From 0d2cc83ba29b43fbf368fd5d16fb61c3680c85cd Mon Sep 17 00:00:00 2001
From: Louis Pahlavi <louis.pahlavi@dfinity.org>
Date: Mon, 2 Feb 2026 11:23:58 +0100
Subject: [PATCH] ci: configure trusted publishing

---
 .github/workflows/publish.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9574350..da5ba21 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,6 +11,7 @@ jobs:
     permissions:
       pull-requests: write
       contents: write
+      id-token: write # Required for OIDC token exchange
     concurrency:
       group: publish
       cancel-in-progress: true
@@ -23,6 +24,10 @@ jobs:
       - name: "Install parse-changelog"
         uses: taiki-e/install-action@parse-changelog
 
+      - name: "Authenticate with crates.io"
+        id: auth
+        uses: rust-lang/crates-io-auth-action@v1
+
       - name: "Run release-plz"
         id: release-plz
         uses: release-plz/action@8724d33cd97b8295051102e2e19ca592962238f5 # v0.5.108
@@ -30,7 +35,7 @@ jobs:
           command: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
 
       - name: "Generate Github release body"
         env: