
Add OIDC trusted-publishing workflow for crates.io#3

Merged
zbowling merged 1 commit into main from feature/publish-workflow on May 22, 2026

Conversation

@zbowling

Contributor

Adds .github/workflows/publish.yml that publishes clap_types to crates.io whenever a GitHub Release is published from a v* tag. Also exposes a manual workflow_dispatch trigger for one-off publishes.

Authentication

Uses crates.io's trusted publishing via rust-lang/crates-io-auth-action@v1. GitHub Actions presents an OIDC token; crates.io exchanges it for a short-lived publish credential. No long-lived CARGO_REGISTRY_TOKEN secret to rotate or leak.

Required one-time setup on crates.io

Before this workflow can succeed, a maintainer needs to register the trusted publisher on the crate at https://crates.io/crates/clap_types/settings with:

  • Repository owner: facebook
  • Repository name: clap_types
  • Workflow filename: publish.yml
  • Environment (optional): leave blank

Until that's registered, the auth step fails fast with a clear error and the publish never runs.

Trigger model

on:
  release:
    types: [published]
  workflow_dispatch:

Plus a tag-shape guard so a release made against an unrelated tag can't accidentally publish:

if: github.event_name == 'workflow_dispatch' || startsWith(github.event.release.tag_name, 'v')

Release flow

  1. Bump version in Cargo.toml and merge.
  2. Create a GitHub Release with tag vX.Y.Z (matching the Cargo.toml version).
  3. Publishing this Release fires the workflow; it auths via OIDC and runs cargo publish.

Manual fallback: trigger from the Actions tab → Publish to crates.io → Run workflow.

Adds .github/workflows/publish.yml that publishes clap_types to crates.io when a GitHub Release is published from a v* tag. Also exposes a manual workflow_dispatch trigger.

Uses crates.io's OIDC trusted publishing via rust-lang/crates-io-auth-action@v1, so there's no long-lived CARGO_REGISTRY_TOKEN secret to rotate or leak. The trusted publisher needs to be registered on the crate at https://crates.io/crates/clap_types/settings before the workflow can succeed; without it, the auth step fails fast with a clear error and the publish never runs.
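The trigger model, tag-shape guard and OIDC exchange described above, written out as a complete workflow. This is an added illustration, not the PR's own publish.yml (the file itself is not shown on this page); the tag-versus-Cargo.toml version check is an extra step the PR does not describe, and the `token` output name of the auth action and the `clap_types` package name are assumptions.

```yaml
name: Publish to crates.io

on:
  release:
    types: [published]
  workflow_dispatch:

permissions:
  contents: read   # the workflow never needs to write to the repository

jobs:
  publish:
    # Tag-shape guard from the PR description: a release made against an
    # unrelated tag must not reach cargo publish.
    if: github.event_name == 'workflow_dispatch' || startsWith(github.event.release.tag_name, 'v')
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets this job request a GitHub OIDC token for crates.io
      contents: read
    steps:
      - uses: actions/checkout@v4

      # Hypothetical extra guard (not in the PR): refuse to publish when the
      # release tag and Cargo.toml disagree on the version, so a mis-tagged
      # release cannot push the wrong crate version.
      - name: Check release tag matches Cargo.toml version
        if: github.event_name == 'release'
        env:
          TAG: ${{ github.event.release.tag_name }}
        run: |
          crate_version=$(cargo metadata --no-deps --format-version 1 \
            | jq -r '.packages[] | select(.name == "clap_types") | .version')
          [ "$TAG" = "v$crate_version" ] || {
            echo "tag $TAG does not match Cargo.toml version $crate_version" >&2
            exit 1
          }

      # Exchanges the job's OIDC token for a short-lived crates.io publish
      # token; this is the step that fails fast when the trusted publisher
      # has not been registered on the crate yet.
      - name: Authenticate with crates.io
        id: auth
        uses: rust-lang/crates-io-auth-action@v1

      - name: Publish
        run: cargo publish --locked
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

The job-level `id-token: write` is the only elevated permission, and the token it yields is scoped to this one publish rather than living in repository secrets.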
Copilot AI review requested due to automatic review settings May 19, 2026 20:23
@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Meta Open Source bot. label May 19, 2026

Copilot AI left a comment


Pull request overview

Adds a GitHub Actions workflow to publish clap_types to crates.io using crates.io trusted publishing via OIDC, fitting into the repository’s release process without requiring a long-lived registry token.

Changes:

  • Adds release and manual workflow triggers for publishing.
  • Grants OIDC permissions and authenticates with rust-lang/crates-io-auth-action.
  • Runs cargo publish using the short-lived token from the auth step.


@zbowling zbowling merged commit 3535667 into main May 22, 2026
13 checks passed
@zbowling zbowling deleted the feature/publish-workflow branch May 26, 2026 23:56