dotprot 0.1.0

Lock up .env files (and anything in .prot) inside a 1Password vault.
# Publish to crates.io on a version tag.
#
# Kept separate from the cargo-dist-generated release.yml (which dist owns and
# regenerates). This handles the `cargo install dotprot` channel.
#
# Requires a repository secret CARGO_REGISTRY_TOKEN (a crates.io API token).
name: Publish to crates.io

on:
  push:
    tags:
      - "v*.*.*"

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Verify tag matches Cargo.toml version
        env:
          # Pass the (semi-trusted) tag name via env, never inline ${{ }} in run.
          TAG_NAME: ${{ github.ref_name }}
        run: |
          tag="${TAG_NAME#v}"
          crate="$(cargo metadata --no-deps --format-version 1 \
            | grep -m1 '"version":' | sed -E 's/.*"version": *"([^"]+)".*/\1/')"
          if [ "$tag" != "$crate" ]; then
            echo "Tag v$tag does not match Cargo.toml version $crate" >&2
            exit 1
          fi

      - name: Publish
        env:
          # cargo reads the token from this env var; keeps it off the command line.
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
        run: cargo publish