Copilot AI commented Dec 16, 2025

Migrates crates.io publishing from manual CARGO_REGISTRY_TOKEN secret to OIDC-based Trusted Publishing, matching existing PyPI and npm configurations.

Changes

.github/workflows/release.yml - Updated crates-publish job:

  • Added permissions.id-token: write for OIDC token generation
  • Added environment.name: crates for deployment protection
  • Replaced manual token with rust-lang/crates-io-auth-action@v1 authentication
  • Token now ephemeral (30m TTL) instead of long-lived secret
  crates-publish:
    name: "Crates: Publish"
    runs-on: ubuntu-latest
    needs: crates-verify
    timeout-minutes: 15
+   permissions:
+     id-token: write
+     contents: read
+   environment:
+     name: crates
+     url: https://crates.io/crates/feedparser-rs
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
+     - name: Authenticate with crates.io
+       uses: rust-lang/crates-io-auth-action@v1
+       id: auth
      - name: Publish to crates.io
        run: cargo publish -p feedparser-rs
        env:
-         CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+         CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
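Review bot: the new `uses: rust-lang/crates-io-auth-action@v1` step is referenced by a floating major tag, and this is the step that mints the credential used to publish the crate; pin it to a full commit SHA (keeping `# v1` as a trailing comment) so that a moved or compromised tag cannot silently swap in different action code, and treat `actions/checkout@v6`, `dtolnay/rust-toolchain@stable` and `Swatinem/rust-cache@v2` the same way while you are in this job. The rest of the hunk is consistent: `id-token: write` is the minimum permission the OIDC exchange needs, `contents: read` keeps checkout working under the now-explicit permissions block, and `timeout-minutes: 15` sits well inside the 30-minute token TTL the description mentions. Note that `environment: crates` only buys protection once the environment is created with its deployment-branch rule and the crates.io trusted publisher is registered with that same environment name, as the manual steps below say.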

Manual Configuration Required

Before next release:

  1. Configure trusted publisher on crates.io: bug-ops/feedparser-rs → workflow release.yml → environment crates
  2. Create GitHub environment crates with deployment branch restriction to v* tags
  3. Delete CARGO_REGISTRY_TOKEN secret after successful deployment

Security Impact

  • Eliminates long-lived API token
  • Tokens scoped to repository/workflow
  • Better supply chain auditability
  • Consistent security posture across all registries (PyPI, npm, crates.io)
Original prompt

This section details the original issue you should resolve

<issue_title>Configure Trusted Publishing for crates.io</issue_title>
<issue_description>## Summary

Migrate crates.io publishing from manual API token (CARGO_REGISTRY_TOKEN secret) to Trusted Publishing with OIDC, similar to how PyPI and npm are already configured.

Background

Crates.io now supports Trusted Publishing, which eliminates the need for long-lived API tokens. This is more secure because:

  • No manual token creation or rotation needed
  • Tokens are scoped to specific repositories and workflows
  • Short-lived tokens (30 minutes) that automatically expire
  • Better auditability and supply chain security

Current State

Registry    Trusted Publishing
PyPI        ✅ Configured
npm         ✅ Configured (with provenance)
crates.io   ❌ Uses CARGO_REGISTRY_TOKEN secret

Implementation Steps

1. Configure on crates.io (manual)

  1. Go to crates.io settings for the feedparser-rs crate
  2. Navigate to "Trusted Publishers" section
  3. Add GitHub as a trusted publisher:
    • Repository owner: bug-ops
    • Repository name: feedparser-rs
    • Workflow filename: release.yml
    • Environment: crates (optional, for extra protection)

2. Update GitHub Actions workflow

Replace the current crates-publish job:

crates-publish:
  name: "Crates: Publish"
  runs-on: ubuntu-latest
  needs: crates-verify
  timeout-minutes: 15
  permissions:
    id-token: write
    contents: read
  environment:
    name: crates
    url: https://crates.io/crates/feedparser-rs
  steps:
    - uses: actions/checkout@v6
    - uses: dtolnay/rust-toolchain@stable
    - uses: Swatinem/rust-cache@v2
    - name: Authenticate with crates.io
      uses: rust-lang/crates-io-auth-action@v1
      id: auth
    - name: Publish to crates.io
      run: cargo publish -p feedparser-rs
      env:
        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

3. Create GitHub Environment (optional but recommended)

  1. Go to repository Settings → Environments
  2. Create environment named crates
  3. Add protection rules:
    • Required reviewers (optional)
    • Deployment branches: only main or tags matching v*

4. Cleanup

After successful release with Trusted Publishing:

  • Delete the CARGO_REGISTRY_TOKEN secret from repository settings

References

Comments on the Issue (you are @copilot in this section)
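An added pre-release check that covers both the "Manual Configuration Required" list in the PR description and the "Implementation Steps" in the issue: a Python script, written for this page and not part of feedparser-rs or the PR, that scans a workflow file and reports whether any job running `cargo publish` still references the long-lived secret, grants `id-token: write`, uses the crates.io auth action and declares a deployment environment. The two workflow snippets embedded in it are constructed samples modelled on the before/after states of the diff above, and the scan is line-based (no PyYAML dependency), so it assumes the conventional two-space indentation used in that workflow.

```python
"""Audit a GitHub Actions workflow for crates.io Trusted Publishing prerequisites.

Added example for this page, not project code. The scan is line-based and
assumes two-space YAML indentation; no YAML library is required.
"""
import re

# Constructed sample: the publish job as it was before the PR (long-lived secret).
BEFORE = """\
jobs:
  crates-publish:
    name: "Crates: Publish"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Publish to crates.io
        run: cargo publish -p feedparser-rs
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
"""

# Constructed sample: the publish job after the PR (OIDC-based Trusted Publishing).
AFTER = """\
jobs:
  crates-publish:
    name: "Crates: Publish"
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    environment:
      name: crates
    steps:
      - uses: actions/checkout@v6
      - name: Authenticate with crates.io
        uses: rust-lang/crates-io-auth-action@v1
        id: auth
      - name: Publish to crates.io
        run: cargo publish -p feedparser-rs
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
"""


def split_jobs(workflow_text):
    """Return {job_id: [lines]} for every job under the top-level 'jobs:' key."""
    jobs, current, in_jobs = {}, None, False
    for line in workflow_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if not in_jobs:
            continue
        if indent == 0:  # another top-level key ends the jobs map
            in_jobs, current = False, None
            continue
        if indent == 2 and line.rstrip().endswith(":"):
            current = line.strip()[:-1]  # job id, e.g. "crates-publish"
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs


def audit_publish_job(lines):
    """Return a list of findings for one job; empty if it does not publish or is clean."""
    text = "\n".join(lines)
    findings = []
    if "cargo publish" not in text:
        return findings  # not a publishing job, nothing to check
    if "secrets.CARGO_REGISTRY_TOKEN" in text:
        findings.append("long-lived secret CARGO_REGISTRY_TOKEN still referenced")
    if not re.search(r"^\s*id-token:\s*write\s*$", text, re.M):
        findings.append("permissions.id-token: write missing (no OIDC token can be minted)")
    if not re.search(r"uses:\s*rust-lang/crates-io-auth-action@", text):
        findings.append("crates.io OIDC auth step (rust-lang/crates-io-auth-action) missing")
    if not re.search(r"^\s*environment:", text, re.M):
        findings.append("no deployment environment set; trusted publisher cannot be scoped to it")
    return findings


def audit_workflow(workflow_text):
    """Map job id -> findings, listing only jobs that have at least one finding."""
    result = {}
    for job_id, lines in split_jobs(workflow_text).items():
        findings = audit_publish_job(lines)
        if findings:
            result[job_id] = findings
    return result


if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(wf) or "OK")
```

Run it against the real `.github/workflows/release.yml` (read the file into `audit_workflow`) as the last step before deleting the `CARGO_REGISTRY_TOKEN` secret; an empty result means the workflow can no longer fall back to the old credential and every publish must go through the OIDC exchange.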


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Replace manual CARGO_REGISTRY_TOKEN secret with OIDC-based Trusted Publishing.

Changes:
- Add permissions.id-token: write for OIDC token generation
- Add permissions.contents: read for checkout access
- Configure 'crates' environment with crates.io URL
- Use rust-lang/crates-io-auth-action@v1 for authentication
- Update CARGO_REGISTRY_TOKEN to use ephemeral token from auth action

This matches the existing PyPI and npm Trusted Publishing configurations.

Co-authored-by: bug-ops <[email protected]>
Copilot AI changed the title [WIP] Configure Trusted Publishing for crates.io Configure Trusted Publishing for crates.io Dec 16, 2025
Copilot AI requested a review from bug-ops December 16, 2025 18:54
@bug-ops bug-ops marked this pull request as ready for review December 16, 2025 18:56
@github-actions github-actions bot added type: tooling Development tools, CI/CD, or infrastructure component: core feedparser-rs-core Rust library component: python Python bindings (PyO3) component: node Node.js bindings (napi-rs) component: ci CI/CD workflows and automation size: S Small PR (<50 lines changed) labels Dec 16, 2025
@codecov-commenter
Copy link

Codecov Report

✅ All modified and coverable lines are covered by tests.


@@           Coverage Diff           @@
##             main      #25   +/-   ##
=======================================
  Coverage   90.75%   90.75%           
=======================================
  Files          32       32           
  Lines        6175     6175           
=======================================
  Hits         5604     5604           
  Misses        571      571           
Flag Coverage Δ
rust-core 90.75% <ø> (ø)


@bug-ops bug-ops merged commit 0a9bebf into main Dec 16, 2025
36 of 56 checks passed
@bug-ops bug-ops deleted the copilot/configure-trusted-publishing branch December 16, 2025 19:04

Development

Successfully merging this pull request may close these issues.

Configure Trusted Publishing for crates.io

3 participants