fix: improve publish auth and add debugging

njsmith · njsmith · commit 1cf411f6126b · 2026-03-17T02:37:34.000Z
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,7 +1,8 @@
 # Security notes:
-# - GitHub-owned actions (actions/checkout) use tag pins
-# - Third-party actions (jfrog/setup-jfrog-cli) are pinned to full commit SHAs
-# - Rust toolchain comes from the runner's pre-installed rustup
+# - GitHub-owned actions use tag pins, third-party actions use SHA pins
+# - Only two external actions: actions/checkout (GitHub-owned) and
+#   jfrog/setup-jfrog-cli (allowlisted, handles OIDC auth)
+# - Rust toolchain uses the runner's pre-installed rustup
 # - The publish environment requires the anthropic-1.49.0 branch
 name: Publish to Artifactory
 
@@ -27,28 +28,48 @@ jobs:
           rustup show
 
       - name: Setup JFrog CLI
+        id: setup-jfrog
         uses: jfrog/setup-jfrog-cli@ff5cb544114ffc152db9cea1cd3d5978d5074946  # v4.5.11
         env:
           JF_URL: https://artifactory.infra.ant.dev
         with:
           oidc-provider-name: github
           oidc-audience: jfrog-github
 
-      - name: Configure Cargo
+      - name: Configure Cargo Registry
         run: |
-          ARTIFACTORY_TOKEN=$(jf config show | grep "Access Token" | awk '{print $3}')
           mkdir -p ~/.cargo
-          cat >> ~/.cargo/config.toml << EOF
+          cat >> ~/.cargo/config.toml << 'EOF'
           [registries.crates-internal]
           index = "sparse+https://artifactory.infra.ant.dev/artifactory/api/cargo/crates-internal/index/"
           credential-provider = ["cargo:token"]
           EOF
-          # TODO: Consider adding crates-io source replacement through Artifactory proxy
-          # once OIDC token read access to the crates-io proxy is confirmed.
-          # For now, cargo resolves dependencies from public crates.io directly.
-          cargo login --registry crates-internal <<< "Bearer ${ARTIFACTORY_TOKEN}"
+
+      - name: Debug - Verify Access
+        env:
+          CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN: "Bearer ${{ steps.setup-jfrog.outputs.oidc-token }}"
+        run: |
+          echo "=== Token check ==="
+          echo "Token length: ${#CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN}"
+          echo "Token starts with Bearer: $(echo "$CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN" | grep -c '^Bearer ')"
+
+          echo ""
+          echo "=== JFrog CLI ping ==="
+          jf rt ping
+
+          echo ""
+          echo "=== Cargo config ==="
+          cat ~/.cargo/config.toml
+
+          echo ""
+          echo "=== curl test (with auth) ==="
+          curl -sI -H "Authorization: ${CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN}" \
+            "https://artifactory.infra.ant.dev/artifactory/api/cargo/crates-internal/index/to/ki/tokio" \
+            2>&1 | grep -E "HTTP|WWW-Auth" || true
 
       - name: Publish tokio to Artifactory
+        env:
+          CARGO_REGISTRIES_CRATES_INTERNAL_TOKEN: "Bearer ${{ steps.setup-jfrog.outputs.oidc-token }}"
         run: |
           cd tokio
           cargo publish --registry crates-internal --allow-dirty
