From 7db452a11d5d8b3ee16b72d2206199966534eb1c Mon Sep 17 00:00:00 2001
From: shawn
Date: Tue, 26 May 2026 09:12:33 +0800
Subject: [PATCH 1/2] ci: auto-publish to crates.io on tag release

Adds a publish-crate job after the GitHub Release job so tagged versions land on crates.io without a manual cargo publish step. Requires the CARGO_REGISTRY_TOKEN repository secret.
---
 .github/workflows/release.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e98a732..35e8b7a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -105,3 +105,20 @@ jobs:
 artifacts/SHA256SUMS
 install.sh
 uninstall.sh
+
+ publish-crate:
+ name: Publish to crates.io
+ needs: release
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Install system dependencies
+ run: sudo apt-get update && sudo apt-get install -y libfontconfig1-dev
+
+ - uses: dtolnay/rust-toolchain@stable
+
+ - uses: Swatinem/rust-cache@v2
+
+ - name: Publish
+ run: cargo publish --locked --token ${{ secrets.CARGO_REGISTRY_TOKEN }}
From c1a8fca18123862a4c80b064292c4b93af46f58a Mon Sep 17 00:00:00 2001
From: shawn
Date: Tue, 26 May 2026 09:29:19 +0800
Subject: [PATCH 2/2] ci: harden publish-crate job per review

- Pass CARGO_REGISTRY_TOKEN via env, not as shell-interpolated arg
- Gate on tag ref so workflow_dispatch on non-tag commits is skipped
- Verify tag version matches Cargo.toml before publishing
- Drop rust-cache (no prior build step to benefit from it)
---
 .github/workflows/release.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 35e8b7a..4ab93fe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
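Review bot: The steps of the `publish-crate` job added in patch 1/2 reference third-party actions by mutable refs (`actions/checkout@v6`, `dtolnay/rust-toolchain@stable`, which is a branch, and `Swatinem/rust-cache@v2`) in the one job that is handed the crates.io token. A moved tag or branch changes what runs next to that secret, so I would pin each to a full commit SHA with the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v6`, and pass `toolchain: stable` as an input to the pinned rust-toolchain action. The job also sets no `permissions:` key; unless the workflow declares one above this hunk, adding `permissions:` with `contents: read` keeps the job's GITHUB_TOKEN read-only.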
@@ -109,6 +109,7 @@ jobs:
 publish-crate:
 name: Publish to crates.io
 needs: release
+ if: startsWith(github.ref, 'refs/tags/v')
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
@@ -118,7 +119,13 @@ jobs:
 - uses: dtolnay/rust-toolchain@stable
- - uses: Swatinem/rust-cache@v2
+ - name: Verify tag matches Cargo.toml version
+ run: |
+ TAG_VERSION="${GITHUB_REF_NAME#v}"
+ CARGO_VERSION=$(grep '^version' Cargo.toml | head -1 | cut -d'"' -f2)
+ [ "$TAG_VERSION" = "$CARGO_VERSION" ] || { echo "Tag $TAG_VERSION != Cargo $CARGO_VERSION"; exit 1; }
 - name: Publish
- run: cargo publish --locked --token ${{ secrets.CARGO_REGISTRY_TOKEN }}
+ env:
+ CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+ run: cargo publish --locked
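Review bot: The new `if:` gates the job on the ref name only, so any run on a ref matching `refs/tags/v*` goes on to publish, and a crates.io release can be yanked but not replaced. Consider binding the job to a protected deployment environment that holds `CARGO_REGISTRY_TOKEN`, e.g. `environment: <environment-name>`, so a publish needs an approval in addition to a tag push. The workflow's triggers are outside this hunk, so who can start a run on a tag ref should be confirmed there.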
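Review bot: In the `Publish` step, `CARGO_REGISTRY_TOKEN` is now in the environment of the whole `cargo publish` run, and that run includes the verification build, so the build scripts and proc-macros of every dependency execute with the token readable. Splitting the step keeps the token away from third-party code: a token-free step with `run: cargo package --locked` does the build, then `run: cargo publish --locked --no-verify` runs under the `env:` block. Separately, the version check takes the first line starting with `version` in Cargo.toml, which is not necessarily the `[package]` version (a workspace manifest or `version.workspace = true` would yield a wrong value). It fails closed, but reading the version from `cargo metadata --no-deps --format-version 1` would be more robust.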