fix(release): add release preflight checks

[antidmg]

Summary

Add two safeguards so release-only failures get caught before we cut a tag.

What changed

• Add a Release Preflight job to CI that runs nix build .#statespace .#statespace-musl
• Add just release-safe <level> to dry-run the release workflow on main, watch it to completion, and only then run the real release
• Harden just release / release-safe so they fail on common bad states instead of retriggering the wrong tag

Why

We hit a release-only Nix packaging failure that normal CI did not cover, and the existing release recipe could also retrigger the previous tag if cargo release exited before creating a new tag.

These changes make the safer path the obvious one:

just release-safe patch

Validation

• just --show release-safe
• Pre-commit checks passed during commit (cargo fmt, cargo clippy)
• The release dry-run on main previously passed after the Nix filter fix

Summary by CodeRabbit

• Chores
  • Enhanced CI pipeline with automated build verification checks.
  • Improved release process with safety gates to prevent accidental releases and ensure branch synchronization before deployment.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This pull request introduces two release-related additions: a new CI job to preflight-build Nix packages, and a new recipe that validates repository state and runs a dry-run release workflow before executing the actual release.

Changes

Cohort / File(s)	Summary
CI Job Addition .github/workflows/test.yml	Added release-preflight job that checks out the repository, sets up a Nix environment, and builds both .#statespace and .#statespace-musl packages on Ubuntu.
Release Workflow Recipe justfile	Added release-safe recipe that validates a clean working tree, enforces execution from the main branch, verifies local HEAD matches origin/main, triggers a dry-run of the release workflow via workflow_dispatch, polls for run completion, checks if main advanced during the dry-run, and conditionally executes the actual release.

Sequence Diagram

sequenceDiagram
    participant Developer
    participant Git
    participant "GitHub Actions API"
    participant "gh CLI"

    Developer->>Git: just release-safe <level>
    Git->>Git: Validate clean working tree
    Git->>Git: Verify on main branch
    Git->>Git: Check HEAD == origin/main
    Developer->>Developer: Trigger workflow_dispatch
    Developer->>"GitHub Actions API": Dispatch release.yml<br/>with tag=dry-run
    "GitHub Actions API"-->>Developer: Workflow run initiated
    Developer->>"gh CLI": Poll for new run<br/>(matching HEAD)
    "gh CLI"-->>"GitHub Actions API": Query run status
    Developer->>"gh CLI": gh run watch<br/>--exit-status
    "gh CLI"-->>"GitHub Actions API": Monitor until completion
    "GitHub Actions API"-->>Developer: Run complete
    Developer->>Git: Fetch origin/main
    Git->>Git: Verify main didn't advance
    alt main advanced during dry-run
        Developer->>Developer: Abort
    else main unchanged
        Developer->>Developer: Execute just release {{level}}
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main changes: adding release preflight checks as safeguards to catch release-only failures before tagging.
Description check	✅ Passed	The description is well-structured with Summary, What changed, Why, and Validation sections; however, it omits the Testing and Checklist sections from the template.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/release-preflight

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}