From d033582c8efe35f87f91f8eef193084291a1d914 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@penumbralabs.xyz>
Date: Tue, 7 Jan 2025 12:46:29 -0800
Subject: [PATCH] build: publish workspace to crates.io

We want all the crates Penumbra protocol workspace to be published to
crates.io, so that external developers can depend on them in downstream
projects. For now, we'll skip doing so for the binaries, but we can
circle back on them.

The major obstacle is that the `penumbra-sdk-proof-params` create
contains binary keyfiles, which are managed in git-lfs. We cannot upload
the raw keyfiles to crates.io, because that'd result in a 100MB crate.
Instead, we use a custom script to revert the binary keyfiles to
plaintext lfs pointers immediately prior to publishing to crates.io,
which stays under the limit, and allows third-party tools to opt into
downloading the key material via the `download-proving-keys` feature.

The ratelimit of "20s" between crates publishing has been working
reliably when publishing alpha versions (i.e. an HTTP 429 is avoided).
Publishing all crates takes ~12m.

This commit also condenses several "alpha" series releases, culminating
in `0.82.0-alpha.15`. Most of these versions have been published to
crates.io, to evaluate CI behavior on publishing crates.

build: warn-only if download-proving-keys not set

The goal is to warn if keys are not set, but still permit the build.
---
 Cargo.lock                               | 106 ++++++++-------
 Cargo.toml                               |  76 ++++++-----
 crates/bench/Cargo.toml                  |   1 +
 crates/bin/pcli/Cargo.toml               |   2 +-
 crates/bin/pclientd/Cargo.toml           |   4 +
 crates/bin/pd/Cargo.toml                 |   8 +-
 crates/bin/pindexer/Cargo.toml           |   5 +-
 crates/bin/pmonitor/Cargo.toml           |   7 +-
 crates/core/app-tests/Cargo.toml         |   2 +-
 crates/core/app-tests/src/lib.rs         |   2 +
 crates/core/app/Cargo.toml               |  11 +-
 crates/crypto/proof-params/Cargo.toml    |   9 +-
 crates/crypto/proof-params/build.rs      | 157 ++++++++++++++++-------
 crates/custody/Cargo.toml                |   2 +-
 crates/misc/measure/Cargo.toml           |   1 +
 crates/misc/tct-visualize/Cargo.toml     |   1 +
 crates/test/tct-property-test/Cargo.toml |   1 +
 deployments/scripts/publish-crates       |  72 +++++++++++
 flake.nix                                |   2 +-
 tools/parameter-setup/Cargo.toml         |   2 +-
 tools/summonerd/Cargo.toml               |   5 +-
 21 files changed, 313 insertions(+), 163 deletions(-)
 create mode 100644 crates/core/app-tests/src/lib.rs
 create mode 100755 deployments/scripts/publish-crates

diff --git a/Cargo.lock b/Cargo.lock
index 6cf18dc7e0..3a109fa3f2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1319,7 +1319,7 @@ dependencies = [
 
 [[package]]
 name = "cnidarium-component"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -1357,7 +1357,7 @@ dependencies = [
 
 [[package]]
 name = "cometindex"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -1731,7 +1731,7 @@ dependencies = [
 
 [[package]]
 name = "decaf377-fmd"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "ark-ff",
  "ark-serialize",
@@ -1746,7 +1746,7 @@ dependencies = [
 
 [[package]]
 name = "decaf377-frost"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -1761,7 +1761,7 @@ dependencies = [
 
 [[package]]
 name = "decaf377-ka"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "ark-ff",
  "decaf377",
@@ -4373,7 +4373,7 @@ dependencies = [
 
 [[package]]
 name = "pcli"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -4456,7 +4456,7 @@ dependencies = [
 
 [[package]]
 name = "pclientd"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "assert_cmd",
@@ -4509,7 +4509,7 @@ dependencies = [
 
 [[package]]
 name = "pd"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -4664,18 +4664,16 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-app"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
  "async-trait",
- "axum-server",
  "base64 0.21.7",
  "bech32",
  "bincode",
  "bitvec",
  "blake2b_simd 1.0.2",
- "camino",
  "cfg-if",
  "cnidarium",
  "cnidarium-component",
@@ -4704,9 +4702,6 @@ dependencies = [
  "penumbra-sdk-governance",
  "penumbra-sdk-ibc",
  "penumbra-sdk-keys",
- "penumbra-sdk-mock-client",
- "penumbra-sdk-mock-consensus",
- "penumbra-sdk-mock-tendermint-proxy",
  "penumbra-sdk-num",
  "penumbra-sdk-proof-params",
  "penumbra-sdk-proto",
@@ -4714,7 +4709,6 @@ dependencies = [
  "penumbra-sdk-shielded-pool",
  "penumbra-sdk-stake",
  "penumbra-sdk-tct",
- "penumbra-sdk-test-subscriber",
  "penumbra-sdk-tower-trace",
  "penumbra-sdk-transaction",
  "penumbra-sdk-txhash",
@@ -4751,7 +4745,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-app-tests"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -4841,7 +4835,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-asset"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -4881,7 +4875,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-auction"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -4936,7 +4930,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-auto-https"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "axum-server",
@@ -4948,7 +4942,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-bench"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-bls12-377",
@@ -4992,7 +4986,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-community-pool"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5024,7 +5018,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-compact-block"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5059,7 +5053,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-custody"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "argon2",
@@ -5095,7 +5089,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-dex"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5157,7 +5151,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-distributions"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -5175,7 +5169,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-eddy"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5193,7 +5187,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-fee"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5220,7 +5214,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-funding"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -5243,7 +5237,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-governance"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5297,7 +5291,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-ibc"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5334,7 +5328,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-keys"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "aes",
  "anyhow",
@@ -5381,7 +5375,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-measure"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "assert_cmd",
@@ -5403,7 +5397,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-mock-client"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "cnidarium",
@@ -5420,7 +5414,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-mock-consensus"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "bytes",
@@ -5440,7 +5434,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-mock-tendermint-proxy"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "hex",
  "pbjson-types",
@@ -5455,7 +5449,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-num"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5492,7 +5486,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-parameter-setup"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "ark-groth16",
  "ark-serialize",
@@ -5509,7 +5503,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-proof-params"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ec",
@@ -5537,7 +5531,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-proof-setup"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ec",
@@ -5564,7 +5558,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-proto"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -5599,7 +5593,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-sct"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5635,7 +5629,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-shielded-pool"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5689,7 +5683,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-stake"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5742,7 +5736,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-tct"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "ark-ed-on-bls12-377",
  "ark-ff",
@@ -5774,7 +5768,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-tct-property-test"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "futures",
@@ -5786,7 +5780,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-tct-visualize"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "axum",
@@ -5817,7 +5811,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-tendermint-proxy"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "chrono",
@@ -5849,7 +5843,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-test-subscriber"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "tracing",
  "tracing-subscriber 0.3.18",
@@ -5857,7 +5851,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-tower-trace"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "futures",
  "hex",
@@ -5878,7 +5872,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-transaction"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-ff",
@@ -5933,7 +5927,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-txhash"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "blake2b_simd 1.0.2",
@@ -5946,7 +5940,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-view"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-std",
@@ -6005,7 +5999,7 @@ dependencies = [
 
 [[package]]
 name = "penumbra-sdk-wallet"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-std",
@@ -6091,7 +6085,7 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
 [[package]]
 name = "pindexer"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "chrono",
@@ -6187,7 +6181,7 @@ dependencies = [
 
 [[package]]
 name = "pmonitor"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "assert_cmd",
@@ -8013,7 +8007,7 @@ checksum = "734676eb262c623cec13c3155096e08d1f8f29adce39ba17948b18dad1e54142"
 
 [[package]]
 name = "summonerd"
-version = "0.82.0-alpha.3"
+version = "0.82.0-alpha.15"
 dependencies = [
  "anyhow",
  "ark-groth16",
diff --git a/Cargo.toml b/Cargo.toml
index 9769a78f96..ab7799b8de 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -95,17 +95,22 @@ tag-name = "v{{version}}"
 # The message is required for an annotated tag to be created.
 tag-message                = "Penumbra version {{version}}"
 pre-release-commit-message = "chore: release version {{version}}"
-# Don't push to crates.io; we're still using git branches for velocity.
+# Permit publishing to crates.io; local developers should run `cargo release --no-publish`
+# to prepare the git info, then pushing to remote with tag will trigger crates.io publication.
 publish = true
 # Do commit, tag, and push the version bump, triggering a new release.
 tag = true
 # Don't push, since we're still evaluating the new release workflow.
 push = false
+# Edit each crate's Cargo.toml, bumping versions for other workspace crates.
+dependent-version = "upgrade"
+# Increase default ratelimit on publishing packages
+rate-limit = { existing-packages = 50 }
 
 [workspace.package]
 authors    = ["Penumbra Labs <team@penumbralabs.xyz"]
 edition    = "2021"
-version    = "0.82.0-alpha.3"
+version    = "0.82.0-alpha.15"
 repository = "https://github.com/penumbra-zone/penumbra"
 homepage   = "https://penumbra.zone"
 license    = "MIT OR Apache-2.0"
@@ -137,12 +142,12 @@ chacha20poly1305                 = { version = "0.9.0" }
 chrono                           = { default-features = false, version = "0.4" }
 clap                             = { version = "3.2" }
 cnidarium                        = { version = "0.82.1", default-features = false}
-cnidarium-component              = { default-features = false, version = "0.82.0-alpha.0", path = "crates/cnidarium-component" }
-cometindex                       = { version = "0.82.0-alpha.0", path = "crates/util/cometindex" }
+cnidarium-component              = { default-features = false, version = "0.82.0-alpha.15", path = "crates/cnidarium-component" }
+cometindex                       = { version = "0.82.0-alpha.15", path = "crates/util/cometindex" }
 criterion                        = { version = "0.4" }
 decaf377                         = { default-features = false, version = "0.10.1" }
-decaf377-fmd                     = { version = "0.82.0-alpha.0", path = "crates/crypto/decaf377-fmd" }
-decaf377-ka                      = { version = "0.82.0-alpha.0", path = "crates/crypto/decaf377-ka" }
+decaf377-fmd                     = { version = "0.82.0-alpha.15", path = "crates/crypto/decaf377-fmd" }
+decaf377-ka                      = { version = "0.82.0-alpha.15", path = "crates/crypto/decaf377-ka" }
 decaf377-rdsa                    = { version = "0.11.0" }
 derivative                       = { version = "2.2" }
 directories                      = { version = "4.0.1" }
@@ -170,35 +175,36 @@ once_cell                        = { version = "1.8" }
 parking_lot                      = { version = "0.12.1" }
 pbjson                           = { version = "0.7.0" }
 pbjson-types                     = { version = "0.7.0" }
-penumbra-sdk-app                     = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/app" }
-penumbra-sdk-asset                   = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/asset" }
-penumbra-sdk-community-pool          = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/community-pool" }
-penumbra-sdk-compact-block           = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/compact-block" }
-penumbra-sdk-custody                 = { version = "0.82.0-alpha.0", path = "crates/custody" }
-penumbra-sdk-auction                 = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/auction" }
-penumbra-sdk-dex                     = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/dex" }
-penumbra-sdk-distributions           = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/distributions" }
-penumbra-sdk-fee                     = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/fee" }
-penumbra-sdk-funding                 = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/funding" }
-penumbra-sdk-governance              = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/governance" }
-penumbra-sdk-ibc                     = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/ibc" }
-penumbra-sdk-keys                    = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/keys" }
-penumbra-sdk-mock-client             = { version = "0.82.0-alpha.0", path = "crates/test/mock-client" }
-penumbra-sdk-mock-consensus          = { version = "0.82.0-alpha.0", path = "crates/test/mock-consensus" }
-penumbra-sdk-mock-tendermint-proxy   = { version = "0.82.0-alpha.0", path = "crates/test/mock-tendermint-proxy" }
-penumbra-sdk-num                     = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/num" }
-penumbra-sdk-proof-params            = { default-features = false, version = "0.82.0-alpha.0", path = "crates/crypto/proof-params" }
-penumbra-sdk-proof-setup             = { version = "0.82.0-alpha.0", path = "crates/crypto/proof-setup" }
-penumbra-sdk-proto                   = { default-features = false, version = "0.82.0-alpha.0", path = "crates/proto" }
-penumbra-sdk-sct                     = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/sct" }
-penumbra-sdk-shielded-pool           = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/shielded-pool" }
-penumbra-sdk-stake                   = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/component/stake" }
-penumbra-sdk-tct                     = { default-features = false, version = "0.82.0-alpha.0", path = "crates/crypto/tct" }
-penumbra-sdk-test-subscriber         = { version = "0.82.0-alpha.0", path = "crates/test/tracing-subscriber" }
-penumbra-sdk-transaction             = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/transaction" }
-penumbra-sdk-txhash                  = { default-features = false, version = "0.82.0-alpha.0", path = "crates/core/txhash" }
-penumbra-sdk-view                    = { version = "0.82.0-alpha.0", path = "crates/view" }
-penumbra-sdk-wallet                  = { version = "0.82.0-alpha.0", path = "crates/wallet" }
+penumbra-sdk-app                     = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/app" }
+penumbra-sdk-asset                   = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/asset" }
+penumbra-sdk-community-pool          = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/community-pool" }
+penumbra-sdk-compact-block           = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/compact-block" }
+penumbra-sdk-custody                 = { version = "0.82.0-alpha.15", path = "crates/custody" }
+penumbra-sdk-auction                 = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/auction" }
+penumbra-sdk-dex                     = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/dex" }
+penumbra-sdk-distributions           = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/distributions" }
+penumbra-sdk-fee                     = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/fee" }
+penumbra-sdk-funding                 = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/funding" }
+penumbra-sdk-governance              = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/governance" }
+penumbra-sdk-ibc                     = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/ibc" }
+penumbra-sdk-keys                    = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/keys" }
+penumbra-sdk-mock-client             = { version = "0.82.0-alpha.15", path = "crates/test/mock-client" }
+penumbra-sdk-mock-consensus          = { version = "0.82.0-alpha.15", path = "crates/test/mock-consensus" }
+penumbra-sdk-mock-tendermint-proxy   = { version = "0.82.0-alpha.15", path = "crates/test/mock-tendermint-proxy" }
+penumbra-sdk-num                     = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/num" }
+penumbra-sdk-proof-params            = { default-features = false, version = "0.82.0-alpha.15", path = "crates/crypto/proof-params" }
+penumbra-sdk-proof-setup             = { version = "0.82.0-alpha.15", path = "crates/crypto/proof-setup" }
+penumbra-sdk-proto                   = { default-features = false, version = "0.82.0-alpha.15", path = "crates/proto" }
+penumbra-sdk-sct                     = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/sct" }
+penumbra-sdk-shielded-pool           = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/shielded-pool" }
+penumbra-sdk-stake                   = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/component/stake" }
+penumbra-sdk-tct                     = { default-features = false, version = "0.82.0-alpha.15", path = "crates/crypto/tct" }
+penumbra-sdk-test-subscriber         = { version = "0.82.0-alpha.15", path = "crates/test/tracing-subscriber" }
+penumbra-sdk-tower-trace             = { version = "0.82.0-alpha.15", path = "crates/util/tower-trace" }
+penumbra-sdk-transaction             = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/transaction" }
+penumbra-sdk-txhash                  = { default-features = false, version = "0.82.0-alpha.15", path = "crates/core/txhash" }
+penumbra-sdk-view                    = { version = "0.82.0-alpha.15", path = "crates/view" }
+penumbra-sdk-wallet                  = { version = "0.82.0-alpha.15", path = "crates/wallet" }
 pin-project                      = { version = "1.0.12" }
 pin-project-lite                 = { version = "0.2.9" }
 poseidon377                      = { version = "1.2.0" }
diff --git a/crates/bench/Cargo.toml b/crates/bench/Cargo.toml
index 0698461760..7cbdc8d3a6 100644
--- a/crates/bench/Cargo.toml
+++ b/crates/bench/Cargo.toml
@@ -6,6 +6,7 @@ description = "Benchmarks for Penumbra crates"
 version = {workspace = true}
 license = {workspace = true}
 edition = {workspace = true}
+publish = false
 
 [build-dependencies]
 regex = { version = "1", optional = true }
diff --git a/crates/bin/pcli/Cargo.toml b/crates/bin/pcli/Cargo.toml
index 40f99e6723..3c1ab9a400 100644
--- a/crates/bin/pcli/Cargo.toml
+++ b/crates/bin/pcli/Cargo.toml
@@ -7,7 +7,7 @@ description = "The command-line interface for the Penumbra Zone"
 repository = {workspace = true}
 homepage = {workspace = true}
 license = {workspace = true}
-publish = true
+publish = false
 
 [package.metadata.dist]
 dist = true
diff --git a/crates/bin/pclientd/Cargo.toml b/crates/bin/pclientd/Cargo.toml
index 2ce93e5aae..64d77a8396 100644
--- a/crates/bin/pclientd/Cargo.toml
+++ b/crates/bin/pclientd/Cargo.toml
@@ -6,6 +6,10 @@ description = "Penumbra view server daemon"
 version = {workspace = true}
 license = {workspace = true}
 edition = {workspace = true}
+publish = false
+
+[package.metadata.dist]
+dist = true
 
 [features]
 default = ["std", "download-proving-keys"]
diff --git a/crates/bin/pd/Cargo.toml b/crates/bin/pd/Cargo.toml
index cdd286f2ae..3e292d0dd6 100644
--- a/crates/bin/pd/Cargo.toml
+++ b/crates/bin/pd/Cargo.toml
@@ -7,7 +7,7 @@ description = "The node software for the Penumbra Zone"
 repository = { workspace = true }
 homepage = { workspace = true }
 license = { workspace = true }
-publish = true
+publish = false
 rust-version = "1.75"
 
 [package.metadata.dist]
@@ -61,7 +61,7 @@ once_cell                        = { workspace = true }
 pbjson-types                     = { workspace = true }
 penumbra-sdk-app                     = { workspace = true, default-features = true }
 penumbra-sdk-asset                   = { workspace = true, default-features = true }
-penumbra-sdk-auto-https              = { version = "0.82.0-alpha.0", path = "../../util/auto-https" }
+penumbra-sdk-auto-https              = { version = "0.82.0-alpha.15", path = "../../util/auto-https" }
 penumbra-sdk-compact-block           = { workspace = true, default-features = true }
 penumbra-sdk-custody                 = { workspace = true }
 penumbra-sdk-auction                 = { workspace = true, features = ["parallel"], default-features = true }
@@ -76,8 +76,8 @@ penumbra-sdk-sct                     = { workspace = true, default-features = tr
 penumbra-sdk-shielded-pool           = { workspace = true, features = ["parallel"], default-features = true }
 penumbra-sdk-stake                   = { workspace = true, features = ["parallel"], default-features = true }
 penumbra-sdk-tct                     = { workspace = true, default-features = true }
-penumbra-sdk-tendermint-proxy        = { version = "0.82.0-alpha.0", path = "../../util/tendermint-proxy" }
-penumbra-sdk-tower-trace             = { version = "0.82.0-alpha.0", path = "../../util/tower-trace" }
+penumbra-sdk-tendermint-proxy        = { version = "0.82.0-alpha.15", path = "../../util/tendermint-proxy" }
+penumbra-sdk-tower-trace             = { workspace = true }
 penumbra-sdk-transaction             = { workspace = true, default-features = true }
 pin-project                      = { workspace = true }
 pin-project-lite                 = { workspace = true }
diff --git a/crates/bin/pindexer/Cargo.toml b/crates/bin/pindexer/Cargo.toml
index f51310f243..8fe7fd59f7 100644
--- a/crates/bin/pindexer/Cargo.toml
+++ b/crates/bin/pindexer/Cargo.toml
@@ -7,7 +7,10 @@ edition = { workspace = true }
 repository = { workspace = true }
 homepage = { workspace = true }
 license = { workspace = true }
-publish = true
+publish = false
+
+[package.metadata.dist]
+dist = true
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
diff --git a/crates/bin/pmonitor/Cargo.toml b/crates/bin/pmonitor/Cargo.toml
index d1ed26d9df..6283f53c32 100644
--- a/crates/bin/pmonitor/Cargo.toml
+++ b/crates/bin/pmonitor/Cargo.toml
@@ -7,7 +7,10 @@ edition = { workspace = true }
 repository = { workspace = true }
 homepage = { workspace = true }
 license = { workspace = true }
-publish = true
+publish = false
+
+[package.metadata.dist]
+dist = true
 
 [features]
 integration-testnet = []
@@ -20,7 +23,7 @@ colored = "2.1.0"
 directories = {workspace = true}
 futures = {workspace = true}
 indicatif = {workspace = true}
-pcli = {version = "0.82.0-alpha.0", path = "../pcli", default-features = true}
+pcli = {version = "0.82.0-alpha.15", path = "../pcli", default-features = true}
 penumbra-sdk-app = {workspace = true}
 penumbra-sdk-asset = {workspace = true, default-features = false}
 penumbra-sdk-compact-block = {workspace = true, default-features = false}
diff --git a/crates/core/app-tests/Cargo.toml b/crates/core/app-tests/Cargo.toml
index bb1260d07d..788fdd0ee7 100644
--- a/crates/core/app-tests/Cargo.toml
+++ b/crates/core/app-tests/Cargo.toml
@@ -81,7 +81,7 @@ penumbra-sdk-shielded-pool           = { workspace = true, default-features = fa
 penumbra-sdk-stake                   = { workspace = true, default-features = false }
 penumbra-sdk-tct                     = { workspace = true, default-features = true }
 penumbra-sdk-test-subscriber         = { workspace = true }
-penumbra-sdk-tower-trace             = {  path = "../../util/tower-trace"  }
+penumbra-sdk-tower-trace             = { workspace = true }
 penumbra-sdk-transaction             = { workspace = true, features = ["parallel"], default-features = true }
 penumbra-sdk-txhash                  = { workspace = true, default-features = true }
 prost                            = { workspace = true }
diff --git a/crates/core/app-tests/src/lib.rs b/crates/core/app-tests/src/lib.rs
new file mode 100644
index 0000000000..2e9d2e00e0
--- /dev/null
+++ b/crates/core/app-tests/src/lib.rs
@@ -0,0 +1,2 @@
+//! The `penumbra-sdk-app-tests` crate stores workspace-wide test logic
+//! for the Penumbra app components.
diff --git a/crates/core/app/Cargo.toml b/crates/core/app/Cargo.toml
index 775eb22f8b..79b0015ed8 100644
--- a/crates/core/app/Cargo.toml
+++ b/crates/core/app/Cargo.toml
@@ -76,8 +76,7 @@ penumbra-sdk-sct                     = { workspace = true, default-features = fa
 penumbra-sdk-shielded-pool           = { workspace = true, default-features = false }
 penumbra-sdk-stake                   = { workspace = true, default-features = false }
 penumbra-sdk-tct                     = { workspace = true, default-features = true }
-penumbra-sdk-test-subscriber         = { workspace = true }
-penumbra-sdk-tower-trace             = {  version = "0.82.0-alpha.0", path = "../../util/tower-trace"  }
+penumbra-sdk-tower-trace             = { workspace = true }
 penumbra-sdk-transaction             = { workspace = true, features = ["parallel"], default-features = true }
 penumbra-sdk-txhash                  = { workspace = true, default-features = true }
 prost                            = { workspace = true }
@@ -105,15 +104,9 @@ tracing                          = { workspace = true }
 url                              = { workspace = true }
 
 [dev-dependencies]
-axum-server                      = { workspace = true }
-camino                           = { workspace = true }
 decaf377-fmd                     = { workspace = true, default-features = true }
 ed25519-consensus                = { workspace = true }
-penumbra-sdk-mock-client             = { workspace = true }
-penumbra-sdk-mock-consensus          = { workspace = true }
-penumbra-sdk-proto                   = { workspace = true, features = ["box-grpc"] }
-penumbra-sdk-test-subscriber         = { workspace = true }
-penumbra-sdk-mock-tendermint-proxy   = { workspace = true }
+penumbra-sdk-proto               = { workspace = true, features = ["box-grpc"] }
 rand                             = { workspace = true }
 rand_chacha                      = { workspace = true }
 rand_core                        = { workspace = true }
diff --git a/crates/crypto/proof-params/Cargo.toml b/crates/crypto/proof-params/Cargo.toml
index bdda5add5d..aea09210f6 100644
--- a/crates/crypto/proof-params/Cargo.toml
+++ b/crates/crypto/proof-params/Cargo.toml
@@ -2,11 +2,14 @@
 name = "penumbra-sdk-proof-params"
 authors = {workspace = true}
 repository = {workspace = true}
-description = "Penumbra Proof parameters"
+description = "Penumbra proof parameters"
 version = {workspace = true}
 license = {workspace = true}
 edition = {workspace = true}
-exclude = ["src/gen/*.bin"]
+# We permit inclusion of the `*.bin` files, but including the full binary
+# data would be too large for crates.io, so a custom script converts them
+# to git-lfs pointers, which can be resolved by enabling the `download-proving-keys` feature.
+# exclude = ["src/gen/*.bin"]
 
 [build-dependencies]
 regex = { version = "1", optional = true }
@@ -59,4 +62,4 @@ sha2 = {workspace = true}
 tracing = {workspace = true}
 
 [package.metadata.docs.rs]
-features = ["bundled-proving-keys"] # docs.rs
+features = [] # docs.rs
diff --git a/crates/crypto/proof-params/build.rs b/crates/crypto/proof-params/build.rs
index 57107af3af..bd143d821b 100644
--- a/crates/crypto/proof-params/build.rs
+++ b/crates/crypto/proof-params/build.rs
@@ -1,6 +1,12 @@
-#[cfg(feature = "bundled-proving-keys")]
+//! The Penumbra proving and verification key files are binary
+//! data that must be provided at build time, so that the key material
+//! can be injected into Rust types. The key material is too large, however,
+//! for uploading to crates.io (with the keys the crate weights ~100MB).
+//!
+//! Instead, we'll upload just git raw git-lfs pointer files when publishing to crates.io,
+//! then use the build.rs logic to fetch the assets ahead of compilation. Use the feature
+//! `download-proving-keys` to enable the auto-download behavior.
 use anyhow::Context;
-#[cfg(feature = "bundled-proving-keys")]
 use std::io::Read;
 
 fn main() {
@@ -29,59 +35,116 @@ fn main() {
         println!("cargo:rerun-if-changed={file}");
     }
 
-    #[cfg(feature = "bundled-proving-keys")]
-    {
-        for file in proving_parameter_files {
-            check_proving_key(file)
-                .map_err(|e| format!("error downloading proving key: {e:#}"))
-                .unwrap()
-        }
+    for file in proving_parameter_files {
+        handle_proving_key(file).expect("failed while handling proving keys");
     }
 }
 
-#[cfg(feature = "bundled-proving-keys")]
-/// Check that the proving key is not a Git LFS pointer.
-pub fn check_proving_key(file: &str) -> anyhow::Result<()> {
-    let mut bytes = Vec::new();
-    {
-        let f = std::fs::File::open(file).with_context(|| "can open proving key file")?;
-        let mut reader = std::io::BufReader::new(f);
-        reader
-            .read_to_end(&mut bytes)
-            .with_context(|| "can read proving key file")?;
-    }
-
-    // At build time, we check that the Git LFS pointers to proving keys are resolved.
-    // If the system does _not_ have Git LFS installed, then the files will
-    // exist but they will be tiny pointers. We want to detect this and either
-    // resolve the Git LFS pointers OR panic to alert the user they should install
-    // Git LFS.
-    if bytes.len() < 500 {
-        #[cfg(feature = "download-proving-keys")]
-        {
-            use std::io::Write;
-
-            let pointer =
-                downloads::GitLFSPointer::parse(&bytes[..]).with_context(|| "can parse pointer")?;
-            let downloaded_bytes = pointer
-                .resolve()
-                .with_context(|| "can download proving key")?;
-
-            // Save downloaded bytes to file.
-            let f = std::fs::File::create(file).with_context(|| "can open proving key file")?;
-            let mut writer = std::io::BufWriter::new(f);
-            writer
-                .write_all(&downloaded_bytes[..])
-                .with_context(|| "can write proving key file")?;
-        }
-        #[cfg(not(feature = "download-proving-keys"))]
-        {
+/// Inspect keyfiles, to figure out whether they're git-lfs pointers.
+/// If so, and if the `download-proving-keys` feature is set, then fetch
+/// the key material over the network via Github API. Otherwise, error
+/// out with an informative message.
+fn handle_proving_key(file: &str) -> anyhow::Result<()> {
+    let r = ProvingKeyFilepath::new(file);
+    match r {
+        ProvingKeyFilepath::Present(_f) => {}
+        ProvingKeyFilepath::Absent(f) => {
+            println!(
+                "cargo:warning=proving key file is missing: {} this should not happen",
+                f
+            );
             anyhow::bail!(
-                "proving key is too small; please enable the download-proving-keys feature on the `penumbra-proof-params` crate, adding a direct dependency to enable the feature if necessary."
+                "proving key file not found; at least lfs pointers were expected; path={}",
+                f
+            );
+        }
+        ProvingKeyFilepath::Pointer(f) => {
+            #[cfg(feature = "download-proving-keys")]
+            download_proving_key(&f)?;
+            #[cfg(not(feature = "download-proving-keys"))]
+            println!(
+                "cargo:warning=proving key file is lfs pointer: {} enable 'download-proving-keys' feature to obtain key files",
+                f
             );
         }
     }
+    Ok(())
+}
+
+/// The states that a proving key filepath can be in.
+enum ProvingKeyFilepath {
+    /// The filepath does not exist.
+    ///
+    /// `Absent` is the expected state when building from crates.io,
+    /// because the binary keyfiles are excluded from the crate manifest, due to filesize.
+    /// If the keyfiles were bundled into the crate, it'd be ~100MB, far too large for crates.io.
+    Absent(String),
+
+    /// The filepath was found, but appears to be a git-lfs pointer.
+    ///
+    /// `Pointer` is the expected state when:
+    ///
+    ///   * building from source, via a local git checkout, but without git-lfs being configured;
+    ///   * building from crates.io, because only the git-lfs pointers were uploaded
+    ///
+    /// If the `download-proving-keys` feature is set, then the proving keys will be fetched
+    /// via the Github LFS API and written in place in the source checkout. Otherwise,
+    /// an error is thrown.
+    Pointer(String),
+
+    /// The filepath was found, and appears to be a fully-fleged binary key file.
+    ///
+    /// `Present` is the expected state when building from source, via a local git checkout,
+    /// with git-lfs properly configured.
+    Present(String),
+}
+
+impl ProvingKeyFilepath {
+    fn new(filepath: &str) -> Self {
+        if std::fs::metadata(filepath).is_ok() {
+            let bytes = file_to_bytes(filepath).expect("failed to read filepath as bytes");
+            // If the file is smaller than 500 bytes, we'll assume it's an LFS pointer.
+            if bytes.len() < 500 {
+                ProvingKeyFilepath::Pointer(filepath.into())
+            } else {
+                ProvingKeyFilepath::Present(filepath.into())
+            }
+        } else {
+            ProvingKeyFilepath::Absent(filepath.into())
+        }
+    }
+}
+
+/// Read filepath to byte array.
+fn file_to_bytes(filepath: &str) -> anyhow::Result<Vec<u8>> {
+    let mut bytes = Vec::new();
+    let f = std::fs::File::open(filepath)
+        .with_context(|| "can open proving key file from local source")?;
+    let mut reader = std::io::BufReader::new(f);
+    reader
+        .read_to_end(&mut bytes)
+        .with_context(|| "can read proving key file")?;
+    Ok(bytes)
+}
+
+#[cfg(feature = "download-proving-keys")]
+pub fn download_proving_key(filepath: &str) -> anyhow::Result<()> {
+    use std::io::Write;
+
+    let bytes = file_to_bytes(filepath)?;
+    let pointer =
+        downloads::GitLFSPointer::parse(&bytes[..]).with_context(|| "can parse pointer")?;
+    let downloaded_bytes = pointer
+        .resolve()
+        .with_context(|| "can download proving key from git-lfs")?;
 
+    // Save downloaded bytes to file.
+    let f =
+        std::fs::File::create(filepath).with_context(|| "can open downloaded proving key file")?;
+    let mut writer = std::io::BufWriter::new(f);
+    writer
+        .write_all(&downloaded_bytes[..])
+        .with_context(|| "can write downloaded proving key to local file")?;
     Ok(())
 }
 
diff --git a/crates/custody/Cargo.toml b/crates/custody/Cargo.toml
index 1ff5311d51..8b6f7f45eb 100644
--- a/crates/custody/Cargo.toml
+++ b/crates/custody/Cargo.toml
@@ -17,7 +17,7 @@ blake2b_simd = {workspace = true}
 bytes = {workspace = true, features = ["serde"]}
 chacha20poly1305 = {workspace = true}
 decaf377 = {workspace = true}
-decaf377-frost = { version = "0.82.0-alpha.0", path = "../crypto/decaf377-frost" }
+decaf377-frost = { version = "0.82.0-alpha.15", path = "../crypto/decaf377-frost" }
 decaf377-ka = {workspace = true}
 decaf377-rdsa = {workspace = true}
 ed25519-consensus = {workspace = true}
diff --git a/crates/misc/measure/Cargo.toml b/crates/misc/measure/Cargo.toml
index 9610985bda..60cb71f17e 100644
--- a/crates/misc/measure/Cargo.toml
+++ b/crates/misc/measure/Cargo.toml
@@ -6,6 +6,7 @@ description = "A benchmark tool for Penumbra RPCs"
 version = {workspace = true}
 license = {workspace = true}
 edition = {workspace = true}
+publish = false
 
 [package.metadata.dist]
 dist = false
diff --git a/crates/misc/tct-visualize/Cargo.toml b/crates/misc/tct-visualize/Cargo.toml
index 1f8ee7e1c7..888c7c998d 100644
--- a/crates/misc/tct-visualize/Cargo.toml
+++ b/crates/misc/tct-visualize/Cargo.toml
@@ -6,6 +6,7 @@ description = "Visualize a TCT in action"
 version = {workspace = true}
 license = {workspace = true}
 edition = {workspace = true}
+publish = false
 
 [package.metadata.dist]
 dist = false
diff --git a/crates/test/tct-property-test/Cargo.toml b/crates/test/tct-property-test/Cargo.toml
index f554a62657..ba03f0ae07 100644
--- a/crates/test/tct-property-test/Cargo.toml
+++ b/crates/test/tct-property-test/Cargo.toml
@@ -6,6 +6,7 @@ description = "Property testing for the TCT, as a library"
 version = {workspace = true}
 license = {workspace = true}
 edition = {workspace = true}
+publish = false
 
 [dev-dependencies]
 anyhow = {workspace = true}
diff --git a/deployments/scripts/publish-crates b/deployments/scripts/publish-crates
new file mode 100755
index 0000000000..f3e68fb53c
--- /dev/null
+++ b/deployments/scripts/publish-crates
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# Utility script to automate publishing the workspace packages to crates.io
+# Requires:
+#
+#   1. `cargo-release` (present in nix env)
+#   2. env var CARGO_REGISTRY_TOKEN with sufficient rights
+#
+# The major contribution of this script is that it will munge the binary
+# proving keys from the `penumbra-sdk-proof-params` crate to be text-only
+# Git LFS pointers, rather than the full binary files. We do this so that
+# publishing the `proof-params` crate to crates.io doesn't exceed the filesize
+# limit for crates (with binary data it'd be ~100MB).
+#
+# If we simply omit the `src/gen/*.bin` files from the crates.io upload, then
+# the build.rs logic for downloading key contents by resolving git-lfs pointers
+# can't work, because they won't have hashes to identify or verify the downloads.
+#
+# This script assumes that a developer has already bumped the requisite version,
+# by running:
+#
+#   cargo release --no-publish $VERSION --execute
+#
+# Then the resulting commits and tags can be pushed to the repo, which will trigger
+# the running of this script.
+set -euo pipefail
+
+
+# Check deps
+if ! hash cargo-release > /dev/null 2>&1 ; then
+  >&2 echo "ERROR: cargo-release not found on PATH"
+  exit 1
+fi
+
+if [[ -z "${CARGO_REGISTRY_TOKEN:-}" ]] ; then
+  >&2 echo "ERROR: CARGO_REGISTRY_TOKEN not set"
+  exit 2
+fi
+
+# Retrieve workspace-wide version from the top-level Cargo.toml.
+target_version="$(toml get Cargo.toml workspace.package.version -r)"
+
+# Check for local changes to working tree, and error out if any.
+# Normally `cargo-release` would check for this itself, but since
+# we munge the git-lfs pointers for the `proof-params` crate
+# to stay under the size limits for crates.io, we must skip verification
+# via cargo-release.
+s="$(git status --porcelain)"
+if [[ -n "$s" ]]; then
+  >&2 echo "ERROR: found modified files that should be committed:"
+  >&2 echo "$s"
+  git diff | head -n 128
+  exit 1
+fi
+
+# Swap out the full binary contents for the raw git-lfs pointers; suggestion via
+# https://github.com/git-lfs/git-lfs/issues/951#issuecomment-581477084
+# This is a destructive action! Which is why we checked for dirty tree above.
+git read-tree HEAD && GIT_LFS_SKIP_SMUDGE=1 git checkout -f HEAD
+
+# Restore the full binary contents on exit, so the script doesn't have lasting side-effects.
+trap 'git lfs pull' EXIT
+
+# Slow down the crate publishing, to avoid hitting a 429 ratelimit.
+# Normally the per-crate compilation checks would slow things down enough,
+# but we skip those.
+export PUBLISH_GRACE_SLEEP="20"
+
+>&2 echo "Publishing crate versions '$target_version' to crates.io..."
+# Run the publish command.
+# Uses `--no-verify` because the git-lfs munging will trigger a dirty build for `pd`,
+# complaining about its asset zipfiles being pointers.
+cargo release publish --execute --no-verify --no-confirm
diff --git a/flake.nix b/flake.nix
index e4ad017140..fca7ebef1d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,7 +13,6 @@
     };
     crane = {
       url = "github:ipetkov/crane";
-      inputs = { nixpkgs.follows = "nixpkgs"; };
     };
   };
 
@@ -174,6 +173,7 @@
               rocksdb
               rsync
               sqlfluff
+              toml-cli
             ];
             shellHook = ''
               export LIBCLANG_PATH=${LIBCLANG_PATH}
diff --git a/tools/parameter-setup/Cargo.toml b/tools/parameter-setup/Cargo.toml
index 4d0abf0f4d..4f9cf821f0 100644
--- a/tools/parameter-setup/Cargo.toml
+++ b/tools/parameter-setup/Cargo.toml
@@ -5,9 +5,9 @@ authors = { workspace = true }
 edition = { workspace = true }
 homepage = { workspace = true }
 license = { workspace = true }
-publish = true
 repository = { workspace = true }
 version = { workspace = true }
+publish = false
 
 [dependencies]
 ark-groth16 = { workspace = true }
diff --git a/tools/summonerd/Cargo.toml b/tools/summonerd/Cargo.toml
index 364e8af565..adec450f06 100644
--- a/tools/summonerd/Cargo.toml
+++ b/tools/summonerd/Cargo.toml
@@ -7,9 +7,12 @@ description = "Coordination node for summoning ceremony"
 repository = {workspace = true}
 homepage = {workspace = true}
 license = {workspace = true}
-publish = true
+publish = false
 rust-version = "1.65"
 
+[package.metadata.dist]
+dist = true
+
 [dependencies]
 anyhow = {workspace = true}
 ark-groth16 = {workspace = true}