Publish all rust-lang crates published on crates.io with trusted publishing

[marcoieni]

trusted publishing is now available on crates.io and allows to publish crates without the need to have a token stored in CI. This is the most secure way to publish a crate from GitHub Actions.

In #117 we changed most of the rust-lang crates to be published from CI using crates.io tokens.
We want to edit the crates CI to use trusted publishing instead of tokens.
The goal should be that we delete all tokens in the rust-lang-owner crates.io account.

Trusted publishing can be configured via the team repo. See rust-lang/team#2090 for example.

Incomplete list of rust-lang crates:

• backtrace-rs
• libc
• libm
• cmake-rs
• rustc-hash
• rustc-demangle
• compiler-builtins
• jobserver-rs
• cargo
• rustwide
• cc-rs Add trusted publishing to cc-rs team#2118
• annotate-snippets Add trusted publishing for the annotate-snippets crate team#2090
• measureme Add trusted publishing for the measureme crates team#2091
• thorin Add trusted publishing to thorin team#2096
• mdbook Add trusted publishing to mdbook team#2114

[ehuss]

FYI, I updated the spreadsheet we use for trying to update crate ownership policies here: https://docs.google.com/spreadsheets/d/1IXWoByncvN5pyaqq7Ro23_F3F3ec_RQ9l-hfwz2plkI/edit?usp=sharing

I added a column for whether or not it uses trusted publishing.
It's going to be a ton of work to get through all of these, though. 😦 I'm not sure if anyone would want to help?

[Kobzol]

I think that we should first automate trusted-publishing via team, to avoid having to involve an infra-admin or going to crates.io to set it up. I have a WIP branch for that, I'll take a look at it soon.

[ehuss]

Yea, that would be great!

Some of the things I was looking for help on is roughly:

• Filling out fields (like which team is responsible for each crate)
• Determining what the actual status of these crates are.
• Figure out what to do with mostly dead crates.
• Did my sweep catch anything that isn't really rust-lang?
• Did my sweep miss anything?
• Determining if all tokens have been revoked.
  • Do you expect when we add trusted publishing to team that it will auto-revoke all tokens? I assume it does nothing with owners?
• Figuring out how to migrate everything to be owned by rust-lang-owner.
• Is there some way we can monitor if someone publishes a new crate to crates.io that is housed in the rust-lang github org, but not owned by rust-lang-owner?
• (Unrelated to this issue, but helping with cajoling teams to fill out the policy for Tracking issue for RFC 3119: Rust-lang crate ownership policy rust#88867. That's a mountain of work. 😦 )

[Kobzol]

Implemented the sync: rust-lang/team#2078. As a follow-up, I can also implement support for essentially removing everyone's access to crates.io crates that we have "registered" in the team DB, and only keep rust-lang-owner.

[NobodyXu]

cc-rs also has been using trusted publishing with release-plz

Regarding removal of access, I wonder how would we yank a release?

It's rare but occa we may need it, do we just shout out at zulip?

[Mark-Simulacrum]

I think the right thing would be for us to add yank permissions to an owner token and allow yanking to teams via triagebot or similar. In the meantime, I think we probably do need to leave access to teams/individuals beyond owner for that purpose :(

[marcoieni]

In the meantime, I think we probably do need to leave access to teams/individuals beyond owner for that purpose :(

Yes, exactly, that's why I created #203 as a separate issue, I wrote my idea on how to yank crates there. I agree it should be done in automated way, e.g. via GitHub Actions, triagebot or similar.

Although I'm not sure it's a good idea to add crates.io permissions to triagebot specifically.