Use trusted publishing for release automation in this repository #2281
This commit updates the publish scripts and CI configuration to use the "Trusted Publishing" workflow on crates.io. This enables removal of the long-lived token assigned to this repository in favor of short-lived ephemeral tokens scoped to just the `publish.yml` workflow.

Here CI configuration is updated to avoid using the token in the environment. Instead it uses `rust-lang/crates-io-auth-action@v1` to acquire a token during publishing. Documentation is added for how to add a crate to this repository as it now requires that the crate is published on crates.io before it's added to this repository. That ensures that the trusted publishing workflow is in place before a PR is merged. Finally the `publish.rs` script is updated to avoid owner management on version bumps but also check on PRs that the owners are configured correctly.
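
The change described above, sketched as an added example that is not this repository's actual `publish.yml`: the secret-based publish step (commented out) next to the trusted-publishing form. The trigger, job name, secret name and crate name `example-crate` are assumptions, and a plain `cargo publish` stands in for the repository's own publish script.

```yaml
# Constructed example; trigger, job name and crate name are placeholders.

# Before: a long-lived crates.io token stored as a repository secret
# and exposed to the publish step through the environment.
# jobs:
#   publish:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#       - run: cargo publish -p example-crate
#         env:
#           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

# After: no stored secret; a short-lived token is issued per run.
name: publish
on:
  push:
    tags: ["v*"]            # assumed trigger

permissions:
  contents: read            # default for every job in this workflow

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # lets the job request the OIDC token the action exchanges
    steps:
      - uses: actions/checkout@v4
      # Exchanges the workflow's OIDC identity for a temporary crates.io token.
      - uses: rust-lang/crates-io-auth-action@v1
        id: auth
      - run: cargo publish -p example-crate
        env:
          # Token exists only as a step output of this run.
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

The exchange only succeeds for a crate whose trusted-publisher settings on crates.io name this repository and workflow file, which is why the crate has to exist on crates.io before it is added here.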