From 29b716d60a361d8329db84b8053b55ead2a61bc2 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Wed, 11 Feb 2026 22:20:59 +0000
Subject: [PATCH] ci: Add trusted-publishing workflow for crates.io releases

Synchronize the trusted-publishing workflow from:
https://github.com/bootc-dev/containers-image-proxy-rs

This enables automated publishing to crates.io when version tags (v*) are pushed,
using OIDC-based authentication via rust-lang/crates-io-auth-action.

Assisted-by: OpenCode (Claude Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
---
 .github/workflows/cratesio-release.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .github/workflows/cratesio-release.yml

diff --git a/.github/workflows/cratesio-release.yml b/.github/workflows/cratesio-release.yml
new file mode 100644
index 0000000..96568fc
--- /dev/null
+++ b/.github/workflows/cratesio-release.yml
@@ -0,0 +1,17 @@
+# See https://crates.io/docs/trusted-publishing
+name: Publish to crates.io
+on:
+  push:
+    tags: ['v*']  # Triggers when pushing tags starting with 'v'
+jobs:
+  publish:
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write     # Required for OIDC token exchange
+    steps:
+    - uses: actions/checkout@v6
+    - uses: rust-lang/crates-io-auth-action@v1
+      id: auth
+    - run: cargo publish
+      env:
+        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}