chore(github): use trusted publishing

jvatic · jvatic · commit 15dfed55751b · 2025-08-14T09:20:26.000-04:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -215,6 +215,9 @@ jobs:
     name: Publish to crates.io
     needs: create-release
     runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write  # Required for OIDC token exchange with crates.io
 
     steps:
       - uses: actions/checkout@v4
@@ -234,10 +237,14 @@ jobs:
           fi
           echo "CARGO_VERSION=$CARGO_VERSION" >> $GITHUB_ENV
 
+      - name: Authenticate with crates.io
+        uses: rust-lang/crates-io-auth-action@v1
+        id: auth
+
       - name: Publish to crates.io
         run: |
           # Try to publish, but don't fail if the version already exists
-          cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }} --verbose || {
+          cargo publish --verbose || {
             EXIT_CODE=$?
             # Check if it failed because the version already exists
             cargo search sql-schema --limit 1 | grep -q "sql-schema = \"$CARGO_VERSION\"" && {
@@ -248,4 +255,4 @@ jobs:
             exit $EXIT_CODE
           }
         env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
