
Improve publishing security

reneleonhardt opened this issue 1 week ago • 0 comments

Instead of personal publishing, crates should be uploaded with Trusted Publishing: https://crates.io/docs/trusted-publishing https://crates.io/crates/sudo-rs/versions

Security Benefits

  • No long-lived API tokens to manage or rotate
  • Tokens automatically expire after 30 minutes
  • Repository and workflow verification prevents unauthorized publishing
  • OIDC-based cryptographic verification with GitHub's public JWKS
  • Optional GitHub Actions environments for additional access controls

```yaml
name: Publish to crates.io
on:
  push:
    tags: ['v*']  # Triggers when pushing tags starting with 'v'
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release  # Optional: for enhanced security
    permissions:
      id-token: write     # Required for OIDC token exchange
    steps:
    - uses: actions/checkout@v5
    - uses: rust-lang/crates-io-auth-action@v1
      id: auth
    - run: cargo publish
      env:
        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

reneleonhardt, Nov 12 '25 11:11
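To make the "repository and workflow verification" and the 30-minute expiry from the list above concrete, here is an added example (not code from the issue, crates.io or sudo-rs) modelling the registry side of the OIDC exchange: the claims a GitHub Actions token carries are checked against a trusted-publisher record, and only then is a short-lived publish token minted. The trusted-publisher record, the `crates.io` audience string and all claim values are constructed placeholders; JWT signature verification against GitHub's JWKS is assumed to have happened before these checks.

```python
import secrets
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
REGISTRY_TOKEN_TTL = 30 * 60  # the exchanged publish token lives 30 minutes
# Hypothetical trusted-publisher record (placeholder, not the real sudo-rs configuration).
TRUSTED_PUBLISHER = {"repository": "example-org/sudo-rs", "workflow": "publish.yml", "environment": "release"}

def verify_claims(claims, config, audience, now):
    """Return the failed checks (empty list = accepted). Assumes the JWT signature was already verified."""
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append("issuer is not GitHub Actions")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("OIDC token expired")
    if claims.get("repository") != config["repository"]:
        problems.append("repository mismatch")
    # workflow_ref has the form owner/repo/.github/workflows/<file>@<git ref>; pin repo and file
    prefix = f"{config['repository']}/.github/workflows/{config['workflow']}@"
    if not str(claims.get("workflow_ref", "")).startswith(prefix):
        problems.append("workflow mismatch")
    if config.get("environment") and claims.get("environment") != config["environment"]:
        problems.append("environment mismatch")
    return problems

def exchange_for_publish_token(claims, config, audience, now=None):
    """Model of the OIDC-to-registry exchange: no token unless every check passes, and it expires in 30 minutes."""
    now = time.time() if now is None else now
    problems = verify_claims(claims, config, audience, now)
    if problems:
        return {"token": None, "expires_at": None, "problems": problems}
    return {"token": secrets.token_urlsafe(32), "expires_at": now + REGISTRY_TOKEN_TTL, "problems": []}

# Constructed sample claim sets (all values made up); fixed clock keeps the example deterministic.
NOW = 1_762_945_860
GOOD_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": "crates.io", "iat": NOW - 60, "exp": NOW + 240,
    "repository": "example-org/sudo-rs", "environment": "release",
    "workflow_ref": "example-org/sudo-rs/.github/workflows/publish.yml@refs/tags/v0.2.0",
}
# Same workflow file run from a fork: validly signed by GitHub, but not the trusted repository.
FORK_CLAIMS = dict(GOOD_CLAIMS, repository="someone-else/sudo-rs",
                   workflow_ref="someone-else/sudo-rs/.github/workflows/publish.yml@refs/heads/main")
```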