fix(ci): pin crates.io auth action to valid commit #410

Merged
dev-jodee merged 1 commit into main from fix/trusted-publish-action-pin
Mar 27, 2026

dev-jodee commented Mar 27, 2026

Summary

  • replace invalid crates-io-auth-action SHA with a valid pinned commit for v1.0.4
  • keep the trusted publishing token wiring unchanged

Why

  • publish rerun failed in setup with:
    • Unable to resolve action rust-lang/crates-io-auth-action@2d789f...
  • this unblocks workflow startup so trusted publishing can execute

Test Plan

  • rerun Publish Rust Crates from main after merge
  • verify publish steps run instead of failing in setup

dev-jodee requested a review from amilz as a code owner March 27, 2026 19:44
@github-actions

📊 TypeScript Coverage Report

Coverage: 33.9%

Coverage artifacts have been uploaded to this workflow run.

dev-jodee merged commit 2456d07 into main Mar 27, 2026
4 checks passed
dev-jodee deleted the fix/trusted-publish-action-pin branch March 27, 2026 19:45

devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

greptile-apps bot commented Mar 27, 2026

Greptile Summary

This PR fixes a broken CI workflow by replacing an invalid pinned commit SHA for the rust-lang/crates-io-auth-action with the correct SHA for v1.0.4, unblocking the Publish Rust Crates workflow.

  • Updates rust-lang/crates-io-auth-action SHA from the invalid 2d789f72ce8ec8eee70e84c7f0a1b68cd52b6e8e (labelled v1.0.3) to bbd81622f20ce9e2dd9622e3218b975523e45bbe (v1.0.4)
  • The new SHA is confirmed valid: the GitHub releases page for rust-lang/crates-io-auth-action shows bbd8162 as the tagged commit for v1.0.4 (released March 23, 2026, signed with GitHub's verified signature)
  • No other workflow logic, permissions, or token wiring is changed

Confidence Score: 5/5

Safe to merge — minimal, verified fix to a broken workflow step.

The change is a single-line SHA pin update with no logic changes. The replacement SHA bbd81622f20ce9e2dd9622e3218b975523e45bbe is confirmed to be the v1.0.4 release commit for rust-lang/crates-io-auth-action per the upstream GitHub releases page. No P0 or P1 issues were identified.

No files require special attention.

Important Files Changed

Filename: .github/workflows/rust-publish.yml
Overview: Single-line change: updates crates-io-auth-action pinned SHA to the verified v1.0.4 commit. No logic or security changes.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Auth as rust-lang/crates-io-auth-action@v1.0.4
    participant Crates as crates.io

    GH->>Auth: OIDC token exchange (id-token: write)
    Auth-->>GH: CARGO_REGISTRY_TOKEN
    GH->>Crates: cargo publish -p kora-lib --locked
    GH->>Crates: cargo publish -p kora-cli --locked
    Crates-->>GH: publish confirmation

Reviews (1): Last reviewed commit: "fix(ci): pin crates.io auth action to va..."
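
The failure this PR fixes (a well-formed 40-hex pin that upstream cannot resolve) can be caught before merge by comparing each `uses:` pin against `git ls-remote --tags` output for the action's repository. The following is an added example, not code from this PR or repository; the workflow steps and the `ls-remote` sample are constructed, and the `# vX.Y.Z` trailing-comment label convention is an assumption.

```python
import re

# Matches `uses: owner/repo@ref  # label`; local and docker:// actions are skipped.
USES_RE = re.compile(r"uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<ref>\S+)(?:\s+#\s*(?P<label>\S+))?")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed `git ls-remote --tags` output. Only the peeled v1.0.4 commit SHA
# comes from the PR; the tag-object hash on the first line is made up.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v1.0.4\n"
    "bbd81622f20ce9e2dd9622e3218b975523e45bbe\trefs/tags/v1.0.4^{}\n"
)
# Constructed workflow steps carrying the old and new pins named in the PR.
OLD_STEP = "- uses: rust-lang/crates-io-auth-action@2d789f72ce8ec8eee70e84c7f0a1b68cd52b6e8e # v1.0.3"
NEW_STEP = "- uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4"


def parse_ls_remote(output):
    """Map tag name -> commit SHA. Annotated tags list the tag object first,
    then a peeled `^{}` line with the commit; the commit is what gets pinned."""
    tags = {}
    for line in output.strip().splitlines():
        sha, ref = line.split()
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            tags[name[:-3]] = sha          # peeled commit overrides tag object
        else:
            tags.setdefault(name, sha)     # lightweight tag: already a commit
    return tags


def check_pins(workflow_text, tags_by_action):
    """Return (action, ref, problem) for every pin that fails the check."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action, ref, label = m["action"], m["ref"], m["label"]
        tags = tags_by_action.get(action, {})
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((action, ref, "not a full 40-hex commit SHA"))
        elif ref not in tags.values():
            findings.append((action, ref, "SHA matches no upstream tag commit"))
        elif label and tags.get(label) != ref:
            findings.append((action, ref, f"label {label} names a different commit"))
    return findings


if __name__ == "__main__":
    upstream = {"rust-lang/crates-io-auth-action": parse_ls_remote(SAMPLE_LS_REMOTE)}
    for step in (OLD_STEP, NEW_STEP):
        print(check_pins(step, upstream) or "ok")
```

A pin to an untagged upstream commit is also reported by this check, so treat that finding as a prompt for manual review rather than proof that the SHA is unresolvable.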
