From 5c49d5fde9a9d5cd7b4ec80a6550c6e269d8ab85 Mon Sep 17 00:00:00 2001
From: Niklas Dusenlund
Date: Mon, 9 Jun 2025 12:40:33 +0200
Subject: [PATCH] ci: Publish using a custom jobs instead of triggers

Github triggers can only be constrained by branches and not tags. Since we don't want the publish job to run on pull_requests, we use `dist`s custom `publish-jobs` instead.
---
 .github/workflows/publish.yml | 13 ++++++++-----
 .github/workflows/release.yml | 17 ++++++++++++++++-
 dist-workspace.toml | 2 ++
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d8602f9ad9..c6a1f264d4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,11 +1,14 @@
 # This is triggered after the Release workflow successfully completes its run
 name: Publish on crates.io
 on:
- workflow_run:
- workflows:
- - Release
- types:
- - completed
+ workflow_call:
+ # dist exposes the plan from the plan step, as a JSON string,
+ # to your job if it needs it
+ inputs:
+ plan:
+ required: true
+ type: string
+
 env:
 CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
 jobs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6620b80c98..d0b647ca58 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
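Review bot: In publish.yml the new `workflow_call:` block declares the `plan` input but no `secrets:`, so the workflow-level `CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}` only resolves because the `custom-publish` job in release.yml calls it with `secrets: inherit`, which passes every secret available to the release workflow rather than the one this workflow needs. Declaring the token under `workflow_call` (`secrets:` / `CARGO_REGISTRY_TOKEN:` / `required: true`) would make the dependency explicit and allow the caller to pass only that secret. The token also sits in workflow-level `env`, so every step of every job receives it; the `jobs:` section continues outside the hunk, so whether it can be scoped to the publishing step alone is not visible here.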
@@ -274,14 +274,29 @@ jobs:
 gh release create "${{ needs.plan.outputs.tag }}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/*
+ custom-publish:
+ needs:
+ - plan
+ - host
+ if: ${{ !fromJson(needs.plan.outputs.val).announcement_is_prerelease || fromJson(needs.plan.outputs.val).publish_prereleases }}
+ uses: ./.github/workflows/publish.yml
+ with:
+ plan: ${{ needs.plan.outputs.val }}
+ secrets: inherit
+ # publish jobs get escalated permissions
+ permissions:
+ "id-token": "write"
+ "packages": "write"
+
 announce:
 needs:
 - plan
 - host
+ - custom-publish
 # use "always() && ..." to allow us to wait for all publish jobs while
 # still allowing individual publish jobs to skip themselves (for prereleases).
 # "host" however must run to completion, no skipping allowed!
- if: ${{ always() && needs.host.result == 'success' }}
+ if: ${{ always() && needs.host.result == 'success' && (needs.custom-publish.result == 'skipped' || needs.custom-publish.result == 'success') }}
 runs-on: "ubuntu-22.04"
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/dist-workspace.toml b/dist-workspace.toml
index 7a7609b05c..e4b32568bf 100644
--- a/dist-workspace.toml
+++ b/dist-workspace.toml
@@ -19,6 +19,8 @@ pr-run-mode = "plan"
 install-updater = false
 # Path that installers should place binaries in
 install-path = "CARGO_HOME"
+# Publish jobs to run in CI
+publish-jobs = ["./publish"]
 [dist.github-custom-runners]
 global = "ubuntu-22.04"
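Review bot: In release.yml the `custom-publish` job grants `"id-token": "write"` and `"packages": "write"` to the called workflow, yet the visible part of publish.yml authenticates to crates.io with `CARGO_REGISTRY_TOKEN` and shows neither an OIDC token exchange nor a GitHub Packages upload. If the publish job uses neither, a narrower block such as `permissions:` / `contents: read` would keep a compromised action or build dependency in that job from requesting OIDC tokens or writing packages. The comment `# publish jobs get escalated permissions` suggests the block comes from dist's template, so the reduction may have to be made through dist's configuration rather than by editing this file; that is inferred, since the file header is outside the hunk.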