From 26ed9be22ba323d18696bfc8c3c6c6eaa9e867bf Mon Sep 17 00:00:00 2001
From: Linwei Shang
Date: Mon, 30 Mar 2026 09:32:42 -0400
Subject: [PATCH] ci: add publish workflow for crates.io trusted publishing
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/publish.yml | 65 +++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 .github/workflows/publish.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 000000000..1622877e6
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,65 @@
+name: Publish crates to crates.io
+
+on:
+ workflow_dispatch:
+ inputs:
+ ic_principal:
+ description: "Publish ic_principal"
+ type: boolean
+ default: false
+ candid:
+ description: "Publish candid and candid_derive"
+ type: boolean
+ default: false
+ candid_parser:
+ description: "Publish candid_parser"
+ type: boolean
+ default: false
+
+jobs:
+ publish:
+ name: Publish selected crates
+ runs-on: ubuntu-24.04
+ if: >-
+ inputs.ic_principal || inputs.candid || inputs.candid_parser
+
+ permissions:
+ contents: read
+ id-token: write # Required for trusted publishing via OIDC
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Install Rust toolchain
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ with:
+ cache: false
+
+ - name: Authenticate with crates.io
+ id: auth
+ uses: rust-lang/crates-io-auth-action@v1
+
+ # Crates are ordered by dependency: publish dependencies before dependents.
+ # ic_principal has no workspace deps.
+ # candid_derive has no workspace deps.
+ # candid depends on ic_principal, candid_derive.
+ # candid_parser depends on candid.
+
+ - name: Publish ic_principal
+ if: inputs.ic_principal
+ run: cargo publish -p ic_principal
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+
+ - name: Publish candid and candid_derive
+ if: inputs.candid
+ run: cargo publish -p candid_derive && cargo publish -p candid
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+
+ - name: Publish candid_parser
+ if: inputs.candid_parser
+ run: cargo publish -p candid_parser
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
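Review bot: The three `uses:` lines in the `publish` job reference mutable tags (`actions/checkout@v6`, `actions-rust-lang/setup-rust-toolchain@v1`, `rust-lang/crates-io-auth-action@v1`) while the job holds `id-token: write` and later a crates.io publish token. A retagged or compromised action would then run inside the release path, so each reference should be pinned to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA> # v6`. The only trigger is `workflow_dispatch` and the job has no ref or environment gate, so it can presumably be started from any branch by anyone allowed to run workflows. Adding `environment: <RELEASE_ENVIRONMENT>` with required reviewers, and requiring the same environment in the crates.io trusted-publisher entry, would restrict who can mint a publish token. Setting `persist-credentials: false` on the checkout step is also worth adding, since `cargo publish` executes build scripts during its verification build.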