn't actually change though.

I give this more though and if think current rules are good enough (CI enforced bumps of mozjs-sys) and manually handled bumps of mozjs. Alternatively we could enforce bumps of mozjs too, but they should remain independent of mozjs-sys. Although common versioning schema does sound nice, if would allow independent releases of mozjs.