
ci(publish): switch cargo publishing to trusted OIDC auth#403

Merged
dev-jodee merged 3 commits intomainfrom
ci/trusted-publishing-cargo
Mar 27, 2026

Conversation

Contributor

@dev-jodee dev-jodee commented Mar 27, 2026

Summary

  • Adds id-token: write permission to the publish workflow so GitHub Actions can issue OIDC identity tokens
  • Removes CARGO_REGISTRY_TOKEN env vars from both cargo publish steps
  • cargo publish automatically exchanges the OIDC token with crates.io when no static token is present

Prerequisites (manual, before next publish run)

On crates.io, add a Trusted Publisher for both crates:

Crate Owner Repository Workflow
kora-lib solana-foundation kora rust-publish.yml
kora-cli solana-foundation kora rust-publish.yml

After a successful publish run, the KORA_CLI_REGISTRY_TOKEN secret can be removed from repository settings.

Test Plan

  • Trigger the Publish Rust Crates workflow manually after crates.io is configured
  • Confirm both publish steps succeed without the KORA_CLI_REGISTRY_TOKEN secret


Replace long-lived KORA_CLI_REGISTRY_TOKEN API token with crates.io
trusted publishing via GitHub Actions OIDC identity tokens.

Adds id-token: write permission and removes CARGO_REGISTRY_TOKEN env
vars from both publish steps. The operator must add a trusted publisher
entry on crates.io for kora-lib and kora-cli pointing to this workflow
before the next publish run.
@dev-jodee dev-jodee requested a review from amilz as a code owner March 27, 2026 14:33
@github-actions

github-actions bot commented Mar 27, 2026

📊 TypeScript Coverage Report

Coverage: 33.1%

Coverage artifacts have been uploaded to this workflow run.

Contributor

@devin-ai-integration devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.


Contributor

greptile-apps bot commented Mar 27, 2026

Greptile Summary

This PR migrates crates.io publishing authentication from a long-lived static CARGO_REGISTRY_TOKEN secret to GitHub Actions OIDC trusted publishing. Two changes are made: id-token: write is added to the workflow permissions so the runner can obtain a short-lived OIDC token, and the CARGO_REGISTRY_TOKEN environment variable is removed from both cargo publish steps so cargo automatically exchanges the OIDC token with crates.io.

  • The approach is technically correct — when no static token is present and id-token: write is available, cargo uses the OIDC exchange path with crates.io.
  • The prerequisite (registering a Trusted Publisher on crates.io for both kora-lib and kora-cli) must be completed before the next workflow run, as documented in the PR description.
  • CLAUDE.md (line 281) still lists KORA_CLI_REGISTRY_TOKEN under "GitHub Secrets Required" — consider updating that entry to document the new OIDC setup once the Trusted Publisher is in place and the old secret is removed.
  • Minor: id-token: write is declared at the workflow level rather than scoped to the single publish job; see inline comment.

Confidence Score: 5/5

Safe to merge — the change is a straightforward, correct migration to OIDC trusted publishing with no runtime risk once the crates.io Trusted Publisher prerequisite is configured.

All findings are P2 (style/best-practice). The core logic is correct: adding id-token: write and removing the static token env var is exactly the right mechanism for OIDC trusted publishing on crates.io. No blocking issues remain.

No files require special attention; the single changed file is straightforward.

Important Files Changed

Filename Overview
.github/workflows/rust-publish.yml Adds id-token: write at workflow level and removes both CARGO_REGISTRY_TOKEN env vars, correctly migrating from static token to crates.io OIDC trusted publishing; one minor style note about scoping the new permission to the job level instead of the workflow level.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions Runner
    participant OIDC as GitHub OIDC Provider
    participant Cargo as cargo publish
    participant CratesIO as crates.io

    GHA->>OIDC: Request OIDC token (id-token: write)
    OIDC-->>GHA: Short-lived JWT (audience: crates.io)
    GHA->>Cargo: cargo publish -p kora-lib --locked
    Cargo->>CratesIO: Exchange OIDC JWT for session token
    CratesIO-->>Cargo: Session token (verified against Trusted Publisher config)
    Cargo->>CratesIO: Publish kora-lib with session token
    CratesIO-->>Cargo: Publish success
    GHA->>GHA: Wait 30s for crates.io indexing
    GHA->>Cargo: cargo publish -p kora-cli --locked
    Cargo->>CratesIO: Exchange OIDC JWT for session token
    CratesIO-->>Cargo: Session token
    Cargo->>CratesIO: Publish kora-cli with session token
    CratesIO-->>Cargo: Publish success

Reviews (1): Last reviewed commit: "ci(publish): switch cargo publishing to ..."

greptile-apps[bot]

This comment was marked as resolved.

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
devin-ai-integration[bot]

This comment was marked as resolved.

The Greptile suggestion was applied incorrectly, inserting a duplicate
top-level jobs: key. YAML last-key-wins semantics caused the id-token:
write permission block to be silently discarded, leaving cargo publish
with no auth mechanism.

Fix: remove the duplicate jobs/publish block and add the permissions
block directly under the single publish job. Also update CLAUDE.md to
remove the stale KORA_CLI_REGISTRY_TOKEN secret reference.
@dev-jodee dev-jodee merged commit bc96e85 into main Mar 27, 2026
3 checks passed
@dev-jodee dev-jodee deleted the ci/trusted-publishing-cargo branch March 27, 2026 17:09
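Two things on this thread are worth being able to check mechanically before a publish run: the workflow shape the PR description asks for (the publish job effectively holds `id-token: write` and neither `cargo publish` step still sets `CARGO_REGISTRY_TOKEN`), and the failure mode the follow-up commit describes (a misapplied suggestion left a duplicate top-level `jobs:` key, and last-key-wins YAML loading silently dropped the permission block). The script below is an added example written for this page, not code from the kora repository or from any of the review bots. The sample workflows are constructed from the details visible on the page (workflow name, the two `cargo publish -p … --locked` steps, the 30-second wait, the `KORA_CLI_REGISTRY_TOKEN` secret) and are not the real `rust-publish.yml`. It uses a small hand-written YAML subset reader so that it can reject duplicate keys and needs no third-party library; the permission logic assumes GitHub's documented rule that a job-level `permissions` block fully replaces the workflow-level one.

```python
"""Audit a GitHub Actions publish workflow for crates.io trusted publishing.

Checks: (1) duplicate mapping keys are an error rather than last-key-wins,
(2) the publish job effectively has `id-token: write`, and (3) no
`cargo publish` step still sets CARGO_REGISTRY_TOKEN (a static token would
be used instead of the OIDC exchange). The YAML reader is a deliberate
subset: block mappings, block sequences and plain scalars only.
"""


class DuplicateKeyError(ValueError):
    """A repeated key; a standard loader would silently keep the last value."""


def _lines(text):
    # (indent, content) for every non-blank, non-comment line
    out = []
    for raw in text.splitlines():
        s = raw.strip()
        if s and not s.startswith("#"):
            out.append([len(raw) - len(raw.lstrip(" ")), s])
    return out


def _scalar(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s


def _parse_map(lines, i, indent):
    result = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        key = key.strip()
        if key in result:  # the misapplied-suggestion failure mode
            raise DuplicateKeyError(f"duplicate key {key!r} at indent {indent}")
        i += 1
        if rest.strip():
            result[key] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            result[key], i = _parse_block(lines, i, lines[i][0])
        else:
            result[key] = None  # e.g. `workflow_dispatch:` with no options
    return result, i


def _parse_list(lines, i, indent):
    result = []
    while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
        item = lines[i][1][2:].strip()
        if ":" in item:  # "- name: x" opens a mapping continued at indent+2
            lines[i] = [indent + 2, item]
            value, i = _parse_map(lines, i, indent + 2)
        else:
            value, i = _scalar(item), i + 1
        result.append(value)
    return result, i


def _parse_block(lines, i, indent):
    if lines[i][1].startswith("- "):
        return _parse_list(lines, i, indent)
    return _parse_map(lines, i, indent)


def load_workflow(text):
    lines = _lines(text)
    doc, i = _parse_block(lines, 0, lines[0][0])
    if i != len(lines):
        raise ValueError(f"unparsed content at: {lines[i][1]!r}")
    return doc


def effective_permissions(workflow, job_name):
    """A job-level `permissions` block replaces the workflow-level one entirely."""
    perms = workflow["jobs"][job_name].get("permissions")
    if perms is None:
        perms = workflow.get("permissions")
    return perms if isinstance(perms, dict) else {}


def audit_publish_job(text, job_name="publish"):
    """Return findings (empty list = OIDC-ready); raises DuplicateKeyError."""
    wf = load_workflow(text)
    findings = []
    if effective_permissions(wf, job_name).get("id-token") != "write":
        findings.append(f"job {job_name!r} lacks id-token: write; no OIDC token can be minted")
    for step in wf["jobs"][job_name].get("steps") or []:
        run = step.get("run") or ""
        if "cargo publish" in run and "CARGO_REGISTRY_TOKEN" in (step.get("env") or {}):
            findings.append(f"step {step.get('name', run)!r} still sets CARGO_REGISTRY_TOKEN; "
                            "a static token would be used instead of OIDC")
    return findings


def _workflow(job_perms="", step_env=""):
    # Constructed sample shaped like the PR's rust-publish.yml; not the project's file.
    return f"""name: Publish Rust Crates
on:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
{job_perms}    steps:
      - uses: actions/checkout@v4
      - name: Publish kora-lib
        run: cargo publish -p kora-lib --locked
{step_env}      - name: Wait for crates.io index
        run: sleep 30
      - name: Publish kora-cli
        run: cargo publish -p kora-cli --locked
{step_env}"""


OIDC_PERMS = "    permissions:\n      contents: read\n      id-token: write\n"
STATIC_ENV = "        env:\n          CARGO_REGISTRY_TOKEN: ${{ secrets.KORA_CLI_REGISTRY_TOKEN }}\n"
BEFORE_STATIC = _workflow(step_env=STATIC_ENV)          # pre-PR: long-lived token
AFTER_OIDC = _workflow(job_perms=OIDC_PERMS)            # job-scoped id-token: write
BROKEN_DUPLICATE_JOBS = AFTER_OIDC + (                  # second top-level jobs: block
    "jobs:\n  publish:\n    runs-on: ubuntu-latest\n    steps:\n"
    "      - run: cargo publish -p kora-lib --locked\n")

if __name__ == "__main__":
    for label, text in [("static token", BEFORE_STATIC), ("oidc", AFTER_OIDC),
                        ("duplicate jobs", BROKEN_DUPLICATE_JOBS)]:
        try:
            print(label, "->", audit_publish_job(text) or "OK")
        except DuplicateKeyError as exc:
            print(label, "-> REJECTED:", exc)
```

Running it flags the static-token workflow three times (missing permission plus both publish steps), passes the job-scoped OIDC workflow, and rejects the duplicate-`jobs:` file outright, which is the check that would have caught the misapplied suggestion before it reached a publish run.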