ci: add Rust release workflow targeting GitHub Release assets

[jd]

Starts distributing the static Rust binary alongside the existing
PyPI wheel. Both pipelines run on every published GitHub Release
until the Phase 1.6 channel switch makes the binary the sole
install path.

What ships per release

Seven targets as GitHub Release assets, plus matching
.sha256 checksum files:

• x86_64-unknown-linux-gnu (glibc)
• x86_64-unknown-linux-musl (static)
• aarch64-unknown-linux-gnu (glibc, ARM server)
• aarch64-unknown-linux-musl (static, ARM server)
• x86_64-apple-darwin (Intel macOS, signed + notarized)
• aarch64-apple-darwin (Apple Silicon, signed + notarized)
• x86_64-pc-windows-msvc (Windows)

Archives use the mergify-<tag>-<target>.tar.gz / .zip
naming convention. Linux and Windows builds go through
taiki-e/upload-rust-binary-action which handles
cross-compilation via cross automatically. macOS builds run
natively on Apple Silicon runners with an explicit pipeline
because of the signing + notarization steps.

macOS signing / notarization

The macOS job imports a Developer ID Application certificate into
a throwaway keychain, codesigns the binary with the hardened
runtime + timestamp, then submits it to Apple's notarytool
service. Stapling isn't possible on a bare Mach-O; online
Gatekeeper checks approve notarized binaries on first run.

Required GitHub Actions secrets (all six must be set before the
next release):

APPLE_CERTIFICATE base64 of the .p12 Developer ID cert
APPLE_CERTIFICATE_PASSWORD password set when exporting the .p12
APPLE_SIGNING_IDENTITY "Developer ID Application: Mergify SAS (TEAMID)"
APPLE_API_KEY base64 of the App Store Connect .p8 API key
APPLE_API_KEY_ID 10-char key ID from App Store Connect
APPLE_API_KEY_ISSUER issuer UUID from App Store Connect

Install story today

Users grab a binary from the releases page:
https://github.com/Mergifyio/mergify-cli/releases/latest.
A curl | sh installer script + Homebrew tap land in separate
follow-up PRs once we've seen the first binary release succeed.

Parallel with PyPI

release.yml (existing) keeps publishing to PyPI unchanged.
Both workflows key off the same release: published event.
The Phase 1.6 channel switch is the user-coordinated moment where
we stop publishing to PyPI and direct users to the binary.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

Depends-On: #1296

[jd]

This pull request is part of a Mergify stack:

#	Pull Request	Link
1	feat(rust): add mergify-core foundation types (Phase 1.2a)	#1280
2	feat(rust): add mergify-core::http with retry + typed errors (Phase 1.2b)	#1281
3	feat(rust): port config validate to native Rust (Phase 1.3)	#1282
4	test: add port-inventory guard to catch un-ported Python commands	#1296
5	ci: add Rust release workflow targeting GitHub Release assets	#1297	👈
6	feat(rust): port config simulate to native Rust (Phase 1.3b)	#1298
7	feat(rust): port ci scopes-send to native Rust (Phase 1.4)	#1300
8	feat(rust): port queue pause and unpause to native Rust (Phase 1.5)	#1301
9	feat(rust): port ci git-refs and ci queue-info to native Rust (Phase 1.6)	#1302

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🔴 ⛓️ Depends-On Requirements

Waiting for:

• depends-on = Mergifyio/mergify-cli#1296 [⛓️ test: add port-inventory guard to catch un-ported Python commands #1296 (queued)]

This rule is failing.

Requirement based on the presence of Depends-On in the body of the pull request

• depends-on = Mergifyio/mergify-cli#1296 [⛓️ test: add port-inventory guard to catch un-ported Python commands #1296 (queued)]

🔴 👀 Review Requirements

Waiting for:

• #approved-reviews-by>=2

This rule is failing.

• any of:
  • #approved-reviews-by>=2
  • author = dependabot[bot]
  • author = mergify-ci-bot
  • author = renovate[bot]

🔴 🔎 Reviews

Waiting for:

• #review-requested = 0

This rule is failing.

• #review-requested = 0
• #changes-requested-reviews-by = 0
• #review-threads-unresolved = 0

🟢 🤖 Continuous Integration

Wonderful, this rule succeeded.

• all of:
  • check-success=ci-gate

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:

🟢 📕 PR description

Wonderful, this rule succeeded.

• body ~= (?ms:.{48,})

[jd]

Revision history

#	Type	Changes	Date
1	initial	2da50c7
2	content	2da50c7 → a2cca7a
3	rebase	a2cca7a → cb257f5	2026-04-23 19:02 UTC
4	rebase	cb257f5 → 44fc353	2026-04-24 13:41 UTC