From 7e64872c9775a7d0514caa80ff6728e898ef41e4 Mon Sep 17 00:00:00 2001
From: Robin Krahl
Date: Tue, 24 Mar 2026 13:07:42 +0100
Subject: [PATCH] Add trusted publishing
---
.github/workflows/cd-test.yml | 18 ++++++++++++++++++
.github/workflows/cd.yml | 33 +++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 .github/workflows/cd-test.yml
create mode 100644 .github/workflows/cd.yml
diff --git a/.github/workflows/cd-test.yml b/.github/workflows/cd-test.yml
new file mode 100644
index 0000000..a005fb5
--- /dev/null
+++ b/.github/workflows/cd-test.yml
@@ -0,0 +1,18 @@
+name: Continuous delivery - test
+
+on:
+ pull_request:
+ # opened, reopenened, synchronize are the default types for pull_request
+ # labeled, unlabeled ensure this check is also run if a label is added or removed
+ types: [opened, reopened, synchronize, labeled, unlabeled]
+
+jobs:
+ test-publish:
+ runs-on: ubuntu-latest
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check') }}
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - run: cargo publish --dry-run --package apdu-app
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check-apdu-app') }}
+ - run: cargo publish --dry-run --package apdu-dispatch
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-publish-check-apdu-dispatch') }}
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
new file mode 100644
index 0000000..07636eb
--- /dev/null
+++ b/.github/workflows/cd.yml
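Review bot: In cd-test.yml the workflow sets no `permissions:` and the `actions/checkout` step keeps its default credential persistence, while the two `cargo publish --dry-run` steps compile pull-request code, build scripts included. What the default `GITHUB_TOKEN` may do depends on repository settings that are not visible in this patch, so I would pin it in the file with a top-level `permissions:` block holding `contents: read`, and add `with:` / `persist-credentials: false` under the checkout step. Separately, the comment above `types:` spells "reopenened"; it should read "reopened".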
@@ -0,0 +1,33 @@
+name: Continuous delivery - crates.io
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ publish-apdu-app:
+ runs-on: ubuntu-latest
+ if: ${{ startsWith(github.event.release.tag_name, 'app-') }}
+ environment: crates.io
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
+ id: auth
+ - run: cargo publish --package apdu-app
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+ publish-apdu-dispatch:
+ runs-on: ubuntu-latest
+ if: ${{ startsWith(github.event.release.tag_name, 'dispatch-') }}
+ environment: crates.io
+ permissions:
+ id-token: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
+ id: auth
+ - run: cargo publish --package apdu-dispatch
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
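Review bot: In `publish-apdu-app` the `cargo publish --package apdu-app` step runs cargo's verification build with `CARGO_REGISTRY_TOKEN` in its environment, so build scripts and proc macros pulled in by the crate's dependencies execute while the crates.io token can be read; `publish-apdu-dispatch` has the same shape. Running `cargo publish --dry-run --package apdu-app` before the `crates-io-auth-action` step and then publishing with `cargo publish --no-verify --package apdu-app` narrows that window, and moving the verification build into a separate job without `id-token: write` would isolate it further. Neither job checks that the release tag agrees with the crate version in `Cargo.toml`, so an `app-` or `dispatch-` tag publishes whatever version the tagged commit declares; a comparison step ahead of the auth step would catch a mislabeled release. If such a step is added, hand `github.event.release.tag_name` to the script through `env:` rather than interpolating it into `run:`.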