fix: trusted publishing authentication (#30)

Signed-off-by: Wolf Vollprecht <[email protected]>

Author: wolfv

.github/workflows/interop.yml

@@ -14,6 +14,9 @@ jobs:
   interop:
     name: Interoperability Tests
     runs-on: ubuntu-latest
+    # Only run on push, workflow_dispatch, or PRs from the same repo (not forks)
+    # Fork PRs don't have access to OIDC tokens needed for signing
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     permissions:
       id-token: write  # Required for OIDC token
       contents: read

.github/workflows/release-plz.yml

@@ -15,6 +15,7 @@ jobs:
     concurrency:
       group: release-plz-release
       cancel-in-progress: false
+
     # Permissions needed for:
     # - contents: write - create GitHub releases
     # - pull-requests: write - update PRs
@@ -23,12 +24,16 @@ jobs:
       contents: write
       pull-requests: write
       id-token: write
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: rust-lang/crates-io-auth-action@v1
+        id: auth
+
       - name: Install Rust toolchain
         uses: dtolnay/[email protected]
 
@@ -38,8 +43,7 @@ jobs:
           command: release
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}
-          # Uses trusted publishing via OIDC (id-token: write permission)
-          # No CARGO_REGISTRY_TOKEN needed
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
 
   # Create a PR with the new versions and changelog, preparing the next release.
   release-plz-pr: