From 7f22ff5c3bd72ea31630ef214ca1adccda213814 Mon Sep 17 00:00:00 2001
From: Tony Arcieri <bascule@gmail.com>
Date: Sat, 9 May 2026 18:18:43 -0600
Subject: [PATCH] Adopt Trusted Publishin

---
 .github/workflows/publish.yml | 43 +++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..ca902bd4
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,43 @@
+name: Publish to crates.io
+on:
+  push:
+    tags: [
+      "ssh-cipher/v**",
+      "ssh-derive/v**",
+      "ssh-encoding/v**",
+      "ssh-key/v**",
+      "ssh-protocol/v**",
+    ]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: publish
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
+        id: auth
+
+      - name: Extract Crate Name and Version
+        run: |
+          TAG_NAME="${{ github.ref_name }}"
+          CRATE_NAME=${TAG_NAME%/v**}
+          CRATE_VERSION=${TAG_NAME##*/v}
+          echo $CRATE_NAME $CRATE_VERSION
+          echo "CRATE_NAME=${CRATE_NAME}" >> $GITHUB_ENV
+          echo "CRATE_VERSION=${CRATE_VERSION}" >> $GITHUB_ENV
+
+      - name: Check crate version
+        working-directory: ${{ env.CRATE_NAME }}
+        run: |
+          CRATE_TOML_VERSION=$(grep -m 1 "^version =" Cargo.toml | cut -d'"' -f2)
+          echo $CRATE_TOML_VERSION
+          [[ $CRATE_TOML_VERSION == $CRATE_VERSION ]]
+
+      - name: Publish
+        working-directory: ${{ env.CRATE_NAME }}
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+        run: cargo publish