|
13 | 13 | # BEFORE the PR is merged, so a failed publish or failed smoke test |
14 | 14 | # leaves the unmerged PR for cleanup. |
15 | 15 | # |
16 | | -# Authenticates to crates.io with a long-lived API token issued under the |
17 | | -# Crypto Tools CI bot account, stored in the CARGO_REGISTRY_TOKEN repo |
18 | | -# secret and gated by the `crates-io-publish` GitHub environment. |
| 16 | +# Authenticates to crates.io via Trusted Publishing (OIDC): the |
| 17 | +# `rust-lang/crates-io-auth-action` step exchanges the workflow's GitHub |
| 18 | +# OIDC token for a short-lived crates.io token (automatically revoked |
| 19 | +# when the job ends), gated by the `crates-io-publish` GitHub |
| 20 | +# environment. No long-lived crates.io API token is stored in the repo. |
| 21 | +# crates.io must be configured with a Trusted Publisher for this crate |
| 22 | +# pointing at this repo, the `rust-release.yml` workflow, and the |
| 23 | +# `crates-io-publish` environment. |
19 | 24 | name: Rust Release |
20 | 25 |
|
21 | 26 | on: |
@@ -79,11 +84,15 @@ jobs: |
79 | 84 | working-directory: releases/rust/db_esdk |
80 | 85 | run: cargo publish --dry-run |
81 | 86 |
|
| 87 | + - name: Authenticate to crates.io (Trusted Publishing / OIDC) |
| 88 | + id: auth |
| 89 | + uses: rust-lang/crates-io-auth-action@v1 |
| 90 | + |
82 | 91 | - name: Cargo publish |
83 | 92 | shell: bash |
84 | 93 | working-directory: releases/rust/db_esdk |
85 | 94 | env: |
86 | | - CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} |
| 95 | + CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} |
87 | 96 | run: cargo publish |
88 | 97 |
|
89 | 98 | - name: Configure AWS Credentials for test_published.sh |
|
0 commit comments