feat: add crates.io trusted publishing support via OIDC #366

Merged
EricCrosson merged 1 commit into semantic-release-action:master from starfy84:feat/trusted-publishing
Feb 23, 2026

@starfy84
Contributor

Summary

  • Adds optional OIDC-based trusted publishing support to both composite actions
  • When no cargo-registry-token is provided, uses rust-lang/crates-io-auth-action@v1 to obtain a short-lived OIDC token from crates.io
  • Fully backwards-compatible: existing users who pass a cargo-registry-token are completely unaffected (the OIDC step is skipped via if condition)

How it works

In both semantic-release-binary/action.yml and semantic-release-library/action.yml, a new conditional step is added before the semantic-release step:

- name: Authenticate with crates.io (Trusted Publishing)
  if: inputs.cargo-registry-token == ''
  id: crates-io-auth
  uses: rust-lang/crates-io-auth-action@v1

- run: |
    : semantic-release
    ${semantic_release}
  env:
    GITHUB_TOKEN: ${{ inputs.github_token }}
    CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token || inputs.cargo-registry-token }}

  • If cargo-registry-token is provided: OIDC step is skipped, token falls through to inputs.cargo-registry-token
  • If cargo-registry-token is empty: OIDC step runs, obtains a short-lived token, that token is used

Callers need id-token: write permission and must configure their crates on crates.io with a trusted publisher.

Verified

This has been tested in production on starfy84/git-seek using a fork of this action, successfully publishing two crates via trusted publishing:

When no cargo-registry-token is provided, use rust-lang/crates-io-auth-action@v1
to obtain a short-lived OIDC token from crates.io. Fully backwards-compatible:
existing users who pass a token are unaffected.
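
A caller workflow for the trusted-publishing path described in this PR, as an added example that is not part of the PR or the project's own documentation. The `uses:` reference, trigger branch, checkout step and `contents: write` grant are assumptions; the `github_token` input, the omitted `cargo-registry-token` input and the `id-token: write` requirement come from the description above.

```yaml
# Added example: assumed caller workflow, not taken from the PR.
name: release

on:
  push:
    branches: [master]        # assumed release branch

# Start from no permissions and grant only what the release job needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write         # required: lets the OIDC step request a token
      contents: write         # assumed: semantic-release pushes tags and releases
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # assumed: full history for version calculation

      # Assumed reference to the library action changed by this PR
      # (the change shipped in version 5.3.0).
      - uses: semantic-release-action/rust/semantic-release-library@v5
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # cargo-registry-token is deliberately not set. The action's
          # `if: inputs.cargo-registry-token == ''` step then runs
          # rust-lang/crates-io-auth-action@v1, and its short-lived token
          # is what ends up in CARGO_REGISTRY_TOKEN.
          #
          # Long-lived alternative this replaces (skips the OIDC step):
          # cargo-registry-token: ${{ secrets.CARGO_REGISTRY_TOKEN }}
```

An unset secret evaluates to an empty string, so a caller that still passes `cargo-registry-token: ${{ secrets.CARGO_REGISTRY_TOKEN }}` after deleting the secret takes the OIDC path too and needs `id-token: write` plus a trusted publisher configured on crates.io.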
@EricCrosson
Collaborator

Thanks @starfy84 !

@EricCrosson EricCrosson merged commit f7ddc62 into semantic-release-action:master Feb 23, 2026
1 check passed
@github-actions

🎉 This PR is included in version 5.3.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
