Merge pull request #2 from anthropics/setup-artifactory-publishing #1

	# Security notes:
	# - GitHub-owned actions (actions/checkout) use tag pins
	# - Third-party actions (jfrog/setup-jfrog-cli) are pinned to full commit SHAs
	# - Rust toolchain comes from the runner's pre-installed rustup
	# - The publish environment requires the anthropic-1.49.0 branch
	name: Publish to Artifactory

	on:
	push:
	branches:
	- anthropic-1.49.0

	permissions:
	contents: read
	id-token: write

	jobs:
	publish:
	runs-on: ubuntu-latest
	environment: publish
	steps:
	- uses: actions/checkout@v4

	- name: Setup Rust
	run: \|
	rustup default stable
	rustup show

	- name: Setup JFrog CLI
	uses: jfrog/setup-jfrog-cli@ff5cb544114ffc152db9cea1cd3d5978d5074946 # v4.5.11
	env:
	JF_URL: https://artifactory.infra.ant.dev
	with:
	oidc-provider-name: github
	oidc-audience: jfrog-github

	- name: Configure Cargo
	run: \|
	ARTIFACTORY_TOKEN=$(jf config show \| grep "Access Token" \| awk '{print $3}')
	mkdir -p ~/.cargo
	cat >> ~/.cargo/config.toml << EOF
	[registries.crates-internal]
	index = "sparse+https://artifactory.infra.ant.dev/artifactory/api/cargo/crates-internal/index/"
	credential-provider = ["cargo:token"]
	EOF
	# TODO: Consider adding crates-io source replacement through Artifactory proxy
	# once OIDC token read access to the crates-io proxy is confirmed.
	# For now, cargo resolves dependencies from public crates.io directly.
	cargo login --registry crates-internal <<< "Bearer ${ARTIFACTORY_TOKEN}"

	- name: Publish tokio to Artifactory
	run: \|
	cd tokio
	cargo publish --registry crates-internal --allow-dirty

Provide feedback