
publish.yaml: switch to crates.io trusted publishing (OIDC)#128

Open
JasoonS wants to merge 2 commits into main from ci/trusted-publishing

Conversation

@JasoonS
Collaborator

@JasoonS JasoonS commented May 17, 2026

Summary

Switches the crates.io publish workflow from a long-lived CARGO_REGISTRY_TOKEN secret to OIDC-based trusted publishing.

All four crates owned by JasoonS and published from this repo now have a trusted publisher configured on crates.io pointing at enviodev/hypersync-client-rust + .github/workflows/publish.yaml:

  • hypersync-format
  • hypersync-schema
  • hypersync-net-types
  • hypersync-client

Changes

  • Add id-token: write to permissions: so GitHub Actions issues the OIDC token. contents: write is retained because this workflow still creates a git tag and a GitHub release.
  • Insert a rust-lang/crates-io-auth-action@v1 step (id: auth) before the publish step.
  • Source CARGO_REGISTRY_TOKEN for the publish step from ${{ steps.auth.outputs.token }} instead of ${{ secrets.CARGO_REGISTRY_TOKEN }}.
  • Drop the unused VERBOSE: true env var.

Other parts of the workflow (version check, tag/release creation, the capnproto apt install needed by hypersync-net-types's build.rs) are preserved unchanged.

Follow-up

Once a publish run on this branch (or after merge) succeeds via OIDC, the CARGO_REGISTRY_TOKEN repo/org secret can be deleted; trusted publishing supersedes it.

No GitHub Actions environment is required by the trusted publisher config. One can be added later (set it both in the crates.io publisher settings and as environment: on this job) if reviewer-approved publishes become desired.

Test plan

  • Manually dispatch the workflow for one crate (e.g. hypersync-format after a version bump) and confirm the OIDC auth step succeeds and the publish completes.
  • Verify the crates.io UI shows the published version was via Trusted Publishing.
  • Delete the CARGO_REGISTRY_TOKEN secret.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Summary by CodeRabbit

  • Chores
    • Updated the crate publishing workflow to use a more secure authentication flow for obtaining the registry token during releases.
    • Adjusted workflow permissions to enable the new auth exchange, improving release robustness and security while streamlining token handling.
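The change described above, as an added example: this is not the repository's actual publish.yaml but a minimal GitHub Actions job that shows the long-lived-secret wiring being replaced next to the OIDC wiring that replaces it. The job and step names, the `crate` dispatch input, the `-p` publish invocation and the `actions/checkout` step are assumptions; `rust-lang/crates-io-auth-action`, its `token` output, `id-token: write` and `CARGO_REGISTRY_TOKEN` are as the PR describes them. It also carries the commit-SHA pinning the review comment further down asks for, with a placeholder in place of the real hash.

```yaml
# Added example (not the repository's own publish.yaml): a minimal
# GitHub Actions job contrasting the long-lived-token flow this PR
# removes with the OIDC trusted-publishing flow it introduces.
# Job/step names and the `crate` input are assumptions.
name: publish

on:
  workflow_dispatch:
    inputs:
      crate:
        description: "Crate to publish (for example hypersync-format)"
        required: true

# BEFORE: only `contents: write` (needed to create the git tag and the
# GitHub release); the crates.io credential came from a repository secret
# that never expired and had to be rotated by hand.
#
# permissions:
#   contents: write
#
# AFTER: `id-token: write` lets the runner request a short-lived OIDC
# token for this exact repo + workflow. `contents: write` stays because
# the tag/release steps still need it; nothing else is widened.
permissions:
  contents: write
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for a temporary crates.io token.
      # crates.io only honours the exchange when the crate has a Trusted
      # Publisher entry naming this repository and this workflow file, so
      # a workflow copied into another repo cannot publish these crates.
      #
      # Supply-chain note raised in this PR's review: prefer pinning the
      # action to a full 40-character commit SHA over the mutable v1 tag:
      #   uses: rust-lang/crates-io-auth-action@<full-commit-sha>  # v1
      # (<full-commit-sha> is a placeholder; take it from the action repo.)
      - id: auth
        uses: rust-lang/crates-io-auth-action@v1

      # BEFORE:
      #   env:
      #     CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
      #     VERBOSE: true          # unused; dropped by this PR
      #
      # AFTER: the token is the auth step's output. It is scoped to this
      # run and expires with it, so there is no standing secret to leak,
      # rotate, or delete from the org once the OIDC path is proven.
      - name: cargo publish
        run: cargo publish -p ${{ inputs.crate }}
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

The defender-side check after the first OIDC publish is the one the test plan names: the crates.io version page should show the release as made via Trusted Publishing, and only then should the old `CARGO_REGISTRY_TOKEN` secret be removed, so a failed exchange never leaves the release path without a working credential.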

Review Change Stack

All four crates (hypersync-format, hypersync-schema,
hypersync-net-types, hypersync-client) now have this repo +
publish.yaml configured as a Trusted Publisher on crates.io.
This commit updates the workflow to:

- Request `id-token: write` permission so GitHub Actions issues
  the OIDC token the auth action exchanges for a temporary
  crates.io API token. `contents: write` is retained because
  this workflow still creates a git tag and a GitHub release.
- Run rust-lang/crates-io-auth-action@v1 instead of relying on
  the long-lived CARGO_REGISTRY_TOKEN secret.
- Drop the unused VERBOSE env var.

After this PR merges, the CARGO_REGISTRY_TOKEN repo/org secret
can be deleted - trusted publishing supersedes it. No GitHub
environment is required by the trusted publisher config; one can
be added later by setting it in both the crates.io publisher
settings and as `environment:` on this job, if reviewer approval
on publishes becomes desired.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai
Contributor

coderabbitai Bot commented May 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between db28340 and edb1410.

📒 Files selected for processing (1)
  • .github/workflows/publish.yaml

📝 Walkthrough

Walkthrough

The workflow's crates publishing job now authenticates with crates.io via rust-lang/crates-io-auth-action@v1, sourcing CARGO_REGISTRY_TOKEN from the action output. Workflow-level permissions were updated to add id-token: write alongside contents: write.

Changes

Crates.io Authentication
  • Layer: Workflow permissions and crates.io auth action integration
  • File(s): .github/workflows/publish.yaml
  • Summary: Workflow permissions updated to include id-token: write for OIDC token exchange, and the crates publishing job now uses rust-lang/crates-io-auth-action@v1, setting CARGO_REGISTRY_TOKEN from steps.auth.outputs.token instead of a repository secret.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately captures the main change: switching from long-lived secrets to OIDC-based Trusted Publishing for crates.io, which is the core objective of the PR.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yaml:
- Line 68: Replace the mutable tag for the crates auth action with an immutable
commit SHA: find the uses: rust-lang/crates-io-auth-action@v1 entry and change
it to uses: rust-lang/crates-io-auth-action@<full-commit-sha> where
<full-commit-sha> is the exact 40-character commit hash from the action
repository (pick the desired release commit) so the workflow references a
pinned, immutable revision instead of the v1 tag.
ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between b5b519e and db28340.

📒 Files selected for processing (1)
  • .github/workflows/publish.yaml

Comment thread .github/workflows/publish.yaml Outdated
Reduces supply-chain risk by referencing an immutable commit instead of
the mutable v1 tag.

Co-authored-by: claude <noreply@anthropic.com>