ci(deploy): trusted publishing #423

Merged
KSXGitHub merged 3 commits into master from claude/affectionate-babbage-kLc26
May 26, 2026

@KSXGitHub KSXGitHub commented May 26, 2026

Summary

Switch crates.io publishing from a long-lived API token to Trusted Publishing (OIDC).

  • The publish_cargo_crate job now uses rust-lang/crates-io-auth-action@v1 to exchange a GitHub OIDC token for a short-lived crates.io token at publish time, instead of cargo login with the CRATE_AUTH_TOKEN secret. The token is auto-revoked when the job ends, so no long-lived credential lives in the repository.
  • The job is bound to a release GitHub Actions environment so environment protection rules (e.g. required reviewers, tag restrictions) gate token issuance.

https://claude.ai/code/session_013tt2ucFPTnTnGGM1RLG19m

claude added 2 commits May 26, 2026 14:12
Replace the static CRATE_AUTH_TOKEN secret with OIDC-based Trusted
Publishing using rust-lang/crates-io-auth-action, which exchanges a
short-lived token at publish time instead of storing a long-lived
credential in the repository.

https://claude.ai/code/session_013tt2ucFPTnTnGGM1RLG19m

Bind the publish job to a "release" GitHub Actions environment so that
environment protection rules, such as required reviewers, gate the
issuance of the crates.io Trusted Publishing token.

https://claude.ai/code/session_013tt2ucFPTnTnGGM1RLG19m

github-actions Bot commented May 26, 2026

Performance Regression Reports

commit: 5d47f68

--quantity=apparent-size --max-depth=1 --min-ratio=0.01
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| pdu | 102.6 ± 13.5 | 90.7 | 125.7 | 1.12 ± 0.15 |
| pdu-0.20.0 | 91.4 ± 0.7 | 90.3 | 93.6 | 1.00 |

Logs
Benchmark 1: pdu
  Time (mean ± σ):     102.6 ms ±  13.5 ms    [User: 55.6 ms, System: 303.7 ms]
  Range (min … max):    90.7 ms … 125.7 ms    24 runs
 
Benchmark 2: pdu-0.20.0
  Time (mean ± σ):      91.4 ms ±   0.7 ms    [User: 53.8 ms, System: 302.3 ms]
  Range (min … max):    90.3 ms …  93.6 ms    32 runs
 
Summary
  pdu-0.20.0 ran
    1.12 ± 0.15 times faster than pdu

Copilot AI left a comment

Pull request overview

This PR updates the release deployment workflow to publish the crate to crates.io via OIDC-based Trusted Publishing, avoiding long-lived registry credentials stored as GitHub secrets.

Changes:

  • Switch crates.io authentication from cargo login with secrets.CRATE_AUTH_TOKEN to rust-lang/crates-io-auth-action@v1.
  • Pass the short-lived crates.io token to cargo publish via CARGO_REGISTRY_TOKEN.
  • Configure the publish job with a release environment and request id-token: write permissions for OIDC.

Comment thread .github/workflows/deploy.yaml
Specifying a job-level permissions block resets every unlisted scope to
none. Restore the contents:read access that actions/checkout relies on,
matching the build jobs in this workflow.

https://claude.ai/code/session_013tt2ucFPTnTnGGM1RLG19m

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@KSXGitHub KSXGitHub marked this pull request as ready for review May 26, 2026 14:55
@KSXGitHub KSXGitHub merged commit 3b728c1 into master May 26, 2026
15 of 16 checks passed
@KSXGitHub KSXGitHub deleted the claude/affectionate-babbage-kLc26 branch May 26, 2026 14:55
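
Added example, not part of this pull request or the repository's deploy.yaml: the publish job described in the summary and in the last commit message, shown before and after the change. The trigger, runner, checkout version, the `auth` step id and the `_before` job name are assumptions.

```yaml
# Added illustration; not the project's workflow file.
name: deploy
on:
  push:
    tags: ['*']          # assumed trigger

jobs:
  # Before: a long-lived crates.io API token stored as a repository secret.
  # Anyone who can read or exfiltrate the secret can publish until it is
  # manually revoked.
  publish_cargo_crate_before:        # hypothetical name for the old job
    runs-on: ubuntu-latest           # assumed runner
    steps:
      - uses: actions/checkout@v4    # assumed version
      - run: printf '%s\n' "$CRATE_AUTH_TOKEN" | cargo login
        env:
          CRATE_AUTH_TOKEN: ${{ secrets.CRATE_AUTH_TOKEN }}
      - run: cargo publish

  # After: Trusted Publishing. No registry secret exists in the repository.
  publish_cargo_crate:
    runs-on: ubuntu-latest           # assumed runner
    # Protection rules on this environment (required reviewers, tag
    # restrictions) must pass before the job starts, so they gate the
    # OIDC exchange below.
    environment: release
    # A job-level permissions block sets every unlisted scope to none,
    # so contents: read has to be listed for actions/checkout to work.
    permissions:
      contents: read
      id-token: write                # lets the job request a GitHub OIDC token
    steps:
      - uses: actions/checkout@v4    # assumed version
      # Exchanges the GitHub OIDC token for a short-lived crates.io token,
      # which is revoked when the job ends.
      - uses: rust-lang/crates-io-auth-action@v1
        id: auth                     # assumed step id
      - run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

Once the new job has published successfully, the old `CRATE_AUTH_TOKEN` secret can be deleted from the repository and the token revoked on crates.io, since nothing references it any more.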