ci: remove caching from publishing workflows #630

Merged: jdx merged 1 commit into main from claude/remove-publishing-cache, May 12, 2026
@jdx (Owner) commented May 12, 2026

Summary

  • Strips cache actions (nscloud-cache-action, Swatinem/rust-cache, actions/cache) from release / release-plz / publishing workflows.
  • These workflows have elevated permissions (write tokens, signing keys, registry credentials). Even with Namespace's protected-branches setting and GHA's ref-scoped cache enforcement, the simplest defense for the publishing surface is to not depend on any cache at all — builds re-run from clean each time.
  • For mise's release-plz.yml, also removes the now-pointless sccache install/configure since it had no persistent backing store without the nscloud cache.

Test plan

  • Releases still build successfully (cold cache; expect slower but functional).

Note

Low Risk
Low risk: only adjusts GitHub Actions CI for publishing by removing the Swatinem/rust-cache step; main impact is slower cold builds but fewer cache-related supply-chain/permission concerns.

Overview
The release-plz GitHub Actions workflow no longer uses Swatinem/rust-cache, so the release/publish job runs without any Rust build caching.

This reduces reliance on shared caches in a workflow that runs with write-level credentials, at the cost of potentially slower release builds.

Reviewed by Cursor Bugbot for commit a86d133. Bugbot is set up for automated code reviews on this repo.

Removes all cache steps (nscloud-cache-action, Swatinem/rust-cache,
actions/cache, sccache) from workflows that publish releases. The cache
write/restore surface in privileged publishing paths is not worth the
poisoning risk, even with branch protection at the cache backend.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@gemini-code-assist (Contributor)

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

greptile-apps Bot commented May 12, 2026

Greptile Summary

Removes Swatinem/rust-cache from the release-plz.yml publishing workflow to reduce the attack surface on a workflow that holds elevated credentials (MY_RELEASE_PLEASE_TOKEN, CARGO_REGISTRY_TOKEN). The publish-cli.yml workflow already has no cache steps, so no other files needed updating.

  • The removed rust-cache step used save-if: false, meaning it was read-only and only consumed cached artifacts — removing it means the release-plz job now builds from scratch on every run, trading speed for a narrower trust boundary on the publishing path.

Confidence Score: 5/5

Safe to merge — the change removes a single read-only cache step from the publishing workflow without touching any build logic or credentials handling.

A single cache step is deleted. The removed step used save-if: false so it never wrote anything; its only effect was warming build times. The remaining workflow is unchanged and the elevated secrets are not affected. No logic is altered, no side effects are introduced, and the other publishing workflow (publish-cli.yml) already had no cache steps.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/release-plz.yml | Removes Swatinem/rust-cache step — straightforward security hardening with no functional side effects beyond slower cold builds. |

Reviews (1): Last reviewed commit: "ci: remove caching from publishing workf..." | Re-trigger Greptile
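
An audit along the lines this PR argues for, as an added example (not code from this repository or from the bots commenting here): it flags cache steps in any workflow that references secrets or requests write permissions, including read-only restores such as save-if: false. The sample workflow is constructed, and the line-based matching and marker names are assumptions of this example.

```python
import re

# Cache actions named in this PR, matched as substrings of a step's uses: value.
CACHE_ACTIONS = ("nscloud-cache-action", "swatinem/rust-cache", "actions/cache", "sccache")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
WRITE_PERM_RE = re.compile(r"^\s*[\w-]+:\s*write\s*$")

# Constructed sample (not the repository's real release-plz.yml).
SAMPLE = """\
name: release-plz
on:
  push:
    branches: [main]
permissions:
  contents: write
jobs:
  release-plz:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Swatinem/rust-cache@v2
        with:
          save-if: false
      - run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
"""

def audit_workflow(text):
    """Return (privileged_markers, cache_findings) for one workflow file's text."""
    markers, findings = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split(" #", 1)[0]  # drop trailing YAML comments
        if code.lstrip().startswith("#"):
            continue
        markers.update("secret:" + name for name in SECRET_RE.findall(code))
        if WRITE_PERM_RE.match(code):
            markers.add("perm:" + code.strip())
        m = USES_RE.match(code)
        # A read-only restore is still reported: it feeds cache contents to the job.
        if m and any(a in m.group(1).lower() for a in CACHE_ACTIONS):
            findings.append((lineno, m.group(1)))
    # Cache steps count as findings only when the workflow holds credentials.
    return sorted(markers), (findings if markers else [])

if __name__ == "__main__":
    markers, findings = audit_workflow(SAMPLE)
    print("privileged markers:", markers)
    for lineno, action in findings:
        print(f"line {lineno}: cache step {action} in privileged workflow")
```

Run it over each file in .github/workflows and treat any finding in a release or publish workflow as a review item.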

codecov Bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.94%. Comparing base (386df55) to head (a86d133).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #630   +/-   ##
=======================================
  Coverage   78.94%   78.94%           
=======================================
  Files          49       49           
  Lines        7284     7284           
  Branches     7284     7284           
=======================================
  Hits         5750     5750           
  Misses       1147     1147           
  Partials      387      387           

@jdx jdx merged commit 698fd0e into main May 12, 2026
8 checks passed
@jdx jdx deleted the claude/remove-publishing-cache branch May 12, 2026 13:35