fix: use oidc-token output for cargo publish auth

.github/workflows/publish.yml

@@ -1,7 +1,8 @@
 # Security notes:
-# - GitHub-owned actions (actions/checkout) use tag pins
-# - Third-party actions (jfrog/setup-jfrog-cli) are pinned to full commit SHAs
-# - Rust toolchain comes from the runner's pre-installed rustup
+# - GitHub-owned actions use tag pins, third-party actions use SHA pins
+# - Only two external actions: actions/checkout (GitHub-owned) and
+#   jfrog/setup-jfrog-cli (allowlisted, handles OIDC auth)
+# - Rust toolchain uses the runner's pre-installed rustup
 # - The publish environment requires the anthropic-1.49.0 branch
 name: Publish to Artifactory
 
@@ -27,90 +28,48 @@ jobs:
           rustup show
 
       - name: Setup JFrog CLI
+        id: setup-jfrog
         uses: jfrog/setup-jfrog-cli@ff5cb544114ffc152db9cea1cd3d5978d5074946  # v4.5.11
         env:
           JF_URL: https://artifactory.infra.ant.dev
         with:
           oidc-provider-name: github
           oidc-audience: jfrog-github
 
-      - name: Configure Cargo
+      - name: Configure Cargo Registry
         run: |
-          ARTIFACTORY_TOKEN=$(jf config show | grep "Access Token" | awk '{print $3}')
-
-          # Store token for later steps
-          echo "ARTIFACTORY_TOKEN=${ARTIFACTORY_TOKEN}" >> $GITHUB_ENV
-
-          # Configure registry (no credential-provider -- we'll handle auth explicitly)
           mkdir -p ~/.cargo
           cat >> ~/.cargo/config.toml << 'EOF'
           [registries.crates-internal]
           index = "sparse+https://artifactory.infra.ant.dev/artifactory/api/cargo/crates-internal/index/"
+          credential-provider = ["cargo:token"]
           EOF
 
-      - name: Debug - Verify Artifactory Access
+      - name: Debug - Verify Access
+        env:
+          CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN: "Bearer ${{ steps.setup-jfrog.outputs.oidc-token }}"
         run: |
-          echo "=== JFrog CLI Config ==="
-          jf config show | grep -v "Token" || true
+          echo "=== Token check ==="
+          echo "Token length: ${#CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN}"
+          echo "Token starts with Bearer: $(echo "$CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN" | grep -c '^Bearer ')"
 
           echo ""
-          echo "=== Token format check ==="
-          # Show first 20 chars of token (safe to log partial token for format debugging)
-          TOKEN_PREFIX=$(echo "Bearer ${ARTIFACTORY_TOKEN}" | head -c 20)
-          echo "Token starts with: ${TOKEN_PREFIX}..."
-          echo "Token length: ${#ARTIFACTORY_TOKEN} (without Bearer prefix)"
+          echo "=== JFrog CLI ping ==="
+          jf rt ping
 
           echo ""
           echo "=== Cargo config ==="
-          cat ~/.cargo/config.toml || true
-
-          echo ""
-          echo "=== Cargo credentials ==="
-          cat ~/.cargo/credentials.toml 2>/dev/null || echo "(no credentials.toml)"
+          cat ~/.cargo/config.toml
 
           echo ""
-          echo "=== Test: curl sparse index for tokio (with auth, should succeed) ==="
-          curl -sv -H "Authorization: Bearer ${ARTIFACTORY_TOKEN}" \
+          echo "=== curl test (with auth) ==="
+          curl -sI -H "Authorization: ${CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN}" \
             "https://artifactory.infra.ant.dev/artifactory/api/cargo/crates-internal/index/to/ki/tokio" \
-            2>&1 | grep -E "< HTTP|< WWW-Auth|Authorization:|{" || true
-
-          echo ""
-          echo "=== Test: curl sparse index for tokio (no auth, expect 401) ==="
-          curl -sv \
-            "https://artifactory.infra.ant.dev/artifactory/api/cargo/crates-internal/index/to/ki/tokio" \
-            2>&1 | grep -E "< HTTP|< WWW-Auth|{" || true
-
-          echo ""
-          echo "=== Test: JFrog CLI check permissions ==="
-          jf rt curl -XGET "/api/cargo/crates-internal/index/to/ki/tokio" 2>&1 | head -10 || true
-
-          echo ""
-          echo "=== Cargo registry list ==="
-          cargo config get registries 2>/dev/null || true
-
-          echo ""
-          echo "=== ARTIFACTORY_TOKEN env var (redacted) ==="
-          echo "ARTIFACTORY_TOKEN is set: $([ -n \"${ARTIFACTORY_TOKEN}\" ] && echo yes || echo no)"
+            2>&1 | grep -E "HTTP|WWW-Auth" || true
 
       - name: Publish tokio to Artifactory
+        env:
+          CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN: "Bearer ${{ steps.setup-jfrog.outputs.oidc-token }}"
         run: |
           cd tokio
-
-          echo "=== Attempt 1: env var auth ==="
-          export CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN="Bearer ${ARTIFACTORY_TOKEN}"
-          if cargo publish --registry crates-internal --allow-dirty 2>&1; then
-            echo "SUCCESS: env var auth worked"
-            exit 0
-          fi
-          echo "FAILED: env var auth did not work"
-          unset CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN
-
-          echo ""
-          echo "=== Attempt 2: cargo login auth ==="
-          cargo login --registry crates-internal <<< "Bearer ${ARTIFACTORY_TOKEN}"
-          if cargo publish --registry crates-internal --allow-dirty 2>&1; then
-            echo "SUCCESS: cargo login auth worked"
-            exit 0
-          fi
-          echo "FAILED: cargo login auth did not work either"
-          exit 1
+          cargo publish --registry crates-internal --allow-dirty