Save and show JWT claims subset when Trusted Publishing is used #11513
For regular publishes we save and show the user that published the new version. For Trusted Publishing we currently don't do anything like that.
This PR proposes a new `versions.trustpub_data` JSONB column with a `provider` field and a subset of the relevant JWT claims. Specifically for GitHub Actions we save: `repository` (e.g. "rust-lang/crates.io"), the `run_id` (to be able to create URLs like https://github.com/rust-lang/crates.io/actions/runs/16069002415), and the `sha` (not visibly exposed yet, but could be quite useful in the future).

The frontend then shows the data on the version list, roughly like we do for the user publishers:

The "GitHub" label in this screenshot is clickable and leads to the corresponding job page on GitHub.

Similarly, the publish notification email template is adjusted to also show if versions were published by GitHub Actions via Trusted Publishing.

Note that this PR also adds a similar column to the `trustpub_tokens` table. At the time of publishing the JWT is no longer available, so we need to save the data during the token exchange and then copy it from one table to the other when crates are published with a Trusted Publishing token.

Related:
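The flow described above, written out as an added example that is not crates.io's code: the claim subset is extracted from the already verified GitHub Actions token at exchange time, validated so only well-formed values reach the JSONB column and the rendered run URL, and then copied from the token record to the version record at publish time. The `provider` value `"github"`, the struct and record names, the validation rules (repository as `owner/name`, numeric `run_id`, 40-hex-char `sha`) and the `main` input are all assumptions of this example; the claim names `repository`, `run_id` and `sha` are the ones named in the PR.

```rust
// Added example (not crates.io code): persisting a subset of GitHub Actions
// OIDC claims as `trustpub_data` and copying it from the token row to the
// version row at publish time. Names and validation rules are assumed.
use std::collections::HashMap;

/// Persisted subset of the GitHub Actions JWT claims.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct GitHubTrustpubData {
    pub repository: String, // e.g. "rust-lang/crates.io"
    pub run_id: String,     // numeric string, e.g. "16069002415"
    pub sha: String,        // 40-char lowercase hex commit SHA
}

/// Provider-tagged data as stored in the JSONB column.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum TrustpubData {
    GitHub(GitHubTrustpubData),
}

// Validation rules (assumed): keep the stored values and the URL built from
// them restricted to the shapes GitHub actually emits for these claims.
fn valid_repository(s: &str) -> bool {
    let mut parts = s.split('/');
    match (parts.next(), parts.next(), parts.next()) {
        (Some(owner), Some(name), None) => {
            let ok = |p: &str| {
                !p.is_empty()
                    && p != "."
                    && p != ".."
                    && p.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.'))
            };
            ok(owner) && ok(name)
        }
        _ => false,
    }
}

fn valid_run_id(s: &str) -> bool {
    !s.is_empty() && s.len() <= 20 && s.bytes().all(|b| b.is_ascii_digit())
}

fn valid_sha(s: &str) -> bool {
    s.len() == 40 && s.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'))
}

impl TrustpubData {
    /// Extract the persisted subset from the claim set. Signature, `iss`,
    /// `aud` and `exp` are assumed to have been checked by the token
    /// exchange before this runs. Returns `None` if a required claim is
    /// missing or malformed, so nothing unexpected is stored or linked.
    pub fn from_github_claims(claims: &HashMap<&str, &str>) -> Option<Self> {
        let repository = *claims.get("repository")?;
        let run_id = *claims.get("run_id")?;
        let sha = *claims.get("sha")?;
        if !(valid_repository(repository) && valid_run_id(run_id) && valid_sha(sha)) {
            return None;
        }
        Some(TrustpubData::GitHub(GitHubTrustpubData {
            repository: repository.to_string(),
            run_id: run_id.to_string(),
            sha: sha.to_string(),
        }))
    }

    /// Link behind the "GitHub" label on the version list.
    pub fn run_url(&self) -> String {
        match self {
            TrustpubData::GitHub(d) => {
                format!("https://github.com/{}/actions/runs/{}", d.repository, d.run_id)
            }
        }
    }

    /// JSON document for the JSONB column. Values passed validation above,
    /// so they contain no characters that would need JSON escaping.
    pub fn to_json(&self) -> String {
        match self {
            TrustpubData::GitHub(d) => format!(
                r#"{{"provider":"github","repository":"{}","run_id":"{}","sha":"{}"}}"#,
                d.repository, d.run_id, d.sha
            ),
        }
    }
}

/// Minimal stand-ins for the two table rows (names assumed).
pub struct TrustpubToken { pub trustpub_data: Option<TrustpubData> }
pub struct Version { pub num: String, pub trustpub_data: Option<TrustpubData> }

/// Publish step: the JWT is gone by now, so the subset saved at token
/// exchange is copied from the token row onto the new version row.
pub fn publish_with_token(token: &TrustpubToken, num: &str) -> Version {
    Version { num: num.to_string(), trustpub_data: token.trustpub_data.clone() }
}

fn main() {
    // Constructed claim set, shaped like a GitHub Actions OIDC token payload.
    let claims: HashMap<&str, &str> = HashMap::from([
        ("iss", "https://token.actions.githubusercontent.com"),
        ("repository", "rust-lang/crates.io"),
        ("repository_owner", "rust-lang"),
        ("run_id", "16069002415"),
        ("sha", "0123456789abcdef0123456789abcdef01234567"),
        ("actor", "octocat"),
    ]);
    let data = TrustpubData::from_github_claims(&claims).expect("valid claims");
    println!("{}", data.to_json());
    println!("{}", data.run_url());
    let token = TrustpubToken { trustpub_data: Some(data) };
    let version = publish_with_token(&token, "1.2.3");
    println!("{} -> {:?}", version.num, version.trustpub_data);
}
```

The point of validating before storing is that the stored strings are later interpolated into a URL and an email; rejecting a malformed claim set at exchange time is cheaper than sanitising at every place that renders it.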