
fix(ci): wire trusted publishing token into cargo publish#409

Merged
dev-jodee merged 2 commits into main from fix/trusted-publish-auth-token on Mar 27, 2026

Conversation


@dev-jodee dev-jodee commented Mar 27, 2026

Summary

  • add crates.io trusted publisher auth step via rust-lang/crates-io-auth-action@v1
  • pass the temporary token as CARGO_REGISTRY_TOKEN to both Rust publish steps
  • keep existing branch guards/versioning/tag flow unchanged

Why

  • previous run failed with no token found during cargo publish
  • this wires OIDC exchange output into cargo exactly as crates.io docs expect

Test Plan

  • workflow-only change, validated against failing run logs and crates.io trusted publishing docs
  • re-run Publish Rust Crates from main after merge


@dev-jodee dev-jodee requested a review from amilz as a code owner March 27, 2026 19:26

github-actions bot commented Mar 27, 2026

📊 TypeScript Coverage Report

Coverage: 33.9%

Coverage artifacts have been uploaded to this workflow run.


@devin-ai-integration devin-ai-integration bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.



greptile-apps bot commented Mar 27, 2026

Greptile Summary

This PR fixes a broken cargo publish workflow by wiring OIDC-based trusted publishing authentication into the Publish Rust Crates workflow. The approach — using rust-lang/crates-io-auth-action to exchange an OIDC token with crates.io and passing it as CARGO_REGISTRY_TOKEN — exactly matches the crates.io trusted publishing documentation.

Key changes and observations:

  • A new auth step (gated on either publish flag being set) correctly precedes both cargo publish steps
  • The existing id-token: write permission at the job level was already present, so no permission changes are required
  • Token auto-revocation is handled by the action's post step after the job completes
  • The 30-second sleep between kora-lib and kora-cli publish is well within any token lifetime
  • The one minor concern is that rust-lang/crates-io-auth-action@v1 uses a mutable floating tag rather than a pinned commit SHA — while rust-lang is a verified creator, SHA-pinning is the standard hardening practice for actions that receive id-token: write permission

Confidence Score: 5/5

Safe to merge — the change is minimal, correct, and follows crates.io trusted publishing documentation exactly.

All findings are P2. The fix directly matches the official crates.io trusted publishing example. Conditional logic, token scoping, and permissions are all correct.

No files require special attention beyond the optional SHA-pinning suggestion on line 96.

Important Files Changed

Filename: .github/workflows/rust-publish.yml
Overview: Adds OIDC-based crates.io trusted publisher auth step and wires the resulting token into both cargo publish steps; logic and conditional guards are correct and match official crates.io trusted publishing docs exactly.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions Runner
    participant OIDC as GitHub OIDC Provider
    participant CI as crates.io Auth API
    participant CR as crates.io Registry

    GHA->>OIDC: Request OIDC token (id-token: write)
    OIDC-->>GHA: JWT token
    GHA->>CI: Exchange JWT (crates-io-auth-action@v1)
    CI-->>GHA: Temporary CARGO_REGISTRY_TOKEN
    GHA->>CR: cargo publish kora-lib (CARGO_REGISTRY_TOKEN)
    CR-->>GHA: Published ✅
    GHA->>GHA: sleep 30s (index propagation)
    GHA->>CR: cargo publish kora-cli (CARGO_REGISTRY_TOKEN)
    CR-->>GHA: Published ✅
    GHA->>CI: Revoke token (post step)

Reviews (1): Last reviewed commit: "fix(ci): wire trusted publishing token i..."
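The workflow shape described in the PR summary and in the Greptile review, reconstructed here as an added example (this is not the repository's actual rust-publish.yml): the trusted-publishing exchange step gated on either publish flag, the short-lived token passed as CARGO_REGISTRY_TOKEN to both publish steps, and the auth action pinned to a commit SHA as the review suggests. The input names publish_lib and publish_cli, the `-p` package selection, and the placeholder SHA are assumptions; the real action exposes the token as the `token` output.

```yaml
name: Publish Rust Crates

on:
  workflow_dispatch:
    inputs:
      publish_lib:   # assumed flag name; the real inputs are not shown on the page
        type: boolean
        default: false
      publish_cli:   # assumed flag name
        type: boolean
        default: false

permissions:
  contents: read     # default for the workflow; only the publish job gets id-token

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # needed for the OIDC exchange; the PR says this was already present
    steps:
      - uses: actions/checkout@v4

      # Exchange the runner's OIDC JWT for a temporary crates.io token.
      # The PR uses the floating @v1 tag; a hardened workflow pins the full commit SHA
      # (placeholder below, resolve it from the action's release) so the ref cannot move.
      # The action's post step revokes the token after the job completes.
      - name: Authenticate with crates.io (trusted publishing)
        if: ${{ inputs.publish_lib || inputs.publish_cli }}
        id: auth
        uses: rust-lang/crates-io-auth-action@<PINNED_COMMIT_SHA>  # placeholder SHA

      - name: Publish kora-lib
        if: ${{ inputs.publish_lib }}
        run: cargo publish -p kora-lib   # assumes a workspace; -p is cargo's package selector
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

      # kora-cli depends on kora-lib, so wait for the index to pick up the new version.
      - name: Wait for index propagation
        if: ${{ inputs.publish_lib && inputs.publish_cli }}
        run: sleep 30

      - name: Publish kora-cli
        if: ${{ inputs.publish_cli }}
        run: cargo publish -p kora-cli
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

Because the token lives only in the job's environment and is revoked by the action's post step, nothing persists in repository secrets; a reviewer checking this file should confirm the `if:` guards match on every step so that a gated-off publish never runs with an unset token.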


amilz
amilz previously approved these changes Mar 27, 2026
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@dev-jodee dev-jodee merged commit b8603bc into main Mar 27, 2026
3 checks passed
@dev-jodee dev-jodee deleted the fix/trusted-publish-auth-token branch March 27, 2026 19:37