Commit 11ded9b

joshwilhelmi and claude committed
[gobby-cli-#962] ci: publish gwiki via CARGO_REGISTRY_TOKEN, not Trusted Publishing
release-gwiki.yml's publish job used GitHub OIDC Trusted Publishing (rust-lang/crates-io-auth-action + id-token: write + environment: crates-io), but crates.io has no Trusted Publishing config registered for gobby-wiki, and that config can only be created in the crates.io web UI, not via the CLI — so the gwiki-v0.6.5 publish failed with "No Trusted Publishing config found for repository GobbyAI/gobby-cli".

Switch gwiki to the same static CARGO_REGISTRY_TOKEN secret that already ships gobby-core, gcode, and ghook to the registry. Drop the OIDC auth step, the id-token permission, and the crates-io environment. Update the release guide accordingly.

Validated with actionlint.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 464d287 commit 11ded9b

2 files changed

Lines changed: 8 additions & 13 deletions

.github/workflows/release-gwiki.yml

Lines changed: 3 additions & 10 deletions
@@ -326,8 +326,6 @@ jobs:
326326
runs-on: ubuntu-latest
327327
permissions:
328328
contents: read
329-
id-token: write # Required for crates.io trusted publishing via GitHub OIDC.
330-
environment: crates-io
331329

332330
steps:
333331
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
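Review bot: Removing `environment: crates-io` from the publish job detaches it from the GitHub environment, so any protection rules configured on that environment (required reviewers, branch or tag restrictions) no longer gate the publish, and the replacement credential is a repository-level secret. Consider keeping `environment: crates-io` and storing `CARGO_REGISTRY_TOKEN` as an environment secret there, so the token is released only to this job. Removing `id-token: write` is right now that no step requests an OIDC token.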
@@ -355,7 +353,7 @@ jobs:
355353
echo "gobby-wiki ${version} not on crates.io (HTTP 404); will publish."
356354
echo "skip=false" >> "$GITHUB_OUTPUT"
357355
elif [ "$code" = "403" ]; then
358-
echo "::error::crates.io denied version check for gobby-wiki ${version}: HTTP 403 (curl exit ${curl_status}). Verify registry access and trusted publishing permissions." >&2
356+
echo "::error::crates.io denied version check for gobby-wiki ${version}: HTTP 403 (curl exit ${curl_status}). Verify registry access." >&2
359357
exit 1
360358
elif [ "$curl_status" -ne 0 ]; then
361359
echo "::error::crates.io version check failed (curl exit ${curl_status}, HTTP ${code:-unknown})." >&2
@@ -365,16 +363,11 @@ jobs:
365363
exit 1
366364
fi
367365
368-
- name: Authenticate to crates.io
369-
id: auth
370-
if: steps.published.outputs.skip != 'true'
371-
uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe
372-
373366
- name: Publish gobby-wiki to crates.io
374367
if: steps.published.outputs.skip != 'true'
375368
env:
376-
CRATES_IO_TOKEN: ${{ steps.auth.outputs.token }}
377-
run: cargo publish -p gobby-wiki --locked --token "$CRATES_IO_TOKEN"
369+
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
370+
run: cargo publish -p gobby-wiki --locked
378371

379372
release:
380373
needs: [build, publish]
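Review bot: The static `secrets.CARGO_REGISTRY_TOKEN` in the publish step's `env:` needs a stated scope and expiry, because it replaces the per-run token from the removed `Authenticate to crates.io` step and, per the commit message, is the same secret used for gobby-core, gcode and ghook. Confirm the crates.io token is limited to publishing updates for these four crates and has an expiration date, since a leak now affects all of them until it is revoked. Reading the token from the `CARGO_REGISTRY_TOKEN` environment variable instead of passing `--token` keeps it off the command line, which is fine.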

docs/guides/release-guide.md

Lines changed: 5 additions & 3 deletions
@@ -57,9 +57,11 @@ fires no event.
5757
The release workflows verify binary crate tag/version alignment where the
5858
installer expects GitHub assets. `gobby-core` has no binary artifact matrix.
5959

60-
The `gwiki` crates.io publish uses Trusted Publishing in the GitHub environment
61-
`crates-io`. The workflow obtains an OIDC token during the publish job, so no
62-
crates.io API token secret is needed for that release.
60+
All four crates publish to crates.io with the repository `CARGO_REGISTRY_TOKEN`
61+
secret via `cargo publish` (which reads the token from the environment). `gwiki`
62+
previously used GitHub OIDC Trusted Publishing, but that path needs a
63+
crates.io-side config that cannot be registered from the CLI, so its publish job
64+
now matches `gcode`/`ghook`/`gobby-core`.
6365

6466
## Local Install Check
6567

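Review bot: The new paragraph at guide lines 60-64 is missing any statement of who owns `CARGO_REGISTRY_TOKEN`, how it is scoped, and how it is rotated, which matters more now that all four crates depend on one long-lived secret. Add a sentence covering scope and rotation, and mention that the Trusted Publishing config can be registered in the crates.io web UI (as the commit message states), so readers know the OIDC path can be restored later.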