From 30bc5e8bf1b99bdf907c2a580a9d1f0066e84d8a Mon Sep 17 00:00:00 2001
From: Leon Riesebos <28567817+lriesebos@users.noreply.github.com>
Date: Tue, 2 Jun 2026 22:22:10 -0400
Subject: [PATCH 1/2] feat: added version match check in publish workflow
---
 .github/workflows/publish.yml | 13 +++++++++++++
 flake.nix | 1 +
 2 files changed, 14 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a6be300..2790823 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -20,5 +20,18 @@ jobs:
 experimental-features = nix-command flakes
 accept-flake-config = true
+ - name: Verify tag version matches Cargo.toml version
+ run: |
+ TAG_VERSION="${{ steps.get_tag.outputs.tag }}"
+ CLEAN_TAG_VERSION="${TAG_VERSION#v}"
+ CARGO_VERSION=$(nix develop -c -- toml get Cargo.toml package.version)
+ echo "Tag version: $CLEAN_TAG_VERSION"
+ echo "Cargo.toml version: $CARGO_VERSION"
+ if [ "$CLEAN_TAG_VERSION" != "$CARGO_VERSION" ]; then
+ echo "Tag version does not match Cargo.toml version"
+ exit 1
+ fi
+ shell: bash
+
 - name: Cargo publish
 run: nix develop -c -- cargo publish
diff --git a/flake.nix b/flake.nix
index 48b3476..bceee08 100644
--- a/flake.nix
+++ b/flake.nix
@@ -46,6 +46,7 @@
 rustToolchain
 pkgs.nixd
 pkgs.nil
+ pkgs.toml-cli
 ];
 };
 };
From ba516ab9a4cfcee043225b98e7bfab34f450c528 Mon Sep 17 00:00:00 2001
From: Leon Riesebos <28567817+lriesebos@users.noreply.github.com>
Date: Tue, 2 Jun 2026 22:22:36 -0400
Subject: [PATCH 2/2] fix: added crates.io trusted publishing cargo registry token to publish workflow
---
 .github/workflows/publish.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2790823..7b0a5b6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
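Review bot: In the `Verify tag version matches Cargo.toml version` step of [PATCH 1/2], `TAG_VERSION="${{ steps.get_tag.outputs.tag }}"` expands the tag name into the script text before bash parses it, so a tag containing quote or shell metacharacters changes the script that runs in the `release` environment job. Pass the value through the step environment instead: add `env:` with `TAG_VERSION: ${{ steps.get_tag.outputs.tag }}` to the step and delete the assignment line, leaving `CLEAN_TAG_VERSION="${TAG_VERSION#v}"` to read the variable. The `get_tag` step is defined outside this hunk, so whether it already constrains the tag format cannot be seen here. Separately, `toml get` may print the string JSON-quoted unless `--raw` is given, which would make the comparison fail on every run; worth confirming against the pinned toml-cli.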
@@ -9,10 +9,15 @@ jobs:
 publish:
 runs-on: ubuntu-24.04
 environment: release
+ permissions:
+ id-token: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: Trusted publishing crates.io
+ uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
+ id: auth
 - name: Install Nix
 uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 with:
@@ -35,3 +40,5 @@ jobs:
 - name: Cargo publish
 run: nix develop -c -- cargo publish
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
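Review bot: The `Trusted publishing crates.io` step added in the first hunk runs before `Install Nix` and the version check, so the registry token is minted even when the job later fails the tag check, and it exists while the Nix installer and the `nix develop` invocations run. Moving the step (with its `id: auth`) to sit immediately before `Cargo publish` limits the token's lifetime to the one step that consumes it through `CARGO_REGISTRY_TOKEN` in the second hunk, and keeps a slow Nix setup from eating into the token's validity window. A comment on the permission would also help, e.g. `id-token: write # OIDC token exchange for crates.io trusted publishing`. Because a job-level `permissions:` block sets every unlisted scope to none, confirm checkout still works if the repository is ever private (it would then need `contents: read`).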