chore(ci): add permission to github token to release crates

When using crates.io trusted publishing feature GitHub token `id-token: write` permission to be able to authenticate the workflow on the registry.
2026-01-09 14:47:56 -05:00 · 2025-08-20 17:30:44 +02:00
parent 01c0e0c038
commit ce70770347
8 changed files with 22 additions and 1 deletions
--- a/.github/workflows/make_release.yml
+++ b/.github/workflows/make_release.yml
@@ -87,7 +87,7 @@ jobs:
    # For provenance of npmjs publish
    permissions:
      contents: read
-      id-token: write
+      id-token: write # also needed for OIDC token exchange on crates.io
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/make_release_cuda.yml
+++ b/.github/workflows/make_release_cuda.yml
@@ -122,6 +122,9 @@ jobs:
    name: Publish CUDA Release
    needs: [setup-instance, package] # for comparing hashes
    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
+    permissions:
+      # Needed for OIDC token exchange on crates.io
+      id-token: write
    strategy:
      fail-fast: false
      # explicit include-based build matrix, of known valid options
--- a/.github/workflows/make_release_hpu.yml
+++ b/.github/workflows/make_release_hpu.yml
@@ -66,6 +66,9 @@ jobs:
    name: Publish tfhe-hpu-backend Release
    runs-on: ubuntu-latest
    needs: [verify_tag, package] # for comparing hashes
+    permissions:
+      # Needed for OIDC token exchange on crates.io
+      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/make_release_tfhe_csprng.yml
+++ b/.github/workflows/make_release_tfhe_csprng.yml
@@ -67,6 +67,9 @@ jobs:
    name: Publish tfhe-csprng Release
    needs: [verify_tag, package]
    runs-on: ubuntu-latest
+    permissions:
+      # Needed for OIDC token exchange on crates.io
+      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/make_release_tfhe_fft.yml
+++ b/.github/workflows/make_release_tfhe_fft.yml
@@ -67,6 +67,9 @@ jobs:
    name: Publish tfhe-fft Release
    runs-on: ubuntu-latest
    needs: [verify_tag, package] # for comparing hashes
+    permissions:
+      # Needed for OIDC token exchange on crates.io
+      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/make_release_tfhe_ntt.yml
+++ b/.github/workflows/make_release_tfhe_ntt.yml
@@ -67,6 +67,9 @@ jobs:
    name: Publish tfhe-ntt Release
    runs-on: ubuntu-latest
    needs: [verify_tag, package] # for comparing hashes
+    permissions:
+      # Needed for OIDC token exchange on crates.io
+      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/make_release_tfhe_versionable.yml
+++ b/.github/workflows/make_release_tfhe_versionable.yml
@@ -60,6 +60,9 @@ jobs:
    name: Publish tfhe-versionable-derive Release
    needs: [ verify_tag, package-derive ] # for comparing hashes
    runs-on: ubuntu-latest
+    permissions:
+      # Needed for OIDC token exchange on crates.io
+      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/make_release_zk_pok.yml
+++ b/.github/workflows/make_release_zk_pok.yml
@@ -64,6 +64,9 @@ jobs:
    name: Publish tfhe-zk-pok Release
    needs: [verify_tag, package] # for comparing hashes
    runs-on: ubuntu-latest
+    permissions:
+      # Needed for OIDC token exchange on crates.io
+      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2