
fix: use CARGO_REGISTRY_TOKEN env var in release workflow #161

Merged
ElFantasma merged 1 commit into main from fix/release-env-token
Mar 13, 2026

Conversation

@ElFantasma
Collaborator

Summary

  • Replace deprecated cargo publish --token with CARGO_REGISTRY_TOKEN environment variable
  • Fixes authentication warnings in release workflow

Test plan

  • Verify release workflow uses env var on next publish

@github-actions

🤖 Kimi Code Review

Review of PR #161

This PR updates the release workflow to use environment variables for the crates.io token instead of passing it as a command-line argument.

Security Improvements ✅

  • Lines 20, 34, 48: Moving the token from command-line arguments to environment variables is a good security practice. This prevents the token from appearing in process listings or shell history.

Code Quality & Best Practices

  1. Duplicated Logic ⚠️

    • The same pattern is repeated 3 times (lines 19-28, 33-42, 47-56). Consider extracting this into a reusable action or script to reduce duplication and maintenance burden.
  2. Race Condition Mitigation

    • The 30-second sleep between publishes (lines 30, 44) is reasonable for allowing crates.io to process the previous publish before dependencies are checked.
  3. Error Handling

    • The grep check for "already exists" provides graceful handling of duplicate publish attempts.

Suggestions

  1. Use a matrix strategy to reduce duplication:

    strategy:
      matrix:
        package: [spawned-macros, spawned-rt, spawned-concurrency]
  2. Consider using cargo-workspaces or similar tools to manage the publish order and dependencies more elegantly.

The changes are minimal and focused, improving security without introducing any regressions. The PR looks good to merge.


Automated review by Kimi (Moonshot AI) · custom prompt

@ElFantasma ElFantasma merged commit 5449ec3 into main Mar 13, 2026
6 checks passed
@github-actions

🤖 Codex Code Review

No blocking findings in this PR.

cargo publish now reads the token from CARGO_REGISTRY_TOKEN instead of --token, which is the preferred pattern and avoids exposing secrets in command args:

Notes:

  • No actor-runtime, lifecycle, cancellation, timer, or message-passing code changed in this diff, so those framework-specific risks are not affected by this PR.
  • Existing grep -q "already exists" handling is brittle to Cargo wording changes, but that behavior predates this PR.

Automated review by OpenAI Codex · custom prompt

@github-actions

🤖 Claude Code Review

PR #161 Review: fix: use CARGO_REGISTRY_TOKEN env var in release workflow

State: Merged | Changes: +9/-3 in .github/workflows/release.yaml


Summary

This is a CI/workflow-only change. No Rust actor framework code is modified.

What Changed

Each of the three cargo publish steps was updated to:

  1. Remove --token ${{ secrets.CRATES_IO_TOKEN }} from the CLI invocation
  2. Set CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }} as an environment variable on each step

Assessment: Correct and Safe

Correctness: The change is correct. cargo publish --token was deprecated in favor of the CARGO_REGISTRY_TOKEN environment variable. The standard env var is the idiomatic approach for CI/CD pipelines and aligns with current Cargo documentation.

Security: Setting the token as an env var scoped to each step is marginally better than embedding it in a shell command, since tokens passed as CLI arguments can appear in process listings (ps aux). The scope is appropriately minimal — each step only has the env var it needs.

Consistency: All three publish steps (spawned-macros, spawned-rt, spawned-concurrency) are updated uniformly.

Error handling: The existing grep -q "already exists" idempotency guard is preserved correctly in all three steps.


Minor Observation

The CARGO_REGISTRY_TOKEN env var could alternatively be set once at the job level to reduce duplication, but per-step scoping is equally valid and arguably more explicit. No action required.


Verdict: Clean, correct change. No issues.


Automated review by Claude (Anthropic) · custom prompt

@greptile-apps
Contributor

greptile-apps bot commented Mar 13, 2026

Greptile Summary

This PR replaces the deprecated --token CLI flag on cargo publish with the CARGO_REGISTRY_TOKEN environment variable, which is the recommended way for Cargo to receive registry credentials. The change is applied consistently across all three publish steps (spawned-macros, spawned-rt, spawned-concurrency), with the secret scoped at the individual step level rather than the job level — a marginally tighter security posture since the token is only exposed during the actual publish commands.

Key changes:

  • Removes --token ${{ secrets.CRATES_IO_TOKEN }} from each cargo publish invocation
  • Adds a per-step env: CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }} block to each publish step
  • No changes to error-handling logic, package targets, or the underlying secret being used

Confidence Score: 5/5

  • This PR is safe to merge; it is a straightforward, non-breaking migration to the recommended Cargo authentication method.
  • The change is minimal and well-understood: CARGO_REGISTRY_TOKEN is Cargo's official env var for registry authentication, the underlying secret is unchanged, and the error-handling logic is untouched. No logic paths are altered.
  • No files require special attention.

Important Files Changed

Filename: .github/workflows/release.yaml
Overview: Replaces the deprecated --token CLI flag with the CARGO_REGISTRY_TOKEN env var (scoped per publish step) for each of the three crate publish steps; logic and secret source are unchanged.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([Release Published]) --> B[Checkout Code]
    B --> C[Set Up Rust Toolchain]
    C --> D["Publish spawned-macros\nenv: CARGO_REGISTRY_TOKEN"]
    D -- success --> E[Wait 30s for crates.io indexing]
    D -- already exists --> E
    D -- other error --> F([Exit 1])
    E --> G["Publish spawned-rt\nenv: CARGO_REGISTRY_TOKEN"]
    G -- success --> H[Wait 30s for crates.io indexing]
    G -- already exists --> H
    G -- other error --> I([Exit 1])
    H --> J["Publish spawned-concurrency\nenv: CARGO_REGISTRY_TOKEN"]
    J -- success --> K([Done])
    J -- already exists --> K
    J -- other error --> L([Exit 1])

Last reviewed commit: b794182
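
The reviews above describe the workflow only in prose (per-step env scoping, three dependency-ordered publishes, the "already exists" guard, the 30-second wait). The following is an added example of a release job built on that pattern; it is not the project's own .github/workflows/release.yaml. The crate names, the secret name CRATES_IO_TOKEN, the wait and the guard string come from the discussion; the trigger, the toolchain action, the job name and the single-loop layout that replaces the three duplicated steps are assumptions made for illustration.

```yaml
# Added example, not the project's release.yaml. Crate names, the 30 s wait,
# the "already exists" guard and the secret name CRATES_IO_TOKEN follow the PR
# discussion; trigger, toolchain action and job name are assumptions.
name: release

on:
  release:
    types: [published]

# Publishing to crates.io needs no GITHUB_TOKEN write scope; keep the job read-only.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable   # assumed; any step that installs cargo works

      # Before (the pattern the PR removed): the secret is expanded into the
      # step's shell command line, where it can surface in process listings
      # (ps) or in a shell trace (set -x) on the runner:
      #
      #   - run: cargo publish -p spawned-macros --token ${{ secrets.CRATES_IO_TOKEN }}
      #
      # After: Cargo reads CARGO_REGISTRY_TOKEN from its environment. The env
      # block is attached to this one step, so checkout, toolchain setup and any
      # later steps never see the token. Moving the same block to
      # jobs.publish.env would also work but would hand the token to every step.
      - name: Publish crates in dependency order
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
        run: |
          set -euo pipefail
          # Order matters: a crate must be on crates.io before a dependent
          # crate's publish can resolve it. One loop replaces three copies of
          # the same step and keeps the order explicit; a matrix would turn the
          # crates into independent jobs that run in parallel by default.
          for crate in spawned-macros spawned-rt spawned-concurrency; do
            if out=$(cargo publish -p "$crate" 2>&1); then
              printf '%s\n' "$out"
              echo "published $crate"
            elif [[ "$out" == *"already exists"* ]]; then
              # Re-running the workflow for a version that is already on
              # crates.io must not fail the release. This is the same string
              # match as the existing grep -q guard; if Cargo changes the
              # message the step fails instead of skipping, which is the safe
              # direction.
              echo "$crate: version already on crates.io, skipping"
            else
              printf '%s\n' "$out" >&2
              echo "publishing $crate failed" >&2
              exit 1
            fi
            # Give the registry time to index the new version before the next
            # crate tries to resolve it; nothing to wait for after the last one.
            [ "$crate" = spawned-concurrency ] || sleep 30
          done
```

Two caveats a practitioner should keep in mind. GitHub redacts `secrets.*` values in job logs whether they are passed as arguments or as env vars, so the gain from the env var is against process listings and shell traces on the runner, not against the log output. CARGO_REGISTRY_TOKEN applies to crates.io only; a custom registry reads CARGO_REGISTRIES_<NAME>_TOKEN instead. Newer Cargo releases (1.90 and later) can also publish several workspace members in one `cargo publish --workspace` invocation and handle the ordering and the index wait themselves; check `cargo publish --help` on the pinned toolchain before replacing the loop with it.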
