Trusted Publishing Enforcement #12361

@Turbo87

Description

Goal

Allow crate owners to restrict their crate to only accept publications via Trusted Publishing, preventing publishes using API tokens. This protects against leaked developer credentials.

Key Design Decisions

Visibility: Public - The trustpub_only flag is visible to all users via GET /api/v1/crates/{name} for supply chain transparency.

Authorization: Any crate owner can toggle the flag using cookie auth or API token auth (non-legacy tokens with trustpub scope and matching crate scopes).

Validation: No validation when enabling - owners can enable the flag even without trusted publishers configured. The UI will show a warning in this case.

Default: FALSE for all crates - explicit opt-in required.

API Changes

GET /api/v1/crates/{name} (modified)

  • Add field: trustpub_only: bool

PATCH /api/v1/crates/{name} (new)

  • Request: { "trustpub_only": true/false }
  • Auth: Crate owner only
  • Response: 200 OK with updated crate data, or 403 if not owner
  • Side effects: Email notification to all owners, audit log entry

PUT /api/v1/crates/new (modified)

  • Reject with 403 if trustpub_only: true and publish uses API token
  • Error: "You tried to publish with an API token but this crate requires trusted publishing."
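
The authorization rules from the Key Design Decisions and API Changes sections, written as pure functions so they can be unit-tested; this is an added example, not crates.io code, and the `Auth` enum, `check_publish`, `check_toggle` and the crate-scope pattern semantics are assumptions rather than the project's own types:

```rust
// Added example, not crates.io code: the access rules from this issue as pure,
// testable functions; every Err maps to HTTP 403. Assumed beyond the issue text: an
// empty crate-scope list means "all crates", a scope ending in `*` is a name-prefix
// pattern, and trusted-publishing tokens cannot change the flag.
pub enum Auth {
    Cookie,
    ApiToken { legacy: bool, endpoint_scopes: Vec<String>, crate_scopes: Vec<String> },
    TrustedPublishing,
}

/// Error text from the issue for a token-based publish of a trustpub_only crate.
pub const TRUSTPUB_REQUIRED: &str =
    "You tried to publish with an API token but this crate requires trusted publishing.";

/// PUT /api/v1/crates/new: the new rule only; whether the caller may publish at
/// all is decided by the existing auth code before this runs.
pub fn check_publish(trustpub_only: bool, auth: &Auth) -> Result<(), &'static str> {
    match auth {
        Auth::ApiToken { .. } if trustpub_only => Err(TRUSTPUB_REQUIRED),
        _ => Ok(()),
    }
}

/// Crate-scope pattern check: exact name, or `prefix*` (assumed semantics).
fn crate_scope_matches(pattern: &str, name: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => name.starts_with(prefix),
        None => pattern == name,
    }
}

/// PATCH /api/v1/crates/{name}: owner only; cookie auth, or a non-legacy API
/// token with the `trustpub` scope whose crate scopes (if any) cover this crate.
pub fn check_toggle(crate_name: &str, is_owner: bool, auth: &Auth) -> Result<(), &'static str> {
    if !is_owner { return Err("only crate owners can change this setting"); }
    match auth {
        Auth::Cookie => Ok(()),
        Auth::ApiToken { legacy: true, .. } => Err("legacy API tokens cannot change this setting"),
        Auth::ApiToken { endpoint_scopes, crate_scopes, .. } => {
            if !endpoint_scopes.iter().any(|s| s == "trustpub") {
                return Err("API token lacks the trustpub scope");
            }
            let covered = crate_scopes.is_empty()
                || crate_scopes.iter().any(|p| crate_scope_matches(p, crate_name));
            if covered { Ok(()) } else { Err("API token is not scoped to this crate") }
        }
        Auth::TrustedPublishing => Err("trusted publishing tokens cannot change crate settings"),
    }
}
```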

UI Changes

Crate settings page

  • Always show checkbox for trustpub_only flag
  • If checked AND no trusted publisher configured: Show warning alert
  • Checkbox triggers PATCH /api/v1/crates/{name}

Implementation Plan

Backend

  1. Database migration: Add trustpub_only BOOLEAN NOT NULL DEFAULT FALSE column
  2. Update Crate model struct in crates/crates_io_database/src/models/krate.rs
  3. Add trustpub_only field to EncodableCrate in crates/crates_io_api_types/src/lib.rs
  4. Update publish endpoint to check trustpub_only flag and reject token-based publishes (with tests)
  5. Implement PATCH /api/v1/crates/{name} endpoint with authorization check (crate owner + appropriate token scopes), email notifications, audit logging, and OpenAPI schema updates (with tests)

Frontend

  1. Set up Ember Data to allow PATCH /api/v1/crates/{name} operations (with tests)
  2. Add checkbox to crate settings page (with tests)
  3. Add warning alert when checkbox is checked but no trusted publisher configured (with tests)

Security Considerations

  • Email notification to all crate owners when flag is toggled
  • Audit logging of all flag changes (user, IP, timestamp)
  • Authorization requires crate ownership
  • Token-based changes require non-legacy tokens with appropriate scopes

Labels

  • C-enhancement ✨ (Category: Adding new behavior or a change to the way an existing feature works)