From f4c3640a61c8f899b834de38f1637554e9d09c0b Mon Sep 17 00:00:00 2001
From: Alex Crichton <alex@alexcrichton.com>
Date: Wed, 2 Jul 2025 16:18:53 -0700
Subject: [PATCH] Try out trusted publishing for crates.io

---
 .github/workflows/publish.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 124390e..c2ca7e9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,10 +9,12 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   create_tag:
     name: Publish artifacts of build
+    environment: release
     runs-on: ubuntu-latest
     if: |
       github.repository_owner == 'bytecodealliance'
@@ -79,10 +81,15 @@ jobs:
         files: "dist/*"
         tag_name: v${{ steps.tag.outputs.version }}
 
+
+    - uses: rust-lang/crates-io-auth-action@v1
+      id: auth
+      if: steps.tag.outputs.push_tag == 'yes'
+
     - run: |
         rm -rf dist main.log
         rustc ci/publish.rs
         ./publish publish
       env:
-        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
       if: steps.tag.outputs.push_tag == 'yes'