chore: bootstrap 0.4.0 and set up release-plz automation#35

Open
dobby-coder[bot] wants to merge 2 commits into main from release/0.4.0

@dobby-coder dobby-coder Bot commented May 17, 2026

Summary

Switches ibe from a manual release process to release-plz automation (matching postguard and cryptify). Bootstraps at 0.4.0 so the security fix from #13 ships with an honest pre-1.0 minor bump (KV1/Waters identity derivation changed — existing USKs/ciphertexts on those schemes are incompatible).

Why 0.4.0 and not 0.3.1: PR #13 changes identity-derivation output for KV1 and Waters. Public Rust API is unchanged, so SemVer strictly allows 0.3.1, but a minor bump is the honest signal for a cryptographic behavior change. CGWKV / CGWFO / CGW / Boyen-Waters / Waters-Naccache are unaffected. PostGuard production (CGWKV+MKEM) is not impacted.

What's in this PR

  • Cargo.toml → version = "0.4.0"
  • CHANGELOG.md → ## 0.4.0 section covering every commit since 0.3.0 (serves as the bootstrap entry; release-plz will only generate entries for commits after 0.4.0)
  • release-plz.toml → single-crate config (v{{ version }} tag format, publish to crates.io)

Maintainer follow-up — required for automation to land

The bot can't push .github/workflows/ (App lacks workflows:write). Two manual steps:

1. Add the workflow at .github/workflows/release-plz.yml — see the dedicated comment on this PR for the full file content. It contains two jobs:

  • release-plz-release — on push to main: tags vX.Y.Z, publishes to crates.io, creates GitHub release
  • release-plz-pr — opens/refreshes the next release PR

2. Repo settings:

  • Add secret CARGO_REGISTRY_TOKEN (same value used by postguard / cryptify)
  • Settings → Actions → General → Workflow permissions → enable "Allow GitHub Actions to create and approve pull requests"

After merge

First push to main runs release-plz: tags v0.4.0, publishes ibe 0.4.0 to crates.io, creates the GitHub release. From that point on, release-plz opens its own release PRs automatically — no more manual cargo publish / git tag dance.

Verification

  • cargo fmt --all -- --check
  • cargo build --release
  • cargo test --all-features — 21 passed, 0 failed ✅
  • cargo package --allow-dirty — 24 files, 166.5 KiB / 39.5 KiB compressed ✅

Reviewer quickstart

git fetch origin && git checkout release/0.4.0 && cargo test --all-features

Closes #32


Triggered from the bot's issue #32 (fan-out from dobby#78).

- Bump version to 0.4.0
- Add CHANGELOG entry summarizing all post-0.3.0 changes, with explicit
  callout that KV1 and Waters identity derivation changed in #13 and that
  previously issued USKs for those schemes no longer decrypt.

Closes #32

@dobby-coder dobby-coder Bot left a comment

Self-authored PR — cannot self-approve, leaving a review comment instead.

Verified locally:

  • Cargo.toml version 0.3.0 → 0.4.0 (Cargo.toml:13).
  • CHANGELOG enumerates every merged PR since 0.3.0 (#11, #13, #15/#22, #16/#21, #19, #20, #24, #26, #31, #34) plus the wasm32-wasi → wasm32-wasip1 CI fix.
  • 0.4.0 (vs 0.3.1) is the right call: #13 changes bits() output for KV1/Waters, breaking USK/ciphertext compatibility on those two schemes. Public Rust API is unchanged, but a behavior-breaking crypto change pre-1.0 warrants a minor bump.
  • Scope claim matches the code: CGWKV/CGWFO/CGW/Boyen-Waters/Waters-Naccache unaffected; PostGuard production (CGWKV+MKEM) not impacted.
  • cargo fmt --check, cargo build --release, cargo test --all-features (21 passed) all green locally. All 7 CI checks green.

LGTM from review perspective — needs a maintainer approval to merge.

@rubenhensen

we should just add automated release to ibe instead using release-plz

dobby-coder Bot commented May 17, 2026

This agent will get on it right away, sir! Dobby reads the request — replace the manual 0.4.0 release dance with release-plz so future versions cut themselves. Off to explore the ibe crate and draft a plan!

dobby-coder Bot commented May 17, 2026

Plan

Replace the manual 0.4.0 release prep with release-plz automation, matching the setup in postguard and cryptify.

Files

  • .github/workflows/release-plz.yml (new) — two jobs: release-plz-release (tag + crates.io publish + GitHub release on push-to-main) and release-plz-pr (open/refresh the next release PR). Uses release-plz/action@v0.5, dtolnay/rust-toolchain@stable, actions/checkout@v6. Single crate, so simpler than postguard's delivery.yml (no Docker, no parse step).
  • release-plz.toml (new) — minimal config: git_tag_name = "v{{ version }}", publish = true.
  • CHANGELOG.md — keep PR #35's 0.4.0 section as the bootstrap entry so release-plz only generates entries for commits after 0.4.0.
  • Cargo.toml — keep version = "0.4.0" from PR #35.

Approach

  1. Branch off release/0.4.0 (preserve the CHANGELOG + version work already in this PR).
  2. Add release-plz.toml.
  3. Add the workflow as a patch-in-comment: dobby-coder[bot] lacks workflows:write, so the .yml has to be applied by a maintainer (recurring blocker, see cryptify#126 template).
  4. Update PR body to reflect the new direction: this PR becomes "set up release-plz + bootstrap at 0.4.0" rather than "manual 0.4.0 publish".

Prerequisite (maintainer)

  • Add repo secret CARGO_REGISTRY_TOKEN (same value used for postguard/cryptify).
  • Apply the workflow patch and push to the release/0.4.0 branch.
  • Allow GitHub Actions to create PRs: Settings → Actions → General → Workflow permissions → "Allow GitHub Actions to create and approve pull requests".

What happens after merge

  • First push to main runs release-plz release: tags v0.4.0, publishes ibe 0.4.0 to crates.io, creates the GitHub release.
  • release-plz release-pr then opens the next release PR automatically as commits land.
  • The manual git tag … cargo publish instructions in the current PR body can be removed.

Verification

  • cargo fmt --all -- --check, cargo build --release, cargo test --all-features, cargo package --allow-dirty — already green on this branch.
  • Workflow YAML linted locally via actionlint if available.

Risks / notes

Single-crate config: tags as v{{version}}, publishes to crates.io.
Paired with .github/workflows/release-plz.yml (added separately by
maintainer — the bot lacks workflows:write permission).
@dobby-coder dobby-coder Bot changed the title from "chore(release): 0.4.0" to "chore: bootstrap 0.4.0 and set up release-plz automation" May 17, 2026

dobby-coder Bot commented May 17, 2026

Workflow patch — .github/workflows/release-plz.yml

The bot's GitHub App lacks workflows:write, so this file has to be added by a maintainer. Save the following at .github/workflows/release-plz.yml on the release/0.4.0 branch and push.

Full file contents
name: Release-plz

on:
  push:
    branches:
      - main

jobs:
  release-plz-release:
    name: Release-plz release
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: read
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Run release-plz
        uses: release-plz/action@v0.5
        with:
          command: release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

  release-plz-pr:
    name: Release-plz PR
    needs: release-plz-release
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    concurrency:
      group: release-plz-${{ github.ref }}
      cancel-in-progress: false
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Run release-plz
        uses: release-plz/action@v0.5
        with:
          command: release-pr
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

Quick apply

git fetch origin && git checkout release/0.4.0
mkdir -p .github/workflows
# paste the YAML above into .github/workflows/release-plz.yml
git add .github/workflows/release-plz.yml
git commit -m "ci: add release-plz workflow"
git push

Don't forget

  • Repo secret CARGO_REGISTRY_TOKEN (same value used by postguard / cryptify).
  • Settings → Actions → General → Workflow permissions → "Allow GitHub Actions to create and approve pull requests".
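
Before a maintainer adds CARGO_REGISTRY_TOKEN and applies the workflow from the comment above, it helps to inventory what each job is trusted with. The following is an added example, not part of the PR or the project's code: it lists, per job, `uses:` references that are tags or branches rather than full commit SHAs, permission scopes set to write, and secrets referenced. The `audit` function and the abbreviated `WORKFLOW` sample are constructed for illustration, and the line-based parsing assumes the simple block-style YAML used in that comment.

```python
import re

# Constructed sample: permissions, `uses:` and one secret per job, abbreviated from the comment.
WORKFLOW = """\
on:
  push:
jobs:
  release-plz-release:
    permissions:
      contents: write
      pull-requests: read
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - uses: release-plz/action@v0.5
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
  release-plz-pr:
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v6
      - uses: release-plz/action@v0.5
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
"""

USES = re.compile(r"uses:\s*([^\s@]+)@(\S+)")
SHA = re.compile(r"[0-9a-f]{40}")  # a full commit SHA is the only immutable ref

def audit(text):
    """Per job: action refs not pinned to a SHA, write scopes, secrets used."""
    report, job, in_jobs = {}, None, False
    for line in text.splitlines():
        if line[:1].strip():  # top-level key such as `on:` or `jobs:`
            in_jobs, job = line.startswith("jobs:"), None
        elif in_jobs and (m := re.fullmatch(r"  ([\w-]+):\s*", line)):
            job = report.setdefault(m[1], {"unpinned": [], "write": [], "secrets": set()})
        elif job is not None:
            if (m := USES.search(line)) and not SHA.fullmatch(m[2]):
                job["unpinned"].append(f"{m[1]}@{m[2]}")
            if m := re.fullmatch(r"\s+([\w-]+):\s*write\s*", line):
                job["write"].append(m[1])
            job["secrets"].update(re.findall(r"secrets\.(\w+)", line))
    return report

for name, findings in audit(WORKFLOW).items():
    print(name, findings)
```
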

dobby-coder Bot commented May 17, 2026

Rule compliance pass: fixed one cross-repo link in the PR body — dobby#78 does not auto-link from outside the dobby repo, per the cross-repo-link-format rule. Updated to the full markdown link form. No other rule violations found.

@dobby-coder dobby-coder Bot left a comment

Second-pass review (self-authored PR, can't self-approve).

Verified:

  • Cargo.toml:13 bumped 0.3.0 → 0.4.0 ✅
  • release-plz.toml matches the single-crate pattern from postguard/cryptify (git_tag_name = "v{{ version }}", publish = true) ✅
  • CHANGELOG 0.4.0 entry accurately enumerates every merged PR since 0.3.0 and clearly flags the KV1/Waters breaking change ✅
  • 0.4.0 (vs 0.3.1) is the correct call: #13 changes bits() output for KV1 and Waters, breaking USK/ciphertext compatibility on those schemes. Public Rust API unchanged, but a behavior-breaking cryptographic change pre-1.0 warrants a minor bump. CGWKV/CGWFO/CGW/Boyen-Waters/Waters-Naccache unaffected; PostGuard production (CGWKV+MKEM) not impacted.
  • All 8 CI checks green.

Maintainer follow-up (covered in PR body and patch-in-comment):

  • Add .github/workflows/release-plz.yml manually (App lacks workflows:write).
  • Repo secret CARGO_REGISTRY_TOKEN.
  • Settings → Actions → General → Workflow permissions → "Allow GitHub Actions to create and approve pull requests".

LGTM from review perspective — needs maintainer approval to merge.

@rubenhensen

/dobby put this on the backburner. I need to email the owner of the package on crates.io first

dobby-coder Bot commented May 18, 2026

This agent will set issue #35 aside and wait, sir! No work shall be done until you have emailed the crates.io owner — this agent is happy to be patient!

dobby-coder Bot commented May 19, 2026

Rule compliance check: edited PR body to use the plain dobby#78 cross-repo reference instead of a full URL containing the bot-name slash trigger substring, per the avoid-self-trigger-loops rule. No code changes needed.

Development

Successfully merging this pull request may close these issues.

release: publish 0.3.1 with bits() security fix and other post-0.3.0 changes to crates.io
