From f508a8ac579e019562c64fbfb6284ab41d9c5522 Mon Sep 17 00:00:00 2001
From: Denis Cornehl <denis@cornehl.org>
Date: Mon, 1 Jun 2026 06:10:48 +0200
Subject: [PATCH] set up trusted publishing

---
 .github/workflows/release.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1f9ab41..07b4aa7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,10 +6,13 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    environment: publish
+    permissions:
+      id-token: write  # Required for OIDC token exchange
     steps:
-      - uses: actions/checkout@v4
-      - name: Publish to crates.io
-        run: |
-          cargo publish
+      - uses: actions/checkout@v6
+      - uses: rust-lang/crates-io-auth-action@v1
+        id: auth
+      - run: cargo publish
         env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}