From ed9fd8ba7511cd8bbabac5d219fb3cf19e8819f4 Mon Sep 17 00:00:00 2001
From: Marek 'seqre' Grzelak <git@seqre.dev>
Date: Mon, 26 Jan 2026 18:52:33 +0100
Subject: [PATCH] ci: use crates.io trusted publishing

---
 .../{release-plz.yml => release-plz-pr.yml}   | 30 ++--------------
 .github/workflows/release-plz-release.yml     | 35 +++++++++++++++++++
 2 files changed, 37 insertions(+), 28 deletions(-)
 rename .github/workflows/{release-plz.yml => release-plz-pr.yml} (50%)
 create mode 100644 .github/workflows/release-plz-release.yml

diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz-pr.yml
similarity index 50%
rename from .github/workflows/release-plz.yml
rename to .github/workflows/release-plz-pr.yml
index 1aa17ddf..7b06e0d2 100644
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz-pr.yml
@@ -1,4 +1,4 @@
-name: Release-plz
+name: Release-plz PR
 
 on:
   push:
@@ -6,33 +6,8 @@ on:
       - master
 
 jobs:
-  release-plz-release:
-    name: Release-plz release
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: Generate GitHub token
-        uses: actions/create-github-app-token@v2
-        id: generate-token
-        with:
-          app-id: ${{ secrets.COTBOT_APP_ID }}
-          private-key: ${{ secrets.COTBOT_PRIVATE_KEY }}
-      - name: Checkout repository
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-      - name: Run release-plz
-        uses: release-plz/action@v0.5
-        with:
-          command: release
-        env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
-
   release-plz-pr:
+    if: ${{ github.repository_owner == 'cot-rs' }}
     name: Release-plz PR
     runs-on: ubuntu-latest
     permissions:
@@ -60,4 +35,3 @@ jobs:
           command: release-pr
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
diff --git a/.github/workflows/release-plz-release.yml b/.github/workflows/release-plz-release.yml
new file mode 100644
index 00000000..0939702d
--- /dev/null
+++ b/.github/workflows/release-plz-release.yml
@@ -0,0 +1,35 @@
+name: Release-plz release
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  release-plz-release:
+    if: ${{ github.repository_owner == 'cot-rs' }}
+    name: Release-plz release
+    runs-on: ubuntu-latest
+    environment: "crates.io release"
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Generate GitHub token
+        uses: actions/create-github-app-token@v2
+        id: generate-token
+        with:
+          app-id: ${{ secrets.COTBOT_APP_ID }}
+          private-key: ${{ secrets.COTBOT_PRIVATE_KEY }}
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+      - name: Run release-plz
+        uses: release-plz/action@v0.5
+        with:
+          command: release
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}