feat(ci): use OIDC Trusted Publishing for crates.io (#501)

joshrotenberg · web-flow · commit 6e44176a4fba · 2025-12-16T10:30:26.000-08:00
- Add id-token: write permission for OIDC token exchange
- Remove CARGO_REGISTRY_TOKEN requirement
- Trusted publishers configured on crates.io for all 4 workspace crates:
  redisctl, redis-cloud, redis-enterprise, redisctl-config
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
@@ -3,6 +3,7 @@ name: Release-plz
 permissions:
   pull-requests: write
   contents: write
+  id-token: write
 
 on:
   push:
@@ -31,4 +32,5 @@ jobs:
         uses: MarcoIeni/release-plz-action@v0.5
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          # Uses OIDC Trusted Publishing - no CARGO_REGISTRY_TOKEN needed
+          # Trusted publishers configured on crates.io for all workspace crates
