feat: add WASIX extension assets and release workflows

Move the repository to source-controlled asset inputs with CI-generated release payloads. Keep asset and AOT crates as source-only templates, stage portable assets under crates/assets/payload during release, and remove committed runtime/AOT blobs from git.

Centralize artifact download/install in xtask, add a maintainer-only LLVM AOT serializer path, tighten dependency invariants, and split source-only validation from runtime validation.

Remove obsolete spike workspaces now that production WASIX build inputs live under assets/wasix-build.

Author: f0rr0

.github/actions/setup-rust-tools/action.yml

@@ -0,0 +1,50 @@
+name: Setup Rust Tools
+description: Install the pinned Rust toolchain, cache Cargo output, and install optional Cargo tools.
+
+inputs:
+  toolchain:
+    description: Rust toolchain version.
+    required: false
+    default: "1.92"
+  components:
+    description: Comma-separated Rust components.
+    required: false
+    default: ""
+  cache:
+    description: Whether to enable the Cargo cache.
+    required: false
+    default: "true"
+  cache-workspaces:
+    description: Workspace mapping for Swatinem/rust-cache.
+    required: false
+    default: ". -> target"
+  cache-save-if:
+    description: Expression string passed to Swatinem/rust-cache save-if.
+    required: false
+    default: "false"
+  tools:
+    description: Comma-separated tools for taiki-e/install-action.
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - name: Install Rust toolchain
+      uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
+      with:
+        toolchain: ${{ inputs.toolchain }}
+        components: ${{ inputs.components }}
+
+    - name: Cache Cargo output
+      if: ${{ inputs.cache == 'true' }}
+      uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32
+      with:
+        workspaces: ${{ inputs.cache-workspaces }}
+        save-if: ${{ inputs.cache-save-if }}
+
+    - name: Install Cargo tools
+      if: ${{ inputs.tools != '' }}
+      uses: taiki-e/install-action@1f2425cdb59f8fffb99ee16a5968edf6f57a2b93
+      with:
+        tool: ${{ inputs.tools }}

.github/pull_request_template.md

@@ -4,9 +4,13 @@
 
 - [ ] Package/API/runtime change: PR title uses `feat:`, `fix:`, `perf:`, `refactor:`, `revert:`, or a breaking `!`.
 - [ ] Docs/CI/repository-only change: no release intended.
+- [ ] Asset/source-spine change: source pins/fingerprints are current and the Assets workflow will generate/test release artifacts.
 
 ## Verification
 
-- [ ] `scripts/validate.sh ci`
-- [ ] `scripts/validate.sh release`
+- [ ] `scripts/validate.sh repo`
+- [ ] `scripts/validate.sh artifacts`
+- [ ] `scripts/validate.sh lint`
+- [ ] `scripts/validate.sh test`
+- [ ] `scripts/validate.sh package` when published package contents changed
 - [ ] `cargo deny check`

.github/scripts/check-release-changelog.sh

@@ -99,7 +99,7 @@ EOF
   exit 1
 fi
 
-expected_unreleased="[Unreleased]: https://github.com/f0rr0/pglite-oxide/compare/pglite-oxide-v${package_version}...HEAD"
+expected_unreleased="[Unreleased]: https://github.com/f0rr0/pglite-oxide/compare/${package_version}...HEAD"
 
 if ! grep -Fxq "${expected_unreleased}" CHANGELOG.md; then
   cat >&2 <<EOF

.github/scripts/check-release-intent.sh

@@ -67,7 +67,14 @@ if [[ -z "${base_versions}" || -z "${head_versions}" ]]; then
   exit 1
 fi
 
-if [[ "${base_versions}" != "${head_versions}" && "${is_release_pr}" != true ]]; then
+changed_existing_versions="$(
+  join -t $'\t' \
+    <(printf '%s\n' "${base_versions}" | sed 's/=/\t/' | sort -t $'\t' -k1,1) \
+    <(printf '%s\n' "${head_versions}" | sed 's/=/\t/' | sort -t $'\t' -k1,1) |
+    awk -F '\t' '$2 != $3 { print $1 "=" $2 " -> " $3 }'
+)"
+
+if [[ -n "${changed_existing_versions}" && "${is_release_pr}" != true ]]; then
   cat >&2 <<EOF
 This PR changes one or more workspace package versions.
 
@@ -86,6 +93,9 @@ ${base_versions}
 
 Head package versions:
 ${head_versions}
+
+Changed existing package versions:
+${changed_existing_versions}
 EOF
   exit 1
 fi
@@ -94,7 +104,7 @@ while IFS= read -r file; do
   [[ -z "${file}" ]] && continue
 
   case "${file}" in
-    Cargo.toml | Cargo.lock | build.rs | src/* | assets/* | crates/* | xtask/* | examples/* | benches/*)
+    Cargo.toml | build.rs | src/* | crates/*)
       affected_files+=("${file}")
       ;;
   esac
@@ -125,8 +135,9 @@ Breaking changes may use any type with !, for example:
 release-plz PRs are exempt only when their branch starts with release-plz- and
 their title starts with chore(release):.
 
-Docs, CI, issue-template, and repository-only changes can keep non-release types
-such as docs:, ci:, chore:, style:, or test: when they do not touch package code.
+Docs, CI, tests, examples, xtask-only maintenance, source-checkout scripts, and
+other repository-only changes can keep non-release types such as docs:, ci:,
+chore:, style:, or test: when they do not touch published package code.
 
 Received:
   ${subject}

.github/scripts/download-aot-artifacts.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITHUB_SHA:?GITHUB_SHA is required}"
+: "${GITHUB_TOKEN:?GITHUB_TOKEN is required}"
+
+cargo run -p xtask -- assets download --sha "$GITHUB_SHA" --all-targets

.github/scripts/require-workflow-success.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+workflow="${1:?usage: require-workflow-success.sh <workflow> <sha> [timeout-seconds]}"
+sha="${2:?usage: require-workflow-success.sh <workflow> <sha> [timeout-seconds]}"
+timeout="${3:-7200}"
+
+: "${GH_TOKEN:?GH_TOKEN is required}"
+: "${GH_REPO:?GH_REPO is required}"
+
+deadline=$((SECONDS + timeout))
+while true; do
+  runs="$(gh run list \
+    --workflow "$workflow" \
+    --commit "$sha" \
+    --limit 10 \
+    --json databaseId,status,conclusion,url \
+    --jq '.[] | [.databaseId, .status, (.conclusion // ""), .url] | @tsv')"
+  if [ -n "$runs" ]; then
+    echo "$runs"
+    if echo "$runs" | awk -F '\t' '$2 == "completed" && $3 == "success" { found=1 } END { exit found ? 0 : 1 }'; then
+      exit 0
+    fi
+    if echo "$runs" | awk -F '\t' '$2 == "completed" && $3 != "success" { failed=1 } END { exit failed ? 0 : 1 }'; then
+      echo "$workflow failed for $sha" >&2
+      exit 1
+    fi
+  else
+    echo "waiting for $workflow workflow for $sha"
+  fi
+  if [ "$SECONDS" -ge "$deadline" ]; then
+    echo "timed out waiting for successful $workflow workflow for $sha" >&2
+    exit 1
+  fi
+  sleep 60
+done