firebase-admin 0.1.1

An open-source Firebase Admin SDK for Rust, starting with Authentication
Documentation
# Publishes to crates.io and cuts GitHub Releases using a token with
# elevated permissions (CARGO_REGISTRY_TOKEN) — every action used here is
# pinned to an immutable commit SHA (not a mutable version tag) so a
# hijacked/re-tagged upstream Action cannot silently inject code into this
# workflow and exfiltrate that token or push unreviewed releases.
name: Release-plz

on:
  push:
    branches: [main]

# Least-privilege default: no permissions unless a job explicitly requests
# them below.
permissions: {}

jobs:
  release-plz:
    name: Release-plz
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          fetch-depth: 0
      - uses: actions-rust-lang/setup-rust-toolchain@166cdcfd11aee3cb47222f9ddb555ce30ddb9659 # v1.17.0
      - uses: MarcoIeni/release-plz-action@e8792575c7f2366cf6ff3ccc33ead9ace5b691c7 # v0.5.130
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

  checksums:
    name: Attach SHA-256 checksums to the GitHub Release
    needs: release-plz
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - uses: actions-rust-lang/setup-rust-toolchain@166cdcfd11aee3cb47222f9ddb555ce30ddb9659 # v1.17.0
      - name: Build a release-mode source distribution and checksum it
        run: |
          set -euo pipefail
          cargo package --allow-dirty
          cd target/package
          sha256sum ./*.crate > SHA256SUMS.txt
          cat SHA256SUMS.txt
      - name: Attach checksums to the matching GitHub Release, if one exists
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          version="$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[0].version')"
          tag="v${version}"
          if gh release view "$tag" >/dev/null 2>&1; then
            gh release upload "$tag" target/package/SHA256SUMS.txt --clobber
          else
            echo "No GitHub Release found for tag $tag yet; skipping checksum upload."
          fi