ci(publish): switch cargo publishing to trusted OIDC auth (#403)

dev-jodee · greptile-apps[bot] · web-flow · commit bc96e859fc03 · 2026-03-27T13:09:19.000-04:00
* ci(publish): switch cargo publishing to trusted OIDC auth

Replace long-lived KORA_CLI_REGISTRY_TOKEN API token with crates.io
trusted publishing via GitHub Actions OIDC identity tokens.

Adds id-token: write permission and removes CARGO_REGISTRY_TOKEN env
vars from both publish steps. The operator must add a trusted publisher
entry on crates.io for kora-lib and kora-cli pointing to this workflow
before the next publish run.

* Update .github/workflows/rust-publish.yml

Co-authored-by: greptile-apps[bot] &lt;165735046+greptile-apps[bot]@users.noreply.github.com&gt;

* fix(ci): remove duplicate jobs key and scope id-token permission

The Greptile suggestion was applied incorrectly, inserting a duplicate
top-level jobs: key. YAML last-key-wins semantics caused the id-token:
write permission block to be silently discarded, leaving cargo publish
with no auth mechanism.

Fix: remove the duplicate jobs/publish block and add the permissions
block directly under the single publish job. Also update CLAUDE.md to
remove the stale KORA_CLI_REGISTRY_TOKEN secret reference.

---------

Co-authored-by: Jo D &lt;dev-jodee@users.noreply.github.com&gt;
Co-authored-by: greptile-apps[bot] &lt;165735046+greptile-apps[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/rust-publish.yml b/.github/workflows/rust-publish.yml
@@ -30,6 +30,9 @@ jobs:
   publish:
     name: Publish Kora crates to crates.io
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - name: Guard main branch for release publish
         run: |
@@ -89,8 +92,6 @@ jobs:
         run: |
           echo "📦 Publishing kora-lib@${{ steps.version.outputs.version }} to crates.io..."
           cargo publish -p kora-lib --locked
-        env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.KORA_CLI_REGISTRY_TOKEN }}
 
       - name: Wait for kora-lib to be available on crates.io
         if: ${{ github.event.inputs.publish-kora-lib == 'true' }}
@@ -103,8 +104,6 @@ jobs:
         run: |
           echo "📦 Publishing kora-cli@${{ steps.version.outputs.version }} to crates.io..."
           cargo publish -p kora-cli --locked
-        env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.KORA_CLI_REGISTRY_TOKEN }}
 
       - name: Create GitHub Release
         if: ${{ github.event.inputs.create-github-release == 'true' }}
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -278,7 +278,7 @@ Kora uses synchronized versioning where all workspace crates share the same vers
 - Both crates published together in dependency order
 
 **GitHub Secrets Required:**
-- `KORA_CLI_REGISTRY_TOKEN` - crates.io API token for publishing
+- None — publishing uses crates.io trusted publishing via GitHub Actions OIDC (no API token needed)
 
 ### Claude Skill: Full Release Automation
 
