Migrate this workspace to using trusted publishing (#12257) (#12280)

alexcrichton · web-flow · commit 8c97ae8809a2 · 2026-01-08T01:51:06.000+01:00
This commit updates CI config and such to ensure that we're compatible
with crates.io-based trusted publishing. Eventually we'll want the
restriction that only `wasmtime-publish` is the user on all of our
crates, but for now this needs to land and get backported before that's
done.

Changes here are:

* The `publish-to-cratesio.yml` workflow now uses
  `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token.
  The in-repository secret is no longer used.
* The `publish-to-cratesio.yml` workflow has a new github "Environment"
  it runs in named `publish`
* The publish script no longer adds the
  `github:bytecodealliance:wasmtime-publish` user to crates.
* The publish script now verifies that the `wasmtime-publish` github
  users is on all crates.
* Eventually the publish script will verify that it's the only user on
  all the crates, but that's left for a future PR.

External changes are:

* A new `publish` "Environment" was added to this repository.
* All crates are configured on crates.io to have a trusted publishing
  workflow for this repository.
* All crates now require being published through a trusted publishing
  workflow.

My plan is to backport this to the 40.0.0 branch, run a point release,
fix anything that comes up, and then backport this to all supported
branches of Wasmtime.
diff --git a/.github/workflows/publish-to-cratesio.yml b/.github/workflows/publish-to-cratesio.yml
@@ -9,26 +9,32 @@ on:
     tags:
     - 'v*'
 
+permissions:
+  id-token: write
+
 jobs:
   publish:
     if: github.repository == 'bytecodealliance/wasmtime'
     runs-on: ubuntu-latest
+    environment: publish
     steps:
     - uses: actions/checkout@v4
       with:
         submodules: true
     - run: rustup update stable && rustup default stable
+    - uses: rust-lang/crates-io-auth-action@v1
+      id: auth
     - run: |
         rustc scripts/publish.rs
         ./publish publish
       env:
-        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
-    
+        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+
     # Manifest and publish the wasi-preview1-component-adapter-provider
     - uses: ./.github/actions/fetch-run-id
     - uses: ./.github/actions/build-adapter-provider
       with:
         run-id: ${{ env.COMMIT_RUN_ID }}
     - run: cargo publish -p wasi-preview1-component-adapter-provider --allow-dirty
       env:
-        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
diff --git a/scripts/publish.rs b/scripts/publish.rs
@@ -471,34 +471,6 @@ fn publish(krate: &Crate) -> bool {
         return false;
     }
 
-    // After we've published then make sure that the `wasmtime-publish` group is
-    // added to this crate for future publications. If it's already present
-    // though we can skip the `cargo owner` modification.
-    let Some(output) = curl(&format!(
-        "https://crates.io/api/v1/crates/{}/owners",
-        krate.name
-    )) else {
-        return false;
-    };
-    if output.contains("wasmtime-publish") {
-        println!(
-            "wasmtime-publish already listed as an owner of {}",
-            krate.name
-        );
-        return true;
-    }
-
-    // Note that the status is ignored here. This fails most of the time because
-    // the owner is already set and present, so we only want to add this to
-    // crates which haven't previously been published.
-    run_cmd(
-        Command::new("cargo")
-            .arg("owner")
-            .arg("-a")
-            .arg("github:bytecodealliance:wasmtime-publish")
-            .arg(&krate.name),
-    );
-
     true
 }
 
@@ -613,26 +585,42 @@ fn verify(crates: &[Crate]) {
     fn verify_crates_io(krate: &Crate) {
         let name = &krate.name;
         let Some(owners) = curl(&format!("https://crates.io/api/v1/crates/{name}/owners")) else {
-            panic!("failed to get owners for {name}", name = name);
+            panic!(
+                "
+failed to get owners for {name}
+
+If this crate does not exist on crates.io yet please ping wasmtime maintainers
+to add the crate on crates.io as a small shim. When doing so please remind them
+that the trusted publishing workflow must be configured as well.
+",
+                name = name,
+            );
         };
 
-        let assert_owner = |owner: &str| {
-            let owner_json = format!("\"{owner}\"");
-            if !owners.contains(&owner_json) {
-                panic!(
-                    "
-crate {name} is not owned by {owner}, please run:
+        // This is the id of the `wasmtime-publish` user on crates.io
+        if !owners.contains("\"id\":73222,") {
+            panic!(
+                "
+crate {name} is not owned by wasmtime-publish, please run:
 
-    cargo owner -a {owner} {name}
+    cargo owner -a wasmtime-publish {name}
 ",
-                    name = name
-                );
-            }
-        };
+                name = name,
+            );
+        }
+
+        // TODO: waiting for trusted publishing to be proven to work before
+        // activating this.
+        if false && owners.split("\"id\"").count() != 2 {
+            panic!(
+                "
+crate {name} is not exclusively owned by wasmtime-publish
 
-        // the wasmtime-publish github user
-        assert_owner("wasmtime-publish");
-        // the BA team which can publish crates
-        assert_owner("github:bytecodealliance:wasmtime-publish");
+Please contact wasmtime maintainers to ensure that `wasmtime-publish` is the
+only listed owner of the crate.
+",
+                name = name,
+            );
+        }
     }
 }
