chore(ci): use crates.io trusted publishing in release-plz #9793

Replaces the long-lived CARGO_REGISTRY_TOKEN secret with an OIDC-minted, 30-minute token via rust-lang/crates-io-auth-action. Requires each published crate (mise, vfox, aqua-registry, mise-interactive-config) to have a Trusted Publisher configured on crates.io pointing at this workflow.

See: https://crates.io/docs/trusted-publishing

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

Greptile Summary: Replaces the long-lived

Confidence Score: 5/5

Safe to merge once the crates.io trusted publisher entries are configured as described in the PR checklist. The change is a targeted credential hygiene improvement: long-lived secret replaced by a 30-minute OIDC token, permissions narrowed to job scope, action SHA-pinned. The 20-minute job timeout keeps execution well within the token's validity window, and both auth methods work simultaneously so rollout is safe. No files require special attention; the only prerequisite is the out-of-band crates.io trusted publisher setup documented in the PR.

Reviews (2): Last reviewed commit: "chore(ci): scope release-plz permissions..."
Move pull-requests/contents/id-token permissions from workflow scope to the release-plz job. Limits the OIDC capability to the only job that needs it if more jobs are added later.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Hyperfine Performance

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.5.6 x -- echo | 18.3 ± 0.8 | 16.9 | 22.2 | 1.00 |
| mise x -- echo | 18.7 ± 1.1 | 16.7 | 32.3 | 1.02 ± 0.07 |

**mise env**

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.5.6 env | 18.3 ± 0.9 | 16.3 | 22.8 | 1.00 |
| mise env | 18.3 ± 0.7 | 16.6 | 21.6 | 1.00 ± 0.06 |

**mise hook-env**

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.5.6 hook-env | 19.3 ± 0.9 | 17.7 | 24.6 | 1.00 |
| mise hook-env | 19.5 ± 0.9 | 17.5 | 23.2 | 1.01 ± 0.06 |

**mise ls**

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.5.6 ls | 15.7 ± 0.7 | 14.1 | 19.2 | 1.00 |
| mise ls | 15.9 ± 0.8 | 13.9 | 20.7 | 1.02 ± 0.07 |

**xtasks/test/perf**

| Command | mise-2026.5.6 | mise | Variance |
|---|---|---|---|
| install (cached) | 123ms | 125ms | -1% |
| ls (cached) | 58ms | 57ms | +1% |
| bin-paths (cached) | 61ms | 63ms | -3% |
| task-ls (cached) | 484ms | 486ms | +0% |
…#9794)

## Summary

The `aube` section of [test_npm_package_manager](e2e/backend/test_npm_package_manager) installed `aube@latest` while bypassing `MISE_MINIMUM_RELEASE_AGE`. aube v1.11.0 published on 2026-05-11T22:05Z broke `aube add --global npm:tiny@... --reporter append-only`, and the next `e2e-4` run on main (2026-05-12T00:37Z) failed — even though the previous main run at 19:58Z was green.

Two changes:

- **Pin to `aube@1.10.4`** (the last known-good release before 1.11.0). Matches the pinning style already used for `pnpm@10.16.0` in the same file.
- **Print the aube debug log on install failure** so future regressions are diagnosable from CI logs alone, mirroring the existing pattern in the pnpm block.

## Background

Symptom on main (run [25705764714 / e2e-4](https://github.com/jdx/mise/actions/runs/25705764714/job/75475700001)):

```
$ MISE_DEBUG=1 mise install >'.../aube_debug.log' 2>&1
##[error][MISE_DEBUG=1 mise install >...] command failed with status 1
```

The current test uses `assert_succeed` which doesn't print captured output on failure — the second change above fixes that.

This PR does **not** investigate the underlying aube v1.11.0 regression; that should be filed separately against endevco/aube. The pin keeps mise's own CI green in the meantime.

## Test plan

- [ ] e2e-4 turns green on this PR
- [ ] After this lands, re-run [PR #9793](#9793) to confirm it goes green
- [ ] Open an issue (or PR) against endevco/aube for the v1.11.0 install regression

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

> [!NOTE]
> **Low Risk**
> Low risk: changes are confined to an e2e shell test and only affect CI diagnostics and dependency pinning, not production behavior.
>
> **Overview**
> Pins the `aube` install used by `e2e/backend/test_npm_package_manager` to an explicit `AUBE_TEST_VERSION` instead of `@latest` (still bypassing `MISE_MINIMUM_RELEASE_AGE`) to avoid CI breakage from upstream releases.
>
> Updates the `aube` install step to **dump the captured debug log and fail fast** when `mise install` errors, making CI failures diagnosable from logs.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 0e55ffc.</sup>

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
### 🐛 Bug Fixes

- **(backend)** use runtime paths for backend bin dirs by @risu729 in [#9606](#9606)
- **(ci)** preserve vendor/aqua-registry/ in PPA publish workflow by @jdx in [#9782](#9782)
- **(ci)** set UTF-8 locale in e2e Docker image by @jdx in [#9820](#9820)
- **(ci)** pass UTF-8 locale through to e2e tests by @jdx in [#9823](#9823)
- **(conda)** dedup repodata by archive identifier instead of URL by @jdx in [#9831](#9831)
- **(github)** use default shell for credential command by @risu729 in [#9664](#9664)
- **(settings)** distinguish unset known settings from unknown ones by @jdx in [#9818](#9818)
- **(upgrade)** remove completed progress jobs to prevent duplicate output by @jdx in [#9779](#9779)
- **(vfox)** resolve GitHub token lazily inside Lua plugins by @jdx in [#9816](#9816)

### 🚜 Refactor

- **(config)** separate core and backend tool options by @risu729 in [#9753](#9753)
- **(schema)** reuse env directive property schemas by @risu729 in [#9651](#9651)

### 📚 Documentation

- **(aliases)** fix Aliased Versions example and drop stale asdf callout by @jdx in [#9830](#9830)

### ⚡ Performance

- **(aqua)** use phf for baked registry lookups by @risu729 in [#9763](#9763)
- **(task)** cache per-file content hashes for source_freshness_hash_contents by @jdx in [#9819](#9819)

### 🧪 Testing

- **(e2e)** pin aube to known-good version in npm package_manager test by @jdx in [#9794](#9794)

### 📦 Registry

- replace unsupported exe options by @risu729 in [#9587](#9587)
- update pi by @garysassano in [#9792](#9792)

### Chore

- **(ci)** use non-large runners for release builds by @jdx in [#9786](#9786)
- **(ci)** compare registry PRs from fork point by @risu729 in [#9643](#9643)
- **(ci)** make build-copr.sh the single source of truth for COPR chroots by @jdx in [#9788](#9788)
- **(ci)** use crates.io trusted publishing in release-plz by @jdx in [#9793](#9793)
- **(ci)** remove autofix.ci workflow by @jdx in [#9801](#9801)
- **(ci)** restore -large runner for Linux release builds by @jdx in [#9815](#9815)
- **(ci)** add zizmor workflow for github actions security analysis by @jdx in [#9804](#9804)
- **(ci)** assert mise run render produces no diff by @jdx in [#9803](#9803)
- **(copr)** publish EL9 builds via centos-stream+epel-next-9 chroot by @jdx in [#9787](#9787)

### Ci

- remove pull_request_target workflow by @jdx in [#9799](#9799)
- remove caching from publishing workflows by @jdx in [#9800](#9800)

### Security

- reject shell metacharacters in version strings and CI inputs by @jdx in [#9814](#9814)

## 📦 Aqua Registry Updates

### New Packages (11)

- [`Code-Hex/Neo-cowsay`](https://github.com/Code-Hex/Neo-cowsay)
- [`SonarSource/sonarqube-cli`](https://github.com/SonarSource/sonarqube-cli)
- [`earendil-works/pi`](https://github.com/earendil-works/pi)
- [`hylo-lang/hylo-new`](https://github.com/hylo-lang/hylo-new)
- [`jfernandez/bpftop`](https://github.com/jfernandez/bpftop)
- [`modem-dev/hunk`](https://github.com/modem-dev/hunk)
- [`npm/cli`](https://github.com/npm/cli)
- [`racket/racket/minimal`](https://github.com/racket/racket)
- [`slackapi/slack-cli`](https://github.com/slackapi/slack-cli)
- [`vectordotdev/vector`](https://github.com/vectordotdev/vector)
- [`wasilibs/go-yamllint`](https://github.com/wasilibs/go-yamllint)

### Updated Packages (10)

- [`DataDog/pup`](https://github.com/DataDog/pup)
- [`aquasecurity/trivy`](https://github.com/aquasecurity/trivy)
- [`astral-sh/uv`](https://github.com/astral-sh/uv)
- [`caarlos0/svu`](https://github.com/caarlos0/svu)
- [`cargo-bins/cargo-binstall`](https://github.com/cargo-bins/cargo-binstall)
- [`foundry-rs/foundry`](https://github.com/foundry-rs/foundry)
- [`gastownhall/beads`](https://github.com/gastownhall/beads)
- [`gruntwork-io/terragrunt`](https://github.com/gruntwork-io/terragrunt)
- [`pnpm/pnpm`](https://github.com/pnpm/pnpm)
- [`santosr2/TerraTidy`](https://github.com/santosr2/TerraTidy)
## Summary

Switches from the `CARGO_REGISTRY_TOKEN` secret to an OIDC-minted, 30-minute token via `rust-lang/crates-io-auth-action`. Adds the `id-token: write` permission and wires the action's `token` output into `cargo publish` (called from `xtasks/release-plz`).

## Required crates.io setup (before this merges)

For each crate published from this repo — `mise`, `vfox`, `aqua-registry`, `mise-interactive-config` — go to crates.io → crate Settings → Trusted Publishing → Add → GitHub, and fill in:

- Repository owner: `jdx`
- Repository name: `mise`
- Workflow filename: `release-plz.yml`

Both auth methods work simultaneously, so `secrets.CARGO_REGISTRY_TOKEN` can stay configured during rollout and be deleted after the first successful release on the new flow.

## Test plan

- [ ] Trusted Publisher for `mise` configured on crates.io before merge
- [ ] Trusted Publishers for `vfox`, `aqua-registry`, `mise-interactive-config` configured
- [ ] `crates-io-auth` step mints a token and `cargo publish` succeeds for each crate
- [ ] Delete the `CARGO_REGISTRY_TOKEN` repo secret

🤖 Generated with Claude Code
> [!NOTE]
> **Medium Risk**
> Changes the release workflow's crates.io authentication mechanism, which could break automated publishing if OIDC/trusted publishing isn't configured correctly. Permissions are adjusted to allow OIDC (`id-token: write`), increasing the blast radius of misconfiguration.
>
> **Overview**
> Switches the `release-plz` workflow from using `secrets.CARGO_REGISTRY_TOKEN` to `rust-lang/crates-io-auth-action` and wires its minted token into `CARGO_REGISTRY_TOKEN` for the release step.
>
> Moves workflow permissions to the job level and adds `id-token: write` to enable OIDC-based authentication during publishing.
>
> <sup>Reviewed by Cursor Bugbot for commit ab3726b.</sup>
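The workflow shape that the PR summary and the "scope release-plz permissions" commit describe, as an added before/after example. This is not jdx/mise's actual `release-plz.yml` (the page does not show it): the job names, the checkout step, the `./xtasks/release-plz` invocation, `timeout-minutes`, the `@v1` tag (the PR pins the action to a commit SHA instead) and the second `lint` job are assumptions made for illustration; `id-token: write`, the `token` output and the `CARGO_REGISTRY_TOKEN` wiring are what the PR states.

```yaml
# Added example, not the project's own release-plz.yml. Job names, the
# xtasks invocation, timeout-minutes and the lint job are assumptions.
name: release-plz
on:
  push:
    branches: [main]

# BEFORE (what the PR replaces). A workflow-level permissions block applies
# to every job, and publishing authenticates with a long-lived repository
# secret that stays valid until someone rotates it.
#
# permissions:
#   contents: write
#   pull-requests: write
#
# jobs:
#   release-plz:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#       - run: ./xtasks/release-plz   # assumed wrapper around cargo publish
#         env:
#           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

# AFTER. No workflow-level permissions; only the release job receives the
# grants it needs, including id-token: write so GitHub issues it an OIDC
# token. crates-io-auth-action exchanges that OIDC token for a 30-minute
# crates.io token, and crates.io accepts the exchange only for crates whose
# Trusted Publisher entry names owner jdx, repository mise and workflow
# release-plz.yml.
jobs:
  release-plz:
    runs-on: ubuntu-latest
    timeout-minutes: 20   # the job cannot outlive the token's 30-minute validity
    permissions:
      contents: write
      pull-requests: write
      id-token: write     # OIDC capability, granted to this job only
    steps:
      - uses: actions/checkout@v4
      - id: auth
        # The PR pins this action to a commit SHA; the tag stands in here.
        uses: rust-lang/crates-io-auth-action@v1
      - run: ./xtasks/release-plz   # assumed wrapper around cargo publish
        env:
          # The short-lived token from the action's output replaces the secret.
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

  # A job without its own permissions block gets the repository default and
  # has no id-token grant, so a compromised step here cannot mint a crates.io
  # token even though it runs in the same workflow file.
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo fmt --check
```

Two things to check when adopting this shape: the Trusted Publisher entry on crates.io must match the workflow filename exactly, otherwise the token exchange fails and the `cargo publish` step errors (which is why the PR keeps `secrets.CARGO_REGISTRY_TOKEN` configured until the first successful OIDC release); and any new job added later must not be given `id-token: write` unless it publishes, since job-level permissions are what keeps the OIDC capability from spreading to the rest of the workflow.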