MRE for rust-lang/crates-io-auth-action#111

Minimal reproducible example for Publishing from a subdirectory issue.

Structure

This is a Rust workspace with two crates:

• konsti-bar - Main crate at the repository root
• konsti-foo - Helper crate in a subdirectory

Both crates have proper metadata (description, license, repository) and are ready to publish.

Problem

When attempting to publish konsti-foo using GitHub Actions with trusted publishing, the workflow fails with:

Error: Failed to retrieve token from Cargo registry. Status: 400.
Error: The Trusted Publishing config for repository `konsti-bar` does not match
the workflow filename `publish-konsti-foo.yml` in the JWT.
Expected workflow filenames: `publish-konsti-bar.yml`

Root Cause

The Cargo registry's trusted publishing validation checks the workflow filename in the JWT against the configured workflow filenames. When you configure trusted publishing for a repository, it associates the workflow filename with the main crate. When you try to publish a subdirectory crate with a different workflow filename, validation fails.

Reproduction Steps

1. Configure trusted publishing on crates.io for konsti-bar with workflow publish-konsti-bar.yml
2. Try to publish konsti-foo using the publish-konsti-foo.yml workflow
3. The action will fail with the error message above

Workflows

• .github/workflows/publish-konsti-bar.yml - Works correctly for main crate
• .github/workflows/publish-konsti-foo.yml - Fails due to workflow name mismatch

Expected Behavior

Trusted publishing should support publishing subdirectory crates with their own workflow files, or allow specifying multiple workflow filenames in the trusted publishing configuration.

Current Workaround

Use a single workflow file that publishes both crates conditionally, but this couples the release process of independent crates.