Add OIDC trusted-publishing workflow for crates.io #3
Merged
Adds .github/workflows/publish.yml that publishes clap_types to crates.io when a GitHub Release is published from a v* tag. Also exposes a manual workflow_dispatch trigger. Uses crates.io's OIDC trusted publishing via rust-lang/crates-io-auth-action@v1, so there's no long-lived CARGO_REGISTRY_TOKEN secret to rotate or leak. The trusted publisher needs to be registered on the crate at https://crates.io/crates/clap_types/settings before the workflow can succeed; without it, the auth step fails fast with a clear error and the publish never runs.
Pull request overview
Adds a GitHub Actions workflow to publish clap_types to crates.io using crates.io trusted publishing via OIDC, fitting into the repository’s release process without requiring a long-lived registry token.
Changes:
- Adds release and manual workflow triggers for publishing.
- Grants OIDC permissions and authenticates with `rust-lang/crates-io-auth-action`.
- Runs `cargo publish` using the short-lived token from the auth step.
Adds `.github/workflows/publish.yml` that publishes `clap_types` to crates.io whenever a GitHub Release is published from a `v*` tag. Also exposes a manual `workflow_dispatch` trigger for one-off publishes.

Authentication

Uses crates.io's trusted publishing via `rust-lang/crates-io-auth-action@v1`. GitHub Actions presents an OIDC token; crates.io exchanges it for a short-lived publish credential. No long-lived `CARGO_REGISTRY_TOKEN` secret to rotate or leak.

Required one-time setup on crates.io

Before this workflow can succeed, a maintainer needs to register the trusted publisher on the crate at https://crates.io/crates/clap_types/settings with:

- Repository owner: `facebook`
- Repository name: `clap_types`
- Workflow filename: `publish.yml`

Until that's registered, the auth step fails fast with a clear error and the publish never runs.

Trigger model

Plus a tag-shape guard so a release made against an unrelated tag can't accidentally publish:

Release flow

1. Bump `version` in `Cargo.toml` and merge.
2. Publish a GitHub Release tagged `vX.Y.Z` (matching the Cargo.toml version).
3. The workflow runs `cargo publish`.

Manual fallback: trigger from the Actions tab → Publish to crates.io → Run workflow.
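The workflow shape the description above sketches, written out as an added example rather than the PR's own `publish.yml` (whose contents this page does not reproduce). The `id-token: write` permission and the `token` output of `rust-lang/crates-io-auth-action@v1` follow that action's documented usage; the job name, the toolchain and checkout actions, the `contents: read` permission, the exact form of the tag guard, and the single-package `cargo metadata` version cross-check are assumptions.

```yaml
# Added example of the workflow shape described above; not the PR's own file.
name: Publish to crates.io

on:
  release:
    types: [published]
  workflow_dispatch:

# Least privilege: read the repo and mint an OIDC token, nothing else.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable

      # Tag-shape guard plus version cross-check (assumed form, not the PR's).
      # The tag name is passed through an env var rather than interpolated
      # into the script, so an unusual tag name cannot become shell syntax.
      - name: Verify release tag
        if: github.event_name == 'release'
        env:
          TAG: ${{ github.event.release.tag_name }}
        run: |
          case "$TAG" in
            v[0-9]*.[0-9]*.[0-9]*) ;;
            *) echo "refusing to publish from tag '$TAG'"; exit 1 ;;
          esac
          # Assumes a single package in the workspace.
          crate_version="$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[0].version')"
          if [ "$TAG" != "v$crate_version" ]; then
            echo "tag $TAG does not match Cargo.toml version $crate_version"; exit 1
          fi

      # Exchange the job's GitHub OIDC token for a short-lived crates.io token.
      # Fails fast if no trusted publisher is registered for this repo/workflow.
      - id: auth
        uses: rust-lang/crates-io-auth-action@v1

      - run: cargo publish
        env:
          # Short-lived token from the auth step; no stored secret to rotate.
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

A manual `workflow_dispatch` run skips the tag check entirely, so keep that trigger restricted to maintainers through the repository's Actions and branch settings.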