database: Add trustpub_data columns to the trustpub_tokens and versions tables

Author: Turbo87

crates/crates_io_database/Cargo.toml

@@ -31,5 +31,5 @@ utoipa = { version = "=5.4.0", features = ["chrono"] }
 claims = "=0.8.0"
 crates_io_test_db = { path = "../crates_io_test_db" }
 googletest = "=0.14.2"
-insta = "=1.43.1"
+insta = { version = "=1.43.1", features = ["json"] }
 tokio = { version = "=1.46.0", features = ["macros", "rt"] }

crates/crates_io_database/src/models/mod.rs

@@ -14,6 +14,7 @@ pub use self::krate::{Crate, CrateName, NewCrate, RecentCrateDownloads};
 pub use self::owner::{CrateOwner, Owner, OwnerKind};
 pub use self::team::{NewTeam, Team};
 pub use self::token::ApiToken;
+pub use self::trustpub::TrustpubData;
 pub use self::user::{NewUser, User};
 pub use self::version::{NewVersion, TopVersions, Version};
 

crates/crates_io_database/src/models/trustpub/data.rs

@@ -0,0 +1,60 @@
+use diesel::deserialize::{self, FromSql};
+use diesel::pg::{Pg, PgValue};
+use diesel::serialize::{self, Output, ToSql};
+use diesel::sql_types::Jsonb;
+use diesel::{AsExpression, FromSqlRow};
+use serde::{Deserialize, Serialize};
+
+/// Data structure containing trusted publisher information extracted from JWT claims
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, FromSqlRow, AsExpression)]
+#[diesel(sql_type = Jsonb)]
+#[serde(tag = "provider")]
+pub enum TrustpubData {
+    #[serde(rename = "github")]
+    GitHub {
+        /// Repository (e.g. "octo-org/octo-repo")
+        repository: String,
+        /// Workflow run ID
+        run_id: String,
+        /// SHA of the commit
+        sha: String,
+    },
+}
+
+impl ToSql<Jsonb, Pg> for TrustpubData {
+    fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, Pg>) -> serialize::Result {
+        let json = serde_json::to_value(self)?;
+        <serde_json::Value as ToSql<Jsonb, Pg>>::to_sql(&json, &mut out.reborrow())
+    }
+}
+
+impl FromSql<Jsonb, Pg> for TrustpubData {
+    fn from_sql(bytes: PgValue<'_>) -> deserialize::Result<Self> {
+        let json = <serde_json::Value as FromSql<Jsonb, Pg>>::from_sql(bytes)?;
+        Ok(serde_json::from_value(json)?)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use insta::assert_json_snapshot;
+
+    #[test]
+    fn test_serialization() {
+        let data = TrustpubData::GitHub {
+            repository: "octo-org/octo-repo".to_string(),
+            run_id: "example-run-id".to_string(),
+            sha: "example-sha".to_string(),
+        };
+
+        assert_json_snapshot!(data, @r#"
+        {
+          "provider": "github",
+          "repository": "octo-org/octo-repo",
+          "run_id": "example-run-id",
+          "sha": "example-sha"
+        }
+        "#);
+    }
+}

crates/crates_io_database/src/models/trustpub/mod.rs

@@ -1,7 +1,9 @@
+mod data;
 mod github_config;
 mod token;
 mod used_jti;
 
+pub use self::data::TrustpubData;
 pub use self::github_config::{GitHubConfig, NewGitHubConfig};
 pub use self::token::NewToken;
 pub use self::used_jti::NewUsedJti;

crates/crates_io_database/src/models/trustpub/token.rs

@@ -1,3 +1,4 @@
+use crate::models::TrustpubData;
 use crate::schema::trustpub_tokens;
 use chrono::{DateTime, Utc};
 use diesel::prelude::*;
@@ -9,6 +10,7 @@ pub struct NewToken<'a> {
     pub expires_at: DateTime<Utc>,
     pub hashed_token: &'a [u8],
     pub crate_ids: &'a [i32],
+    pub trustpub_data: Option<&'a TrustpubData>,
 }
 
 impl NewToken<'_> {

crates/crates_io_database/src/models/version.rs

@@ -7,7 +7,7 @@ use diesel::prelude::*;
 use diesel_async::{AsyncPgConnection, RunQueryDsl};
 use serde::Deserialize;
 
-use crate::models::{Crate, User};
+use crate::models::{Crate, TrustpubData, User};
 use crate::schema::{readme_renderings, users, versions};
 
 // Queryable has a custom implementation below
@@ -36,6 +36,7 @@ pub struct Version {
     pub homepage: Option<String>,
     pub documentation: Option<String>,
     pub repository: Option<String>,
+    pub trustpub_data: Option<TrustpubData>,
 }
 
 impl Version {
@@ -103,6 +104,7 @@ pub struct NewVersion<'a> {
     repository: Option<&'a str>,
     categories: Option<&'a [&'a str]>,
     keywords: Option<&'a [&'a str]>,
+    trustpub_data: Option<&'a TrustpubData>,
 }
 
 impl NewVersion<'_> {

crates/crates_io_database/src/schema.rs

@@ -800,6 +800,8 @@ diesel::table! {
         hashed_token -> Bytea,
         /// Unique identifiers of the crates that can be published using this token
         crate_ids -> Array<Nullable<Int4>>,
+        /// JSONB data containing JWT claims from the trusted publisher (e.g., GitHub Actions context like repository, run_id, sha)
+        trustpub_data -> Nullable<Jsonb>,
     }
 }
 
@@ -1077,6 +1079,8 @@ diesel::table! {
         keywords -> Array<Nullable<Text>>,
         /// JSONB representation of the version number for sorting purposes.
         semver_ord -> Nullable<Jsonb>,
+        /// JSONB data containing JWT claims from the trusted publisher (e.g., GitHub Actions context like repository, run_id, sha)
+        trustpub_data -> Nullable<Jsonb>,
     }
 }
 

crates/crates_io_database_dump/src/dump-db.toml

@@ -206,6 +206,7 @@ created_at = "private"
 expires_at = "private"
 hashed_token = "private"
 crate_ids = "private"
+trustpub_data = "private"
 
 [trustpub_used_jtis.columns]
 id = "private"
@@ -280,6 +281,8 @@ documentation = "public"
 repository = "public"
 categories = "public"
 keywords = "public"
+# The following column is private for now, until we can guarantee a stable data schema.
+trustpub_data = "private"
 
 [versions_published_by.columns]
 version_id = "private"

migrations/2025-07-04-102806_add_trustpub_data_columns/down.sql

@@ -0,0 +1,5 @@
+-- Remove trustpub_data column from versions table
+ALTER TABLE versions DROP COLUMN trustpub_data;
+
+-- Remove trustpub_data column from trustpub_tokens table  
+ALTER TABLE trustpub_tokens DROP COLUMN trustpub_data;

migrations/2025-07-04-102806_add_trustpub_data_columns/up.sql

@@ -0,0 +1,7 @@
+-- Add trustpub_data column to trustpub_tokens table
+ALTER TABLE trustpub_tokens ADD COLUMN trustpub_data JSONB;
+COMMENT ON COLUMN trustpub_tokens.trustpub_data IS 'JSONB data containing JWT claims from the trusted publisher (e.g., GitHub Actions context like repository, run_id, sha)';
+
+-- Add trustpub_data column to versions table
+ALTER TABLE versions ADD COLUMN trustpub_data JSONB;
+COMMENT ON COLUMN versions.trustpub_data IS 'JSONB data containing JWT claims from the trusted publisher (e.g., GitHub Actions context like repository, run_id, sha)';