5

[RAprogramm]

Closes #5

What

Reworks .github/workflows/release-plz.yml for a production-grade release pipeline:

• crates.io Trusted Publishing (OIDC). rust-lang/crates-io-auth-action mints a short-lived registry token; the release job gets id-token: write. No more static CRATES_IO_TOKEN secret.
• GitHub App token for the release PR. actions/create-github-app-token generates a token for the release-pr command, so ci.yml actually runs on the release PR (the default GITHUB_TOKEN cannot trigger workflows).
• release Environment. The publish job runs under a release environment for a required-reviewer protection gate.
• Minimal permissions. Top-level contents: read default; per-job permissions tightened (release-plz-pr no longer needs write — the App token carries those scopes).

Required before merge (repo owner)

Merging this without the setup below will break the release workflow.

• crates.io: configure Trusted Publishing for timeweb-rs — repo RAprogramm/timeweb-rs, workflow release-plz.yml, environment release.
• Create a GitHub App (Contents: write, Pull requests: write), install it on this repo, add secrets RELEASE_PLZ_APP_ID and RELEASE_PLZ_APP_PRIVATE_KEY.
• Create the release Environment with a required-reviewer rule.

After merge

• Delete the now-unused CRATES_IO_TOKEN secret once a release is verified.

Out of scope

Repo-wide SHA-pinning of third-party actions — tracked separately.