[41.0.0] Migrate this workspace to using trusted publishing (#12277)

* Migrate this workspace to using trusted publishing (#12257)

This commit updates CI config and such to ensure that we're compatible
with crates.io-based trusted publishing. Eventually we'll want the
restriction that only `wasmtime-publish` is the user on all of our
crates, but for now this needs to land and get backported before that's
done.

Changes here are:

* The `publish-to-cratesio.yml` workflow now uses
  `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token.
  The in-repository secret is no longer used.
* The `publish-to-cratesio.yml` workflow has a new github "Environment"
  it runs in named `publish`
* The publish script no longer adds the
  `github:bytecodealliance:wasmtime-publish` user to crates.
* The publish script now verifies that the `wasmtime-publish` github
  users is on all crates.
* Eventually the publish script will verify that it's the only user on
  all the crates, but that's left for a future PR.

External changes are:

* A new `publish` "Environment" was added to this repository.
* All crates are configured on crates.io to have a trusted publishing
  workflow for this repository.
* All crates now require being published through a trusted publishing
  workflow.

My plan is to backport this to the 40.0.0 branch, run a point release,
fix anything that comes up, and then backport this to all supported
branches of Wasmtime.

* Update cargo-vet with trusted publishing support (#12285)

This updates the `cargo vet` used in CI to include support for trusted
publishing. This is necessary now that the latest version of Wasmtime
(40.0.1) is published with trusted publishing. I'm not entirely sure why
this is necessary, but it's going to be inevitable in the future anyway
as we transition to trusted publishing.

The `cargo vet` tool is now installed from git and new wildcard audits
for all wasmtime, wasm-tools, and wit-bindgen crates are added for the
appropriate trusted-publisher. Maintainers will need to install
cargo-vet from git as well, but unfortunately after the publish of
40.0.1 yesterday I don't think we have an option as otherwise CI is
broken.

Author: alexcrichton

.github/actions/install-cargo-vet/action.yml

@@ -5,7 +5,7 @@ inputs:
   version:
     description: 'Version to install'
     required: false
-    default: '0.10.0'
+    default: '8b40d6351ed9758a73a4a0bf2c930c17a35c5e15'
 
 runs:
   using: composite
@@ -16,5 +16,11 @@ runs:
         key: cargo-vet-bin-${{ inputs.version }}
     - run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
       shell: bash
-    - run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ inputs.version }} cargo-vet --locked
+    - run: |
+        cargo install \
+          --root ${{ runner.tool_cache }}/cargo-vet \
+          --rev ${{ inputs.version }} \
+          --git https://github.com/mozilla/cargo-vet \
+          --locked \
+          cargo-vet
       shell: bash

.github/workflows/publish-to-cratesio.yml

@@ -9,26 +9,32 @@ on:
     tags:
     - 'v*'
 
+permissions:
+  id-token: write
+
 jobs:
   publish:
     if: github.repository == 'bytecodealliance/wasmtime'
     runs-on: ubuntu-latest
+    environment: publish
     steps:
     - uses: actions/checkout@v4
       with:
         submodules: true
     - run: rustup update stable && rustup default stable
+    - uses: rust-lang/crates-io-auth-action@v1
+      id: auth
     - run: |
         rustc scripts/publish.rs
         ./publish publish
       env:
-        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
-    
+        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+
     # Manifest and publish the wasi-preview1-component-adapter-provider
     - uses: ./.github/actions/fetch-run-id
     - uses: ./.github/actions/build-adapter-provider
       with:
         run-id: ${{ env.COMMIT_RUN_ID }}
     - run: cargo publish -p wasi-preview1-component-adapter-provider --allow-dirty
       env:
-        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

scripts/publish.rs

@@ -31,7 +31,6 @@ const CRATES_TO_PUBLISH: &[&str] = &[
     "cranelift-bforest",
     "cranelift-codegen-shared",
     "cranelift-codegen-meta",
-    "cranelift-egraph",
     "cranelift-control",
     "cranelift-codegen",
     "cranelift-reader",
@@ -52,8 +51,6 @@ const CRATES_TO_PUBLISH: &[&str] = &[
     // wiggle
     "wiggle-generate",
     "wiggle-macro",
-    // winch
-    "winch",
     // wasmtime
     "wasmtime-internal-error",
     "wasmtime-internal-versioned-export-macros",
@@ -472,34 +469,6 @@ fn publish(krate: &Crate) -> bool {
         return false;
     }
 
-    // After we've published then make sure that the `wasmtime-publish` group is
-    // added to this crate for future publications. If it's already present
-    // though we can skip the `cargo owner` modification.
-    let Some(output) = curl(&format!(
-        "https://crates.io/api/v1/crates/{}/owners",
-        krate.name
-    )) else {
-        return false;
-    };
-    if output.contains("wasmtime-publish") {
-        println!(
-            "wasmtime-publish already listed as an owner of {}",
-            krate.name
-        );
-        return true;
-    }
-
-    // Note that the status is ignored here. This fails most of the time because
-    // the owner is already set and present, so we only want to add this to
-    // crates which haven't previously been published.
-    run_cmd(
-        Command::new("cargo")
-            .arg("owner")
-            .arg("-a")
-            .arg("github:bytecodealliance:wasmtime-publish")
-            .arg(&krate.name),
-    );
-
     true
 }
 
@@ -614,26 +583,42 @@ fn verify(crates: &[Crate]) {
     fn verify_crates_io(krate: &Crate) {
         let name = &krate.name;
         let Some(owners) = curl(&format!("https://crates.io/api/v1/crates/{name}/owners")) else {
-            panic!("failed to get owners for {name}", name = name);
+            panic!(
+                "
+failed to get owners for {name}
+
+If this crate does not exist on crates.io yet please ping wasmtime maintainers
+to add the crate on crates.io as a small shim. When doing so please remind them
+that the trusted publishing workflow must be configured as well.
+",
+                name = name,
+            );
         };
 
-        let assert_owner = |owner: &str| {
-            let owner_json = format!("\"{owner}\"");
-            if !owners.contains(&owner_json) {
-                panic!(
-                    "
-crate {name} is not owned by {owner}, please run:
+        // This is the id of the `wasmtime-publish` user on crates.io
+        if !owners.contains("\"id\":73222,") {
+            panic!(
+                "
+crate {name} is not owned by wasmtime-publish, please run:
 
-    cargo owner -a {owner} {name}
+    cargo owner -a wasmtime-publish {name}
 ",
-                    name = name
-                );
-            }
-        };
+                name = name,
+            );
+        }
+
+        // TODO: waiting for trusted publishing to be proven to work before
+        // activating this.
+        if false && owners.split("\"id\"").count() != 2 {
+            panic!(
+                "
+crate {name} is not exclusively owned by wasmtime-publish
 
-        // the wasmtime-publish github user
-        assert_owner("wasmtime-publish");
-        // the BA team which can publish crates
-        assert_owner("github:bytecodealliance:wasmtime-publish");
+Please contact wasmtime maintainers to ensure that `wasmtime-publish` is the
+only listed owner of the crate.
+",
+                name = name,
+            );
+        }
     }
 }