publish.yaml: switch to crates.io trusted publishing (OIDC)#128

Open
JasoonS wants to merge 1 commit into main from ci/trusted-publishing

Conversation

Collaborator

@JasoonS JasoonS commented May 17, 2026

Summary

Switches the crates.io publish workflow from a long-lived CARGO_REGISTRY_TOKEN secret to OIDC-based trusted publishing.

All four crates owned by JasoonS and published from this repo now have a trusted publisher configured on crates.io pointing at enviodev/hypersync-client-rust + .github/workflows/publish.yaml:

  • hypersync-format
  • hypersync-schema
  • hypersync-net-types
  • hypersync-client

Changes

  • Add id-token: write to permissions: so GitHub Actions issues the OIDC token. contents: write is retained because this workflow still creates a git tag and a GitHub release.
  • Insert a rust-lang/crates-io-auth-action@v1 step (id: auth) before the publish step.
  • Source CARGO_REGISTRY_TOKEN for the publish step from ${{ steps.auth.outputs.token }} instead of ${{ secrets.CARGO_REGISTRY_TOKEN }}.
  • Drop the unused VERBOSE: true env var.

Other parts of the workflow (version check, tag/release creation, the capnproto apt install needed by hypersync-net-types's build.rs) are preserved unchanged.

Follow-up

Once a publish run on this branch (or after merge) succeeds via OIDC, the CARGO_REGISTRY_TOKEN repo/org secret can be deleted; trusted publishing supersedes it.

No GitHub Actions environment is required by the trusted publisher config. One can be added later (set it both in the crates.io publisher settings and as environment: on this job) if reviewer-approved publishes become desired.

Test plan

  • Manually dispatch the workflow for one crate (e.g. hypersync-format after a version bump) and confirm the OIDC auth step succeeds and the publish completes.
  • Verify the crates.io UI shows the published version was via Trusted Publishing.
  • Delete the CARGO_REGISTRY_TOKEN secret.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Summary by CodeRabbit

  • Chores
    • Updated crate publishing workflow authentication mechanism and adjusted workflow security permissions to enhance the security of the release process.

Commit message

All four crates (hypersync-format, hypersync-schema,
hypersync-net-types, hypersync-client) now have this repo +
publish.yaml configured as a Trusted Publisher on crates.io.
This commit updates the workflow to:

- Request `id-token: write` permission so GitHub Actions issues
  the OIDC token the auth action exchanges for a temporary
  crates.io API token. `contents: write` is retained because
  this workflow still creates a git tag and a GitHub release.
- Run rust-lang/crates-io-auth-action@v1 instead of relying on
  the long-lived CARGO_REGISTRY_TOKEN secret.
- Drop the unused VERBOSE env var.

After this PR merges, the CARGO_REGISTRY_TOKEN repo/org secret
can be deleted - trusted publishing supersedes it. No GitHub
environment is required by the trusted publisher config; one can
be added later by setting it in both the crates.io publisher
settings and as `environment:` on this job, if reviewer approval
on publishes becomes desired.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
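The job shape the description and commit message lay out, as an added illustration (constructed here; it is not the repository's publish.yaml): the long-lived-secret pattern the PR removes is shown commented out beside the OIDC pattern it adds. The crate input, the checkout step and the publish command are assumptions; the step id, the action and the token output name come from the PR text.

```yaml
# Constructed illustration, not the repository's actual publish.yaml.
name: publish

on:
  workflow_dispatch:
    inputs:
      crate:
        description: "Crate to publish (e.g. hypersync-format)"  # assumed input
        required: true

# A top-level permissions block resets every unlisted scope to none,
# so only the two scopes this job actually needs are granted.
permissions:
  contents: write   # retained: the job still creates a git tag and a GitHub release
  id-token: write   # lets GitHub Actions mint the OIDC token the auth action exchanges

jobs:
  publish-crate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed step

      # Before: a long-lived crates.io API token held as a repo/org secret.
      # Anyone who can read the secret, or a leaked copy of it, can publish
      # from anywhere, indefinitely, until the token is revoked.
      # - name: Publish
      #   run: cargo publish -p ${{ inputs.crate }}
      #   env:
      #     CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

      # After: exchange the job's OIDC token for a temporary crates.io token.
      # The exchange only succeeds for a workflow that matches the trusted
      # publisher configured on crates.io (this repo + .github/workflows/publish.yaml),
      # so there is no standing secret left to leak. The review on this PR
      # suggests pinning the action to a full commit SHA instead of the v1 tag.
      - name: Authenticate with crates.io
        id: auth
        uses: rust-lang/crates-io-auth-action@v1

      - name: Publish
        run: cargo publish -p ${{ inputs.crate }}   # assumed publish command
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```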
Contributor

coderabbitai Bot commented May 17, 2026

Walkthrough

The workflow's crates publishing job was updated to authenticate with crates.io using rust-lang/crates-io-auth-action@v1 and obtain CARGO_REGISTRY_TOKEN from the action output. Workflow permissions were adjusted to add id-token: write to enable the auth action's token exchange flow.

Changes

Crates.io Authentication
  • Layer: Workflow permissions and crates.io auth action integration
  • File(s): .github/workflows/publish.yaml
  • Summary: Workflow permissions updated to include id-token: write for OpenID Connect token exchange, and the crates publishing job now uses rust-lang/crates-io-auth-action@v1 to authenticate with crates.io, sourcing CARGO_REGISTRY_TOKEN from the action output instead of repository secrets.

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: switching the publish workflow to use crates.io trusted publishing via OIDC instead of a long-lived token secret.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In @.github/workflows/publish.yaml:
- Line 68: Replace the mutable tag for the crates auth action with an immutable
commit SHA: find the uses: rust-lang/crates-io-auth-action@v1 entry and change
it to uses: rust-lang/crates-io-auth-action@<full-commit-sha> where
<full-commit-sha> is the exact 40-character commit hash from the action
repository (pick the desired release commit) so the workflow references a
pinned, immutable revision instead of the v1 tag.
📥 Commits

Reviewing files that changed from the base of the PR and between b5b519e and db28340.

📒 Files selected for processing (1)
  • .github/workflows/publish.yaml


      - name: Authenticate with crates.io
        id: auth
        uses: rust-lang/crates-io-auth-action@v1

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mutable action refs still exist in workflow files.
rg -nP '^\s*uses:\s*[^@\s]+@(v?\d+(\.\d+){0,2}|main|master)$' .github/workflows

Repository: enviodev/hypersync-client-rust

Length of output: 157


Pin the auth action to a full commit SHA.

Line 68 uses a mutable tag (rust-lang/crates-io-auth-action@v1). Pinning to an immutable commit SHA reduces supply-chain risk for the publish path.

Suggested hardening change
-      - name: Authenticate with crates.io
-        id: auth
-        uses: rust-lang/crates-io-auth-action@v1
+      - name: Authenticate with crates.io
+        id: auth
+        uses: rust-lang/crates-io-auth-action@<FULL_COMMIT_SHA>
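Review bot: the `uses:` line in this hunk still carries the placeholder `<FULL_COMMIT_SHA>`, which is not a resolvable ref, so the workflow would fail to load until the 40-hex commit that the v1 tag currently resolves to is substituted. When that is done, keep the tag name in a trailing comment (`uses: rust-lang/crates-io-auth-action@<FULL_COMMIT_SHA> # v1`) so the pin stays auditable and dependency-update tooling can still recognise which release it corresponds to.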
