Use crates.io trusted publish (#303)

jsturtevant · web-flow · commit 6b1b5987c473 · 2025-12-12T21:00:15.000Z
* Use crates.io trusted publish

Signed-off-by: James Sturtevant &lt;jsturtevant@gmail.com&gt;

* Don't need token for dry run

Signed-off-by: James Sturtevant &lt;jsturtevant@gmail.com&gt;

---------

Signed-off-by: James Sturtevant &lt;jsturtevant@gmail.com&gt;
diff --git a/.github/workflows/CreateRelease.yml b/.github/workflows/CreateRelease.yml
@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   packages: write
+  id-token: write  # Required for crates.io trusted publishing
 
 jobs:
   
@@ -104,14 +105,16 @@ jobs:
       env:
         GH_TOKEN: ${{ github.token }}
       shell: bash
+    - name: Authenticate with crates.io
+      if: ${{ contains(github.ref, 'refs/heads/release/') }}
+      uses: rust-lang/crates-io-auth-action@v1
+      id: crates-io-auth
     - name: Publish dry-run
       if: ${{ contains(github.ref, 'refs/heads/release/') }}
       run: |
         set -euxo pipefail
         cargo publish -p hyperlight-wasm-aot --dry-run
         cargo publish -p hyperlight-wasm --dry-run
-      env:
-        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
       shell: bash
     - name: Publish to crates.io
       if: ${{ contains(github.ref, 'refs/heads/release/') }}
@@ -120,5 +123,5 @@ jobs:
         cargo publish -p hyperlight-wasm-aot
         cargo publish -p hyperlight-wasm
       env:
-        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
+        CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }}
       shell: bash
