From e3a67b07592f9ef3fea1fe840acc160b5e9af924 Mon Sep 17 00:00:00 2001 From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com> Date: Fri, 19 Jun 2026 09:51:39 +0200 Subject: [PATCH] explain trusted publishing environment rules --- src/infra/docs/trusted-publishing.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/infra/docs/trusted-publishing.md b/src/infra/docs/trusted-publishing.md index 5499e94ba..128ed074a 100644 --- a/src/infra/docs/trusted-publishing.md +++ b/src/infra/docs/trusted-publishing.md @@ -43,6 +43,26 @@ publish-environment = "publish" ... ``` +### Environment rules + +The environment rules should match the event that triggers the publish +GitHub Actions workflow. + +For example, if the publish is triggered by: + +```yaml +on: + push: + tags: ["v*"] +``` + +then the environment should allow the workflow to run on the same tags pushes: + +```toml +[environments.publish] +tags = ["v*"] +``` + ## 3. Write the GitHub Actions workflow Every workflow that publishes to crates.io through trusted publishing needs:
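Review bot: In the new "Environment rules" section, the sentence "then the environment should allow the workflow to run on the same tags pushes" is ungrammatical and leaves the requirement loose. Suggest "on the same tag pushes", and say explicitly that the `tags` pattern under `[environments.publish]` is expected to be the same pattern as the workflow's `on.push.tags` (here `"v*"`) rather than a wider one, since the opening sentence only says the rules "should match" the trigger. The section also covers only the tag-push case and does not say what happens when the environment rules and the trigger disagree. One sentence on that outcome would tell a reader why the rule exists and what to look for when a publish run does not go through.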