
Conversation

ematipico (Member)

Summary

When using trusted publishing, it means new crates must be published manually, which is still a DX drawback for us, where we add new crates quite often.

This PR switches the workflow to use the regular publishing system.

Test Plan

N/A

Docs

N/A

@ematipico ematipico requested review from a team October 20, 2025 15:55
@ematipico ematipico self-assigned this Oct 20, 2025
@changeset-bot
changeset-bot bot commented Oct 20, 2025

⚠️ No Changeset found

Latest commit: e4432b0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@coderabbitai

coderabbitai bot commented Oct 20, 2025

Walkthrough

The publish CI workflow was restructured: the PR branch is explicitly checked out at a specific commit using GITHUB_TOKEN, the Rust toolchain is installed via moonrepo/setup-rust with cache-base: main, and the previous checkout/auth actions were removed. The cargo publish --workspace --token step is retained and continues to use CRATES_IO_TOKEN for crates.io authentication.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Title Check: Passed. The title "ci: use classic tokens for crate publishing" directly aligns with the primary change in the PR, which switches the CI workflow from trusted publishing to the regular (classic) crate publishing system. The title is concise, clear, and specific enough for someone reviewing the commit history to understand that this change modifies how crate authentication is handled in the publishing workflow. It accurately reflects the main objective without unnecessary elaboration.

Description Check: Passed. The description clearly explains the motivation behind the change and directly relates to the changeset. The author identifies the specific problem (trusted publishing requires manual publication of new crates, which is a DX drawback) and articulates the solution (switching to the regular publishing system). Whilst the test and documentation sections are marked N/A, this is reasonable for a CI workflow change and doesn't diminish the relevance of the description to the actual modifications.

Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2063615 and 5f5d300.

📒 Files selected for processing (1)
  • .github/workflows/publish-crates.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Validate PR title
  • GitHub Check: triage
🔇 Additional comments (1)
.github/workflows/publish-crates.yml (1)

11-19: Verify environment variable scoping and checkout action version.

A couple of questions to confirm the workflow behaves as intended:

  1. The GITHUB_TOKEN environment variable on line 18 is nested under the Install toolchain step, but the checkout step (lines 11–12) runs first. Does the env var need to be hoisted to apply to the checkout step, or is the current placement correct?
  2. The checkout action is pinned to v4.3.0 (a downgrade from v5 mentioned in the summary). Is this intentional, or should it be updated to the latest v5?

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5f5d300 and e4432b0.

📒 Files selected for processing (1)
  • .github/workflows/publish-crates.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/publish-crates.yml (1)

10-18: Workflow structure looks sound.

The explicit checkout, Rust toolchain setup via moonrepo, and cargo publish command are all well-structured. The GITHUB_TOKEN placement at job level is appropriate for the checkout step, and using CRATES_IO_TOKEN for cargo publish is correct for classic token-based authentication.

Once the permissions block is addressed, this should be good to go.

Comment on lines 8 to 9
permissions:
id-token: write # Required for OIDC token exchange
steps:

⚠️ Potential issue | 🟠 Major

Declare minimal required permissions explicitly.

The permissions block is empty, which defaults to the repository's default permissions—potentially overly permissive. Instead, explicitly declare minimal required permissions.

The checkout action requires contents: read; the cargo publish step doesn't need additional permissions beyond that.

  permissions:
+   contents: read
  steps:
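Review bot: The suggestion adds `contents: read` but shows no `-` line for the `id-token: write # Required for OIDC token exchange` line quoted above, so it is not clear from the hunk alone that the OIDC grant is gone; if that line survives in the file, the job keeps the ability to mint OIDC tokens that classic-token publishing never uses. The resulting block should read exactly `permissions:` followed by `contents: read` and then `steps:`. Note also that once `id-token: write` is dropped, the `CRATES_IO_TOKEN` secret is the only credential that can publish, so it should be a long-lived token scoped to publishing and stored as a repository or environment secret rather than inherited from a broader context.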

This addresses the earlier feedback about removing id-token: write (no longer needed for classic token publishing) whilst following the principle of least privilege.

🧰 Tools
🪛 actionlint (1.7.8)

8-8: string should not be empty

(syntax-check)
8-8: "" is invalid for permission for all the scopes. available values are "read-all" and "write-all"

(permissions)

🤖 Prompt for AI Agents
.github/workflows/publish-crates.yml around lines 8 to 9: the permissions block
is empty which falls back to repo defaults; replace it with an explicit minimal
permissions declaration (remove any id-token: write) and set at least contents:
read for the checkout action so the workflow runs with least privilege.
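The least-privilege workflow shape the review above asks for, as an added example written for this page and not the repository's actual publish-crates.yml. It assumes the action versions actions/checkout@v4 and moonrepo/setup-rust@v1 and a tag-push trigger (the page does not show the real ones); the CRATES_IO_TOKEN secret, the cache-base: main input and the cargo publish --workspace command are taken from the walkthrough. The weak permission blocks are shown commented out next to the corrected one.

```yaml
name: Publish crates

on:
  push:
    tags: ["v*"]   # assumed trigger; the page does not show the workflow's real one

# Weak form 1: an empty block, which actionlint rejects and which falls back to
# the repository's default permissions (may be write-all):
# permissions:

# Weak form 2: the trusted-publishing grant left over after switching to tokens;
# it lets the job mint OIDC tokens that classic-token publishing never uses:
# permissions:
#   id-token: write

# Corrected: declare only what the steps need. actions/checkout needs contents: read;
# cargo publish authenticates with the crates.io token, not with GitHub permissions.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed version

      - name: Install toolchain
        uses: moonrepo/setup-rust@v1   # assumed version; cache-base is from the walkthrough
        with:
          cache-base: main

      - name: Publish to crates.io
        env:
          # Pass the secret through the environment instead of interpolating it
          # into the command line, so it does not end up in step logs or argv.
          CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
        run: cargo publish --workspace --token "$CRATES_IO_TOKEN"
```

With the top-level `permissions` block set, every job in the file inherits `contents: read` and nothing else; a job that later needs more can declare its own narrower block rather than widening the default for the whole workflow.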

@ematipico ematipico merged commit a5bb31e into main Oct 20, 2025
3 checks passed
@ematipico ematipico deleted the ci/crates-publishing branch October 20, 2025 20:33