From 38356fda8c1a0c0730ee2d98d63445671a3df6fe Mon Sep 17 00:00:00 2001
From: Mike Foster <i.am.mike.foster@gmail.com>
Date: Tue, 2 Jun 2026 10:00:47 +0000
Subject: [PATCH] oidc publishing

---
 .github/workflows/rust-publish.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/rust-publish.yml b/.github/workflows/rust-publish.yml
index f9c6847..0f4ff10 100644
--- a/.github/workflows/rust-publish.yml
+++ b/.github/workflows/rust-publish.yml
@@ -2,8 +2,8 @@ name: Deploy Rust
 concurrency: Crates.io
 
 on:
-  push: 
-    tags: "v*"
+  release:
+    types: [published]
 
 env:
   CARGO_TERM_COLOR: always
@@ -15,17 +15,26 @@ jobs:
       issues: write
     uses: ./.github/workflows/rust-stability.yml
 
-  publish:
+  publish_lib:
+    needs:
+      - quality-check
+    if: ${{ !(failure() || cancelled()) }}
     environment: crates.io
-    needs: quality-check
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
+      with:
+        ref: ${{ github.event.release.target_commitish }}
+    # Install manually as different crates may have custom toolchains defined
+    - name: install rust
+      run: rustup set profile default && rustup install
+    # Use OIDC for updating existing crates
     - uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe #v1.0.4
       id: auth
     - name: Publish
       env:
-        # CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
         CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
       run:
         cargo publish