
chore: use trusted publishing for cargo releases#816

Merged
jdx merged 1 commit into
mainfrom
chore/cargo-trusted-publishing
May 31, 2026

Conversation

jdx (Owner) commented May 31, 2026

Summary

  • grant id-token: write to the release-plz publish job
  • remove the long-lived CARGO_REGISTRY_TOKEN from cargo publishing
  • update the workflow comment to describe crates.io trusted publishing

Validation

  • actionlint .github/workflows/release-plz.yml

Note: the crates.io trusted publisher must be configured for each existing workspace crate to trust endevco/aube and .github/workflows/release-plz.yml. New crates still need their first publish done manually before trusted publishing can take over.

This PR was generated by Codex.


Note

Medium Risk
Publishing now depends on per-crate crates.io trusted-publisher configuration; misconfiguration would block releases until fixed, though the change is limited to CI credentials.

Overview
The release-plz release job on main now publishes workspace crates to crates.io via OIDC trusted publishing instead of a long-lived registry secret.

It adds id-token: write on that job so GitHub Actions can mint the token crates.io expects, drops CARGO_REGISTRY_TOKEN from the release-plz step env, and updates the workflow comment to describe trusted publishing. GitHub release tagging and AUBE_GH_TOKEN usage are unchanged.

Each crate still needs a one-time crates.io trusted-publisher setup for this repo and workflow before publishes succeed without the old secret.

Reviewed by Cursor Bugbot for commit aeaa6a7.

Summary by CodeRabbit

  • Chores
    • Improved release process security by updating publishing workflow to use trusted publishing for crate uploads, eliminating manual token handling.
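The workflow shape the description refers to, written out as a constructed illustration added here (it is not the repository's actual .github/workflows/release-plz.yml): the removed long-lived secret is shown commented out beside the id-token grant that replaces it, with the workflow-level default left at contents: read. The action reference release-plz/action@v0.5, the checkout/toolchain steps and the GITHUB_TOKEN mapping for AUBE_GH_TOKEN are assumptions, not taken from the page.

```yaml
# Constructed illustration of the pattern described in the PR; not the
# repository's real release-plz.yml. The crates.io side is out of band:
# each existing crate must have a trusted publisher that names the
# repository (endevco/aube) and this workflow file (release-plz.yml).
name: release-plz

on:
  push:
    branches: [main]

# Workflow-level default stays read-only; only the publish job is widened.
permissions:
  contents: read

jobs:
  release-plz-release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets GitHub Actions mint the OIDC token that crates.io exchanges
      # for a short-lived publish token. Scoped to this job only, so the
      # blast radius is limited to the release step.
      id-token: write
    steps:
      - uses: actions/checkout@v4        # assumed step
        with:
          fetch-depth: 0
      - uses: dtolnay/rust-toolchain@stable   # assumed step
      - name: Run release-plz
        uses: release-plz/action@v0.5    # assumed action reference
        with:
          command: release
        env:
          # Assumed: AUBE_GH_TOKEN is passed for GitHub release tagging,
          # which this PR leaves unchanged.
          GITHUB_TOKEN: ${{ secrets.AUBE_GH_TOKEN }}
          # Removed by this PR. release-plz performs the OIDC exchange
          # itself once id-token: write is granted, so the long-lived
          # registry secret no longer needs to exist in the repository:
          # CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
```

A crate with no trusted publisher configured on crates.io for this repository and workflow file fails at the publish step until that one-time setup is done, which is the medium-risk item the description flags.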

coderabbitai Bot commented May 31, 2026

Walkthrough

The release workflow is reconfigured to use crates.io trusted publishing instead of token-based authentication. The release-plz-release job gains id-token: write permission for OIDC token generation, the CARGO_REGISTRY_TOKEN environment variable is removed, and inline documentation is updated to reflect the new dependency-order publishing behavior.

Changes

Trusted Publishing Migration

Layer: Trusted Publishing Setup
File(s): .github/workflows/release-plz.yml
Summary: Documentation, job permissions, and environment configuration are aligned to enable crates.io trusted publishing: inline comment updated to describe the new publishing method, id-token permission added to the job, and CARGO_REGISTRY_TOKEN variable removed from the action step.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15 minutes

Poem

🐰 The tokens flee, the OIDC flows so free,
With id-tokens trusted, no secrets left to see,
One workflow hops to safety's door,
Trusted publishing forevermore! 🔐

Pre-merge checks: 5 passed

  • Title check: Passed. The title 'chore: use trusted publishing for cargo releases' accurately describes the main change: updating the workflow to use trusted publishing instead of long-lived tokens for crates.io uploads.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.


greptile-apps Bot (Contributor) commented May 31, 2026

Greptile Summary

This PR migrates cargo publishing from a long-lived CARGO_REGISTRY_TOKEN repository secret to crates.io OIDC trusted publishing. The only changes are adding id-token: write to the release-plz-release job's permissions and removing CARGO_REGISTRY_TOKEN from the step environment.

  • release-plz natively implements the OIDC token exchange when id-token: write is present, so no additional action or env var is needed — this matches the official release-plz trusted publishing docs exactly.
  • The permission is scoped to only the release-plz-release job, keeping the blast radius minimal; the workflow-level default remains contents: read.
  • As noted in the PR description, each existing workspace crate must still have the crates.io trusted publisher configured to point at endevco/aube / .github/workflows/release-plz.yml, and new crates require a manual first publish — these are crates.io platform constraints, not workflow issues.

Confidence Score: 5/5

Safe to merge — the change is minimal, well-scoped, and follows the release-plz trusted publishing guide precisely.

A two-line workflow change: one permission added, one secret env var removed. release-plz's own documentation describes this exact pattern as the correct way to enable crates.io OIDC trusted publishing, and the permission is narrowly scoped to the single job that needs it. The only prerequisite (configuring the trusted publisher on crates.io for each existing crate) is an out-of-band operational step that has no bearing on the correctness of the workflow itself.

No files require special attention.

Important Files Changed

Filename: .github/workflows/release-plz.yml
Overview: Switches cargo publishing from a long-lived CARGO_REGISTRY_TOKEN secret to crates.io OIDC trusted publishing by adding id-token: write to the release-plz-release job and removing the secret env var; follows release-plz's documented approach exactly.

Reviews (1): Last reviewed commit: "chore: use trusted publishing for cargo ..."

@jdx jdx merged commit a80f94b into main May 31, 2026
20 checks passed
@jdx jdx deleted the chore/cargo-trusted-publishing branch May 31, 2026 15:55