Try out trusted publishing for crates.io #69


Merged 1 commit, Jul 2, 2025

Conversation

alexcrichton (Member)

No description provided.

@alexcrichton alexcrichton enabled auto-merge July 2, 2025 23:21
@alexcrichton alexcrichton added this pull request to the merge queue Jul 2, 2025
Merged via the queue into main with commit b7b2638 Jul 2, 2025
13 checks passed
@alexcrichton alexcrichton deleted the trusted-publish branch July 2, 2025 23:25
Turbo87 commented Jul 3, 2025

thanks for testing! let me know if you have any feedback 😉

alexcrichton (Member, Author)

Oh sure! Is here a good place to drop some minor thoughts or is there a better location?

Turbo87 commented Jul 3, 2025

> Is here a good place to drop some minor thoughts

sure, yeah :)

alexcrichton (Member, Author)

Ok, happy to! Overall a really nice feature, I look forward to using it in larger repos. Thank you (and others!) for working on it!

Two very minor things I noticed which aren't blockers in any way:

  • The email notification about the crate previously had a source of "was published by this person" but using this approach didn't list anything there. Would it be possible to mention the repo/workflow that performed the publish? (or perhaps does crates.io get a link to the actual workflow itself? that'd be pretty neat to have a url right back to the workflow run)
  • At https://crates.io/crates/wasm-component-ld/settings/new-trusted-publisher under "Workflow filename" I was initially uncertain whether to say publish.yml or .github/workflows/publish.yml. The documentation here was clear though that publish.yml was correct. Could the text below the box have a "for example ..." indicating that?

And one slightly larger ask:

For larger repositories (e.g. Wasmtime's workspace) one thing we'll want to do is update our script to ensure that all crates in the workspace have a trusted publishing workflow registered. That'll require us to slightly change our development practices where if a new crate is added we won't be able to merge the PR until someone publishes a dummy version of the crate and registers the trusted publishing workflow, but all that seems fine to me. Question for you though, is there a way to discover through the crates.io API whether there's a trusted publishing workflow registered for a crate? That would be something our script would curl and check to use to prevent merging PRs that add new crates which don't have the trusted publishing workflow set.

Turbo87 commented Jul 3, 2025

> The email notification about the crate previously had a source of "was published by this person" but using this approach didn't list anything there. Would it be possible to mention the repo/workflow that performed the publish?

I'll need to do some research, but I think that should be possible to some degree.

> At https://crates.io/crates/wasm-component-ld/settings/new-trusted-publisher under "Workflow filename" I was initially uncertain whether to say publish.yml or .github/workflows/publish.yml. The documentation here was clear though that publish.yml was correct. Could the text below the box have a "for example ..." indicating that?

I thought I had included that, but apparently it got lost somehow. I'll add it back 👍

> is there a way to discover through the crates.io API whether there's a trusted publishing workflow registered for a crate?

Generally yes, but since we're still testing and haven't committed to the API design yet, the APIs are currently limited to cookie-only authentication so that our frontend is the only API user allowed. Once we're feeling confident about the design we will likely open the API up to API token auth too.

alexcrichton (Member, Author)

Nice, and sounds great! This is all nice enough I might say we should add in the auto-verification in the future and just go ahead and rely on this in the meantime...

Regardless thanks so much again for the work here!

Turbo87 commented Jul 4, 2025

> The email notification about the crate previously had a source of "was published by this person" but using this approach didn't list anything there. Would it be possible to mention the repo/workflow that performed the publish?

Unfortunately we only get the "run ID" but not the "job ID" from GitHub (see https://docs.github.com/en/actions/concepts/security/about-security-hardening-with-openid-connect), but that still seems reasonably useful :)
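To make the two points above concrete (the bare `publish.yml` filename in the trusted publisher settings, and an attribution line built from the OIDC token that can only link to the workflow run because there is no job ID claim), here is an added illustration that is not crates.io's own code. The claim names come from the GitHub OIDC documentation linked above; the repository, run ID and the matching logic itself are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed GitHub Actions OIDC token payload (claims only; signature
# verification is out of scope here). Claim names follow the GitHub docs
# linked in the thread; all values are made up for illustration.
SAMPLE_CLAIMS = json.dumps({
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "crates.io",
    "repository": "example-org/example-crate",
    "job_workflow_ref": "example-org/example-crate/.github/workflows/publish.yml@refs/tags/v0.1.0",
    "run_id": "123456789",
    "run_attempt": "1",
    "environment": "release",
})


def sample_claims() -> dict:
    """Decode the constructed payload into a claims dict."""
    return json.loads(SAMPLE_CLAIMS)


@dataclass(frozen=True)
class TrustedPublisher:
    """Registered publisher: the workflow is the bare filename, e.g. "publish.yml"."""
    owner: str
    repo: str
    workflow_filename: str
    environment: Optional[str] = None


def workflow_filename(job_workflow_ref: str) -> str:
    """Return the bare filename from a job_workflow_ref claim ("path@ref")."""
    path = job_workflow_ref.partition("@")[0]
    return path.rsplit("/", 1)[-1]


def matches(claims: dict, tp: TrustedPublisher) -> bool:
    """Check a token against one registered publisher (illustrative rules).

    Repository is compared case-insensitively (GitHub repo names are not
    case-sensitive); the workflow filename is compared exactly. Environment
    is enforced only when the publisher was registered with one.
    """
    repo = f"{tp.owner}/{tp.repo}"
    if claims.get("repository", "").lower() != repo.lower():
        return False
    path = claims.get("job_workflow_ref", "").partition("@")[0]
    ref_repo, _, ref_file = path.partition("/.github/workflows/")
    if ref_repo.lower() != repo.lower() or ref_file != tp.workflow_filename:
        return False
    return tp.environment is None or claims.get("environment") == tp.environment


def publisher_attribution(claims: dict) -> str:
    """Build the 'published by' text; only run_id is available, so the link
    targets the run, not the individual job."""
    repo = claims["repository"]
    name = workflow_filename(claims["job_workflow_ref"])
    return (f"published via GitHub Actions workflow {name} in {repo} "
            f"(https://github.com/{repo}/actions/runs/{claims['run_id']})")
```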
