feat: use trusted publishing (#22)

wolfv · web-flow · commit f5be11f853b3 · 2025-12-17T10:28:14.000+01:00
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
@@ -10,6 +10,7 @@ jobs:
   release-plz-release:
     name: Release-plz release
     runs-on: ubuntu-latest
+    environment: crates-io
     # Prevent multiple releases from running at the same time
     concurrency:
       group: release-plz-release
@@ -37,7 +38,8 @@ jobs:
           command: release
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          # Uses trusted publishing via OIDC (id-token: write permission)
+          # No CARGO_REGISTRY_TOKEN needed
 
   # Create a PR with the new versions and changelog, preparing the next release.
   release-plz-pr:
@@ -64,4 +66,3 @@ jobs:
           command: release-pr
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
