Implement synchronization of trusted publishing in crates.io

Author: Kobzol

README.md

@@ -16,6 +16,7 @@ The repository is automatically synchronized with:
 | Zulip user group membership                                | *Shortly after merge* | [Integration source][sync-team-src]       |
 | [Governance section on the website][www]                   |     Once per day      | [Integration source][www-src]             |
 | crates.io admin access                                     |        1 hour         | [Integration source][crates-io-admin-src] |
+| crates.io trusted publishing config                        | *Shortly after merge* | [Integration source][sync-team-src]       |
 
 If you need to add or remove a person from a team, send a PR to this
 repository. After it's merged, their account will be added/removed

docs/toml-schema.md

@@ -435,11 +435,11 @@ merge-bots = ["homu"]
 Configure crates.io Trusted Publishing for crates published from a given repository from GitHub Actions.
 
 ```toml
-[[trusted-publishing]]
-# Name of the crate that will be published from this repository (required)
-crate = "regex"
+[[crates-io-publishing]]
+# Crates that will be published with the given workflow file from this repository (required)
+crates = ["regex"]
 # Name of a GitHub Actions workflow file that will publish the crate (required)
 workflow-filename = "ci.yml"
-# GitHub Actions environment that has to be used for the publishing (optional)
+# GitHub Actions environment that has to be used for the publishing (required)
 environment = "deploy"
 ```

rust_team_data/src/v1.rs

@@ -174,7 +174,7 @@ pub struct Repo {
     pub teams: Vec<RepoTeam>,
     pub members: Vec<RepoMember>,
     pub branch_protections: Vec<BranchProtection>,
-    pub trusted_publishing: Vec<TrustedPublishing>,
+    pub crates: Vec<Crate>,
     pub archived: bool,
     // This attribute is not synced by sync-team.
     pub private: bool,
@@ -183,6 +183,12 @@ pub struct Repo {
     pub auto_merge_enabled: bool,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct Crate {
+    pub name: String,
+    pub crates_io_publishing: Option<CratesIoPublishing>,
+}
+
 #[derive(Debug, Clone, Deserialize, Serialize, PartialEq)]
 #[serde(rename_all = "kebab-case")]
 pub enum Bot {
@@ -246,11 +252,9 @@ pub struct BranchProtection {
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
-pub struct TrustedPublishing {
-    #[serde(rename = "crate")]
-    pub krate: String,
+pub struct CratesIoPublishing {
     pub workflow_file: String,
-    pub environment: Option<String>,
+    pub environment: String,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]

src/main.rs

@@ -9,7 +9,7 @@ mod schema;
 mod static_api;
 mod validate;
 
-const AVAILABLE_SERVICES: &[&str] = &["github", "mailgun", "zulip"];
+const AVAILABLE_SERVICES: &[&str] = &["github", "mailgun", "zulip", "crates-io"];
 
 const USER_AGENT: &str = "https://github.com/rust-lang/team (infra@rust-lang.org)";
 

src/schema.rs

@@ -808,7 +808,7 @@ pub(crate) struct Repo {
     #[serde(default)]
     pub branch_protections: Vec<BranchProtection>,
     #[serde(default)]
-    pub trusted_publishing: Vec<TrustedPublishing>,
+    pub crates_io_publishing: Vec<CratesIoPublishing>,
 }
 
 #[derive(serde_derive::Deserialize, Debug, Clone, PartialEq)]
@@ -870,10 +870,8 @@ pub(crate) struct BranchProtection {
 
 #[derive(serde_derive::Deserialize, Debug)]
 #[serde(deny_unknown_fields, rename_all = "kebab-case")]
-pub(crate) struct TrustedPublishing {
-    #[serde(rename = "crate")]
-    pub krate: String,
+pub(crate) struct CratesIoPublishing {
+    pub crates: Vec<String>,
     pub workflow_filename: String,
-    #[serde(default)]
-    pub environment: Option<String>,
+    pub environment: String,
 }

src/static_api.rs

@@ -147,13 +147,17 @@ impl<'a> Generator<'a> {
                     members
                 },
                 branch_protections,
-                trusted_publishing: r
-                    .trusted_publishing
+                crates: r
+                    .crates_io_publishing
                     .iter()
-                    .map(|p| v1::TrustedPublishing {
-                        krate: p.krate.clone(),
-                        workflow_file: p.workflow_filename.clone(),
-                        environment: p.environment.clone(),
+                    .flat_map(|p| {
+                        p.crates.iter().map(|krate| v1::Crate {
+                            name: krate.to_string(),
+                            crates_io_publishing: Some(v1::CratesIoPublishing {
+                                workflow_file: p.workflow_filename.clone(),
+                                environment: p.environment.clone(),
+                            }),
+                        })
                     })
                     .collect(),
                 archived,

src/validate.rs

@@ -1006,13 +1006,20 @@ fn validate_trusted_publishing(data: &Data, errors: &mut Vec<String>) {
     let mut crates = HashMap::new();
     wrapper(data.repos(), errors, |repo, _| {
         let repo_name = format!("{}/{}", repo.org, repo.name);
-        for publishing in &repo.trusted_publishing {
-            if let Some(prev_crate) = crates.insert(&publishing.krate, repo_name.clone()) {
+        for publishing in &repo.crates_io_publishing {
+            if publishing.crates.is_empty() {
                 return Err(anyhow::anyhow!(
-                    "Repository `{repo_name}` configures trusted publishing for crate `{}` that is also configured in `{prev_crate}`. Each crate can only be configured once.",
-                    publishing.krate
+                    "Repository `{repo_name}` has trusted publishing for an empty set of crates.",
                 ));
             }
+
+            for krate in &publishing.crates {
+                if let Some(prev_repo) = crates.insert(krate.clone(), repo_name.clone()) {
+                    return Err(anyhow::anyhow!(
+                        "Repository `{repo_name}` configures trusted publishing for crate `{krate}` that is also configured in `{prev_repo}`. Each crate can only be configured once.",
+                    ));
+                }
+            }
         }
         Ok(())
     })

sync-team/src/crates_io/api.rs

@@ -0,0 +1,172 @@
+use crate::crates_io::CratesIoPublishingConfig;
+use crate::utils::ResponseExt;
+use anyhow::{Context, anyhow};
+use log::debug;
+use reqwest::blocking::Client;
+use reqwest::header;
+use reqwest::header::{HeaderMap, HeaderValue};
+use secrecy::{ExposeSecret, SecretString};
+use serde::Serialize;
+use std::fmt::{Display, Formatter};
+
+// OpenAPI spec: https://crates.io/api/openapi.json
+const CRATES_IO_BASE_URL: &str = "https://crates.io/api/v1";
+
+/// Access to the Zulip API
+#[derive(Clone)]
+pub(crate) struct CratesIoApi {
+    client: Client,
+    token: SecretString,
+    dry_run: bool,
+}
+
+impl CratesIoApi {
+    pub(crate) fn new(token: SecretString, dry_run: bool) -> Self {
+        let mut map = HeaderMap::default();
+        map.insert(
+            header::USER_AGENT,
+            HeaderValue::from_static(crate::USER_AGENT),
+        );
+
+        Self {
+            client: reqwest::blocking::ClientBuilder::default()
+                .default_headers(map)
+                .build()
+                .unwrap(),
+            token,
+            dry_run,
+        }
+    }
+
+    /// List existing trusted publishing configurations for a given crate.
+    pub(crate) fn list_trusted_publishing_github_configs(
+        &self,
+        krate: &str,
+    ) -> anyhow::Result<Vec<TrustedPublishingGitHubConfig>> {
+        #[derive(serde::Deserialize)]
+        struct GetTrustedPublishing {
+            github_configs: Vec<TrustedPublishingGitHubConfig>,
+        }
+
+        let response: GetTrustedPublishing = self
+            .req::<()>(
+                reqwest::Method::GET,
+                &format!("/trusted_publishing/github_configs?crate={krate}"),
+                None,
+            )?
+            .error_for_status()?
+            .json_annotated()?;
+
+        Ok(response.github_configs)
+    }
+
+    /// Create a new trusted publishing configuration for a given crate.
+    pub(crate) fn create_trusted_publishing_github_config(
+        &self,
+        config: &CratesIoPublishingConfig,
+    ) -> anyhow::Result<()> {
+        debug!(
+            "Creating trusted publishing config for '{}' in repo '{}/{}', workflow file '{}' and environment '{}'",
+            config.krate.0,
+            config.repo_org,
+            config.repo_name,
+            config.workflow_file,
+            config.environment
+        );
+
+        if self.dry_run {
+            return Ok(());
+        }
+
+        #[derive(serde::Serialize)]
+        struct TrustedPublishingGitHubConfigCreate<'a> {
+            repository_owner: &'a str,
+            repository_name: &'a str,
+            #[serde(rename = "crate")]
+            krate: &'a str,
+            workflow_filename: &'a str,
+            environment: Option<&'a str>,
+        }
+
+        #[derive(serde::Serialize)]
+        struct CreateTrustedPublishing<'a> {
+            github_config: TrustedPublishingGitHubConfigCreate<'a>,
+        }
+
+        let request = CreateTrustedPublishing {
+            github_config: TrustedPublishingGitHubConfigCreate {
+                repository_owner: &config.repo_org,
+                repository_name: &config.repo_name,
+                krate: &config.krate.0,
+                workflow_filename: &config.workflow_file,
+                environment: Some(&config.environment),
+            },
+        };
+
+        self.req(
+            reqwest::Method::POST,
+            "/trusted_publishing/github_configs",
+            Some(&request),
+        )?
+        .error_for_status()
+        .with_context(|| anyhow!("Cannot created trusted publishing config {config:?}"))?;
+
+        Ok(())
+    }
+
+    /// Delete a trusted publishing configuration with the given ID.
+    pub(crate) fn delete_trusted_publishing_github_config(
+        &self,
+        id: TrustedPublishingId,
+    ) -> anyhow::Result<()> {
+        debug!("Deleting trusted publishing with ID {id}");
+
+        if !self.dry_run {
+            self.req::<()>(
+                reqwest::Method::DELETE,
+                &format!("/trusted_publishing/github_configs/{}", id.0),
+                None,
+            )?
+            .error_for_status()
+            .with_context(|| anyhow!("Cannot delete trusted publishing config with ID {id}"))?;
+        }
+
+        Ok(())
+    }
+
+    /// Perform a request against the crates.io API
+    fn req<T: Serialize>(
+        &self,
+        method: reqwest::Method,
+        path: &str,
+        data: Option<&T>,
+    ) -> anyhow::Result<reqwest::blocking::Response> {
+        let mut req = self
+            .client
+            .request(method, format!("{CRATES_IO_BASE_URL}{path}"))
+            .bearer_auth(self.token.expose_secret());
+        if let Some(data) = data {
+            req = req.json(data);
+        }
+
+        Ok(req.send()?)
+    }
+}
+
+#[derive(serde::Deserialize, Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
+pub struct TrustedPublishingId(u64);
+
+impl Display for TrustedPublishingId {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        self.0.fmt(f)
+    }
+}
+
+#[derive(serde::Deserialize, Debug)]
+pub(crate) struct TrustedPublishingGitHubConfig {
+    pub(crate) id: TrustedPublishingId,
+    pub(crate) repository_owner: String,
+    pub(crate) repository_name: String,
+    pub(crate) workflow_filename: String,
+    pub(crate) environment: Option<String>,
+}