
ci: use crates.io trusted publishing#105

Merged: dhth merged 1 commit into main from use-crates-io-trusted-publishing on May 16, 2026

Conversation

@dhth
Owner

@dhth dhth commented May 16, 2026

No description provided.

@coderabbitai

coderabbitai Bot commented May 16, 2026

📝 Walkthrough

This PR refactors the crate publishing pipeline from secret-based authentication to GitHub's OIDC token flow. The publish-crates.yml workflow now uses rust-lang/crates-io-auth-action to obtain credentials, wiring the token to CARGO_REGISTRY_TOKEN instead of requiring an explicit secret. The release.yml workflow is reorganized to run custom-publish-crates as an independent job after plan and host, removing its post-announce dependency. The announce job is updated to gate on both custom-publish-crates and other publishing jobs. Finally, dist-workspace.toml is updated to reflect the new job configuration and permissions requirements.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Description check ❓ Inconclusive No description was provided by the author, making it impossible to assess the quality of documentation. Add a PR description explaining the motivation, implementation details, and any breaking changes or migration notes for this security improvement.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The PR title accurately describes the main change: migrating to crates.io trusted publishing instead of token-based authentication.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/publish-crates.yml (1)

13-24: ⚡ Quick win

OIDC trusted publishing setup looks correct.

The workflow correctly uses rust-lang/crates-io-auth-action@v1 for OIDC-based authentication and wires the token to CARGO_REGISTRY_TOKEN. The environment: release is required for trusted publishing.

However, this reusable workflow depends on the caller granting id-token: write permission for OIDC to work. Consider adding a comment documenting this requirement.

📝 Suggested documentation
 on:
   workflow_call:
+    # NOTE: Caller must grant `id-token: write` permission for OIDC auth
     inputs:
       plan:
         required: true
         type: string
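Review bot: the added NOTE documents the `id-token: write` requirement but leaves it unenforced; a job-level `permissions:` block containing `id-token: write` inside this reusable workflow would make GitHub reject the run up front whenever the caller grants less, rather than surfacing the problem as an auth failure in the rust-lang/crates-io-auth-action@v1 step. Consider adding that block alongside the comment, and keep the comment so integrators still see the rationale.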
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-crates.yml around lines 13 - 24, Add a short
comment in the workflow near the environment: release or the
rust-lang/crates-io-auth-action@v1 step stating that callers must grant OIDC
id-token: write permission for the reusable workflow to fetch the token; mention
that CARGO_REGISTRY_TOKEN is populated from steps.auth.outputs.token and that
trusted publishing requires environment: release so integrators know to set
permissions in their calling workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 72e25643-93a1-4e02-a61e-4618fc99505c

📥 Commits

Reviewing files that changed from the base of the PR and between a637f9e and 712b33d.

📒 Files selected for processing (3)
  • .github/workflows/publish-crates.yml
  • .github/workflows/release.yml
  • dist-workspace.toml
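The trusted-publishing flow the walkthrough and the review comment describe, as an added illustration rather than the repository's actual files: the reusable workflow declares `id-token: write` and `environment: release` itself and feeds the short-lived token from `steps.auth.outputs.token` into `CARGO_REGISTRY_TOKEN`, while the caller job (named after the walkthrough's custom-publish-crates, depending on plan and host) grants the same permission. The `plan` input value, the step names and the use of actions/checkout are assumptions, not taken from the PR.

```yaml
# .github/workflows/publish-crates.yml (assumed shape, not the repo's file)
name: publish-crates

on:
  workflow_call:
    # NOTE: caller must grant `id-token: write`; the block below enforces it,
    # because a called workflow may not hold more permissions than its caller.
    inputs:
      plan:
        required: true
        type: string

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # needed to mint the GitHub OIDC token
      contents: read    # checkout only; nothing here writes to the repo
    # crates.io's trusted-publishing config is bound to this environment name,
    # so a token minted from any other environment is rejected by the registry.
    environment: release
    steps:
      - uses: actions/checkout@v4
      - name: Exchange the OIDC token for a short-lived crates.io token
        id: auth
        uses: rust-lang/crates-io-auth-action@v1
      - name: Publish
        env:
          # Temporary registry token; no long-lived secret is stored in the repo.
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
        run: cargo publish
---
# Caller side, .github/workflows/release.yml (assumed shape)
jobs:
  custom-publish-crates:
    needs: [plan, host]
    permissions:
      id-token: write   # must be granted here or the called job cannot request it
      contents: read
    uses: ./.github/workflows/publish-crates.yml
    with:
      plan: ${{ needs.plan.outputs.val }}   # assumed name of the plan job's output
```

Because `permissions:` is explicit in both jobs, every permission not listed is dropped to none, which is the least-privilege outcome the migration away from a stored CARGO_REGISTRY_TOKEN secret is aiming for.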

@dhth dhth merged commit 8966661 into main May 16, 2026
15 checks passed
@dhth dhth deleted the use-crates-io-trusted-publishing branch May 16, 2026 10:20