ci: use trusted publishing

Author: galargh

.github/workflows/release.yml

@@ -20,12 +20,14 @@ defaults:
 jobs:
   release:
     runs-on: ubuntu-latest
-    # The permissions should allow the user to:
-    # 1. Push to the branch of the repository that triggered the workflow.
-    # 2. Create a tag.
-    # 3. Push to crates.io.
     permissions:
+      # The contents write should allow:
+      # 1. Push to the branch of the repository that triggered the workflow.
+      # 2. Create a tag.
+      # 3. Push to crates.io.
       contents: write
+      # The id-token write should allow the OIDC token exchange
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - name: Install required packages
@@ -34,9 +36,11 @@ jobs:
         run: cargo install --version 0.25.17 cargo-release
       - name: Set git user
         run: |
-          git config --global user.email "${GITHUB_TRIGGERING_ACTOR}@users.noreply.github.com>"
+          git config --global user.email "${GITHUB_TRIGGERING_ACTOR}@users.noreply.github.com"
           git config --global user.name "${GITHUB_TRIGGERING_ACTOR}"
+      - uses: rust-lang/crates-io-auth-action@v1
+        id: auth
       - name: Run cargo release
         env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
         run: cargo release ${{ github.event.inputs.level }} --no-confirm --execute