From 611f65eb8eafd34a83486d1972176c6c9012d068 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 5 Mar 2026 22:54:07 +0000
Subject: [PATCH] ci: Add trusted publishing workflow for crates.io Use the rust-lang/crates-io-auth-action OIDC-based authentication to publish to crates.io when a version tag (v*) is pushed, removing the need to manage long-lived API tokens as repository secrets. See https://crates.io/docs/trusted-publishing
Assisted-by: OpenCode (Claude Opus)
Signed-off-by: Colin Walters
---
.github/workflows/cratesio-release.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 .github/workflows/cratesio-release.yml
diff --git a/.github/workflows/cratesio-release.yml b/.github/workflows/cratesio-release.yml
new file mode 100644
index 0000000..96568fc
--- /dev/null
+++ b/.github/workflows/cratesio-release.yml
@@ -0,0 +1,17 @@
+# See https://crates.io/docs/trusted-publishing
+name: Publish to crates.io
+on:
+ push:
+ tags: ['v*'] # Triggers when pushing tags starting with 'v'
+jobs:
+ publish:
+ runs-on: ubuntu-24.04
+ permissions:
+ id-token: write # Required for OIDC token exchange
+ steps:
+ - uses: actions/checkout@v6
+ - uses: rust-lang/crates-io-auth-action@v1
+ id: auth
+ - run: cargo publish
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
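Review bot: Both `uses:` steps reference mutable tags (`actions/checkout@v6`, `rust-lang/crates-io-auth-action@v1`) in a job that holds `id-token: write` and ends in `cargo publish`, so a retagged action would run inside the release job; pin each to a full commit SHA with the tag kept as a comment, e.g. `- uses: rust-lang/crates-io-auth-action@<full-commit-sha> # v1`. The trigger fires on any pushed `v*` tag with no further gate, so binding the job to a protected GitHub environment (`environment: <release-environment>`, matched in the crates.io trusted-publisher settings) would put an approval step in front of the token exchange. `cargo publish` builds the package as a verification step, which runs build scripts while `CARGO_REGISTRY_TOKEN` is in the step environment; `cargo publish --locked` narrows what gets resolved there, though whether the repository commits `Cargo.lock` is not visible in this patch. Adding `with:` / `persist-credentials: false` to the checkout step would likewise keep the GitHub token out of the working tree's git config during that build.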