From 75d67da9fee3374612a19a834dcc8286f6bcabb6 Mon Sep 17 00:00:00 2001
From: funcpp <48622976+funcpp@users.noreply.github.com>
Date: Wed, 13 May 2026 08:50:18 +0900
Subject: [PATCH] ci: use Trusted Publishing for crates.io instead of long-lived token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

crates.io added OIDC Trusted Publishing for GitHub Actions in July 2025. This brings crates.io in line with PyPI (which the publish-pypi job already uses) and removes the need to store a CARGO_REGISTRY_TOKEN secret in the repo — the workflow exchanges a GitHub-issued OIDC token for a 30-minute crates.io access token at publish time. Before this can run on a real tag, register the Trusted Publisher on crates.io: sqllineage crate → Settings → Trusted Publishing → add GitHub repo funcpp/sqllineage, workflow release.yml, environment crates-io.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 78fbeee..9aa5ca2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -124,9 +124,17 @@ jobs:
 needs: [build, test]
 runs-on: ubuntu-latest
 environment: crates-io
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v6
 - uses: dtolnay/rust-toolchain@stable
- - run: cargo publish -p sqllineage --token ${{ secrets.CARGO_REGISTRY_TOKEN }}
+ - uses: rust-lang/crates-io-auth-action@v1
+ id: auth
+
+ - run: cargo publish -p sqllineage
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
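Review bot: The added `permissions: id-token: write` applies to every step of this job, yet the new `rust-lang/crates-io-auth-action@v1` step and the unchanged `dtolnay/rust-toolchain@stable` and `actions/checkout@v6` steps before it are referenced by mutable tag or branch, so a moved ref would run unreviewed code in a job that can request the OIDC token and exchange it for a crates.io publish token. Pin each action to a full commit SHA with the tag as a trailing comment, e.g. `- uses: rust-lang/crates-io-auth-action@<full-commit-sha>  # v1`. Checkout only needs to read the tree here, so setting `persist-credentials: false` under its `with:` is cheap extra hardening. The diff cannot show it, but the old `CARGO_REGISTRY_TOKEN` repository secret should also be deleted and the token revoked on crates.io, otherwise the long-lived credential this commit retires stays valid. The job's header line and any `if:` condition lie outside the hunk.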