From 9a93010fcfc5cb73421120d2eece02b33b4238fc Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 26 May 2026 14:12:25 +0000
Subject: [PATCH 1/3] ci: publish to crates.io via trusted publishing
Replace the static CRATE_AUTH_TOKEN secret with OIDC-based Trusted Publishing using rust-lang/crates-io-auth-action, which exchanges a short-lived token at publish time instead of storing a long-lived credential in the repository. https://claude.ai/code/session_013tt2ucFPTnTnGGM1RLG19m
---
 .github/workflows/deploy.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 8c6762f9..09b44482 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -469,6 +469,9 @@ jobs:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # needed for crates.io Trusted Publishing
+
 steps:
 - uses: actions/checkout@v6
@@ -479,11 +482,14 @@ jobs:
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > $installer
 bash $installer --default-toolchain $(cat rust-toolchain) -y
- - name: Login
- run: cargo login ${{ secrets.CRATE_AUTH_TOKEN }}
+ - name: Authenticate with crates.io
+ id: auth
+ uses: rust-lang/crates-io-auth-action@v1
 - name: Publish
 run: cargo publish
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
 competing_benchmark:
 name: Benchmark
From 12760591625c795bc897a3749aed38e946875d42 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 26 May 2026 14:30:12 +0000
Subject: [PATCH 2/3] ci: scope crate publishing to a protected environment
Bind the publish job to a "release" GitHub Actions environment so that environment protection rules, such as required reviewers, gate the issuance of the crates.io Trusted Publishing token. https://claude.ai/code/session_013tt2ucFPTnTnGGM1RLG19m
---
 .github/workflows/deploy.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 09b44482..6f0982de 100644
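Review bot: The new `uses: rust-lang/crates-io-auth-action@v1` line in the second hunk references the action by a mutable tag, and this is the step that receives the crates.io publishing credential, so whatever that tag points to at run time ends up holding a publish-capable token. Pin it to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: rust-lang/crates-io-auth-action@<full-commit-sha>  # v1`, and consider the same treatment for the other actions this job uses (the `actions/checkout@v6` context line above is outside this change). Placing `CARGO_REGISTRY_TOKEN` in the Publish step's `env:` rather than at job level keeps the token's exposure to that one step, which is the right scope. The publish job's header is above the first hunk.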
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -469,6 +469,8 @@ jobs:
 runs-on: ubuntu-latest
+ environment: release
+
 permissions:
 id-token: write # needed for crates.io Trusted Publishing
From cdb7238ab15e2a374dd025087d5ecc8a4579f222 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 26 May 2026 14:41:00 +0000
Subject: [PATCH 3/3] ci: grant contents:read to the publish job
Specifying a job-level permissions block resets every unlisted scope to none. Restore the contents:read access that actions/checkout relies on, matching the build jobs in this workflow. https://claude.ai/code/session_013tt2ucFPTnTnGGM1RLG19m
---
 .github/workflows/deploy.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 6f0982de..caeef8d7 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -472,6 +472,7 @@ jobs:
 environment: release
 permissions:
+ contents: read
 id-token: write # needed for crates.io Trusted Publishing
 steps:
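Review bot: `environment: release` in the first hunk only gates anything if that environment exists with protection rules configured, and the workflow side alone does not stop a token being minted for a run outside it — as far as I know the crates.io trusted-publisher configuration takes an optional environment name, and if that field is left unset crates.io will honour a token from any run of this workflow file regardless of environment. The commit message attributes the gating to the environment alone, so it is worth confirming both halves are set up and recording the coupling next to the new line, e.g. `environment: release  # must match the environment name in the crates.io trusted publisher config`. The existing `id-token: write # needed for …` inline comment has a single space before `#`; two is the yamllint convention if this block is touched again. The publish job's header is above this hunk.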