
ci: publish to crates.io via trusted publishing (OIDC) #41

Merged: smorin merged 1 commit into main from ci/crates-trusted-publishing on Jun 6, 2026

Conversation

smorin (Owner) commented Jun 6, 2026

Switches the publish-crates job to crates.io Trusted Publishing (OIDC) — no stored API token.

Changes to the job

  • environment: crates (matches the per-crate Trusted Publisher config)
  • permissions: { id-token: write, contents: read } (mint the OIDC token; the top-level contents: write doesn't grant id-token)
  • rust-lang/crates-io-auth-action@bbd8162 # v1.0.4 mints a 30-min token, passed to each cargo publish via CARGO_REGISTRY_TOKEN
  • Removed the secrets.CARGO_REGISTRY_TOKEN env + the token-presence check

Setup state

  • crates GitHub environment exists in the repo.
  • togl-lib bootstrapped (manual 0.0.0 publish — crates.io TP requires the crate to exist before a Trusted Publisher can be configured; no pending-publisher flow like PyPI).
  • ⚠️ Confirm a Trusted Publisher is configured for both togl-lib and togl on crates.io (repo smorin/toggle, workflow release.yml, environment crates). The workflow publishes both, so both need it.

Notes

  • actionlint clean.
  • First real publish fires on the next release tag (v0.6.0): the job publishes togl-lib then togl via OIDC.
  • Gotcha: if you add deployment-branch protection to the crates environment, allow tags — this workflow is tag-triggered, and branch rules can block tag deployments.

Summary by CodeRabbit

  • Chores
    • Enhanced security of the release publishing process through updated authentication mechanisms for crate publication.

…cret

Switch the publish-crates job to crates.io Trusted Publishing:
- run in `environment: crates` (matches the per-crate Trusted Publisher config)
- grant `id-token: write` (mint the OIDC token) + `contents: read`
- mint a short-lived token with `rust-lang/crates-io-auth-action` and pass it to
  each `cargo publish` via CARGO_REGISTRY_TOKEN
- remove the `secrets.CARGO_REGISTRY_TOKEN` env and the token-presence check

No stored API token is needed anymore. Trusted Publishers must exist on
crates.io for both `togl-lib` and `togl` (repo smorin/toggle, workflow
release.yml, environment `crates`); togl-lib was bootstrapped with a manual
0.0.0 publish since crates.io TP requires the crate to exist first.

Refs P11.
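The publish-crates job as the PR description and commit message above describe it, written out as an added example (not the repository's own release.yml). The workflow name, tag trigger, checkout step and step names are assumptions; the environment, permissions, action pin, publish order and CARGO_REGISTRY_TOKEN plumbing are the values given above.

```yaml
name: release
on:
  push:
    tags: ["v*"]   # tag-triggered, as the PR notes

# Workflow-level contents: write does not grant id-token; the job must request it.
permissions:
  contents: write

jobs:
  publish-crates:
    runs-on: ubuntu-latest
    # Must match the environment named in each crate's Trusted Publisher on crates.io.
    # If deployment-branch protection is added to this environment, allow tags.
    environment: crates
    permissions:
      id-token: write   # lets the job mint the GitHub OIDC token
      contents: read    # narrowed from the workflow-level write
    steps:
      - uses: actions/checkout@v4

      # Before this change the job carried a long-lived secret:
      #   env:
      #     CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
      # plus a step that failed if the secret was empty. Both are gone.

      # Exchanges the job's OIDC token for a crates.io token valid ~30 minutes.
      # Pin to the full commit SHA in a real workflow; abbreviated here as in the PR.
      - name: Authenticate with crates.io (Trusted Publishing)
        id: auth
        uses: rust-lang/crates-io-auth-action@bbd8162 # v1.0.4

      # Each publish step reads the short-lived token from the action's output.
      - name: Publish togl-lib
        run: cargo publish -p togl-lib
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

      # togl is published after togl-lib, matching the order the PR describes.
      - name: Publish togl
        run: cargo publish -p togl
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

The token exchange only succeeds if a Trusted Publisher for the crate lists this exact repository, workflow file and environment, which is the check the description asks to confirm for both crates.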
Copilot AI review requested due to automatic review settings June 6, 2026 06:21
coderabbitai (Bot) commented Jun 6, 2026


No actionable comments were generated in the recent review. 🎉


Commits: reviewing files that changed from the base of the PR and between 32740db and 23fac87.

Files selected for processing (2):
  • .github/workflows/release.yml
  • PROJECTS.md

Walkthrough

The PR migrates the release workflow from API-token-based crates.io authentication to OIDC Trusted Publishing. The publish-crates job now requests an OIDC token, authenticates via rust-lang/crates-io-auth-action, and passes the resulting registry token to publish steps. Documentation is updated to guide maintainers through the Trusted Publisher setup.

Changes: OIDC Trusted Publishing Setup

  • Workflow OIDC authentication and publish (.github/workflows/release.yml): Job configuration targets the crates environment and requests id-token: write; a new authentication step mints the OIDC token via crates-io-auth-action; the togl-lib and togl publish steps now use the token from the auth action output instead of an environment secret.
  • Project release documentation (PROJECTS.md): Maintainer setup instructions replaced: removes the CARGO_REGISTRY_TOKEN secret requirement and adds Trusted Publisher configuration per crate with the crates environment and the smorin/toggle + release.yml repo/workflow pairing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 From secrets to trust with just a token's sleight,
We mint with OIDC, no vault in sight.
The rabbit hops forward, the crates.io gate swings wide,
OIDC Trusted Publishing—publish with pride! 🔐✨

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and concisely summarizes the main change: switching CI publishing to crates.io via trusted publishing (OIDC) instead of stored API tokens.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment

Pull request overview

Updates the release workflow to publish the Rust crates to crates.io using Trusted Publishing (OIDC) instead of a long-lived CARGO_REGISTRY_TOKEN secret, aligning the CI release pipeline with crates.io’s recommended authentication model.

Changes:

  • Switch publish-crates to run in the crates GitHub environment with id-token: write permissions for OIDC.
  • Add rust-lang/crates-io-auth-action to mint a short-lived crates.io token and pass it to cargo publish via CARGO_REGISTRY_TOKEN.
  • Update project documentation to reflect Trusted Publishing setup steps and remove API-token-secret guidance.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • PROJECTS.md: Updates the publishing project plan/manual steps to reflect crates.io Trusted Publishing (OIDC) and the required per-crate Trusted Publisher setup.
  • .github/workflows/release.yml: Reworks the publish-crates job to authenticate via OIDC using crates-io-auth-action and removes the dependency on a stored crates.io API token secret.


@smorin smorin merged commit c9a4e45 into main Jun 6, 2026
22 checks passed
@smorin smorin deleted the ci/crates-trusted-publishing branch June 6, 2026 06:34