
ci(release-plz): use crates.io trusted publishing#491

Merged: jdx merged 1 commit into main from ci/crates-io-trusted-publishing on May 17, 2026

Conversation

@jdx (Owner) commented May 17, 2026

Summary

  • Switch the release-plz workflow to mint a short-lived crates.io token via OIDC using rust-lang/crates-io-auth-action, pinned to v1.0.4.
  • Drop the long-lived CARGO_REGISTRY_TOKEN secret reference in favor of the action's outputs.token.
  • Add id-token: write to the job permissions so OIDC can sign the token request.

Trusted publishers for fnox and fnox-core are already configured on crates.io against this workflow file.

Notes

  • v1.25.0 publish failed under the old token; the tag and GitHub release exist but the crate is not on crates.io. Plan to either publish it manually or skip and let v1.25.1+ be the first OIDC-published release.
  • After the next successful publish, the CARGO_REGISTRY_TOKEN repo secret can be deleted.

Test plan

  • Merge and confirm the next release-plz run requests an OIDC token and publishes successfully.

🤖 Generated with Claude Code
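The wiring described in the summary above (OIDC permission, token-minting step, output token mapped into CARGO_REGISTRY_TOKEN), shown as an added illustrative workflow. This is not the fnox repository's actual release-plz.yml and not the PR's diff; the job layout, step names, the checkout step and the release-plz action version are assumptions, and the action is referenced by its v1.0.4 tag here only for readability where the merged workflow pins a full commit SHA.

```yaml
# Illustrative .github/workflows/release-plz.yml (added example, not the
# project's file). Step names and the release-plz action version are assumed.
name: release-plz

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # release-plz needs this to push tags and create the GitHub release
      id-token: write   # lets the job request a GitHub OIDC token for crates.io
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # release-plz reads tags/history to decide what to release

      # Exchange the job's GitHub OIDC token for a short-lived crates.io token.
      # The merged PR pins this action to a full commit SHA (tag v1.0.4);
      # the tag is used here only as a readable placeholder for that SHA.
      - name: Mint crates.io token via trusted publishing
        id: auth
        uses: rust-lang/crates-io-auth-action@v1.0.4

      - name: Run release-plz
        uses: release-plz/action@v0.5   # version is an assumption
        with:
          command: release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Before this change: ${{ secrets.CARGO_REGISTRY_TOKEN }} (long-lived repo secret)
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

Two checks worth making before relying on this: the crates.io trusted publisher entry matches on repository owner, repository name and the workflow file name (plus an environment, if one is configured), so renaming the workflow file silently breaks minting; and because `permissions:` at job level replaces the defaults, `contents: write` must be listed explicitly alongside `id-token: write` or release-plz loses the ability to create the tag and release.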


Note

Medium Risk
Changes the crates.io publish authentication path in CI by minting an OIDC-based short-lived token, which could break releases if permissions or crates.io trusted publisher config are misaligned.

Overview
Updates the release-plz GitHub Actions workflow to publish to crates.io using trusted publishing.

Adds id-token: write permission, runs rust-lang/crates-io-auth-action to mint a short-lived crates.io token, and switches CARGO_REGISTRY_TOKEN from a long-lived repository secret to the action’s outputs.token.

Reviewed by Cursor Bugbot for commit fbdc9fe. Bugbot is set up for automated code reviews on this repo.

Replace the long-lived CARGO_REGISTRY_TOKEN secret with a short-lived
token minted via OIDC by rust-lang/crates-io-auth-action. Trusted
publishers for fnox and fnox-core are configured on crates.io to accept
tokens from this workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@gemini-code-assist (Contributor)

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@greptile-apps (Bot) commented May 17, 2026

Greptile Summary

This PR migrates crates.io publishing from a long-lived CARGO_REGISTRY_TOKEN repository secret to short-lived OIDC tokens via the rust-lang/crates-io-auth-action, reducing the credential attack surface.

  • Adds id-token: write at the workflow level and inserts the crates-io-auth-action step (pinned to a full commit SHA) immediately before the publish step, mapping its output token to CARGO_REGISTRY_TOKEN.

Confidence Score: 5/5

Safe to merge — the change is minimal, the action is pinned to a full commit SHA, and OIDC trusted publishing is strictly more secure than the long-lived token it replaces.

The diff touches a single CI workflow file: it adds the OIDC permission, pins the auth action to a verified commit SHA, and wires its short-lived output token into the existing env var. No application logic changes.

No files require special attention.

Important Files Changed

.github/workflows/release-plz.yml: Switches crates.io publishing from a long-lived secret token to OIDC short-lived tokens via rust-lang/crates-io-auth-action, pinned to a full commit SHA; adds id-token: write at workflow scope.

Reviews (1): Last reviewed commit: "ci(release-plz): use crates.io trusted p..."

@jdx jdx enabled auto-merge (squash) May 17, 2026 16:41
@jdx jdx merged commit ab82928 into main May 17, 2026
14 checks passed
@jdx jdx deleted the ci/crates-io-trusted-publishing branch May 17, 2026 16:53
