rust-lang · marcoieni · Nov 19, 2025 · Oct 28, 2025 · Oct 28, 2025 · Oct 28, 2025
@@ -32,7 +32,7 @@ jobs:
 
       - name: Install Rust Stable
         env:
-          RUST_VERSION: "1.85.0"
+          RUST_VERSION: "1.87.0"
         run: |
           rustc -vV
           rustup toolchain install $RUST_VERSION
@@ -103,6 +103,7 @@ jobs:
           EMAIL_ENCRYPTION_KEY: ${{ secrets.EMAIL_ENCRYPTION_KEY }}
           ZULIP_API_TOKEN: ${{ secrets.ZULIP_API_TOKEN }}
           ZULIP_USERNAME: ${{ secrets.ZULIP_USERNAME }}
+          CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
         run: |
           cargo run sync apply --src build
 

diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ The repository is automatically synchronized with:
 | Zulip user group membership                                | *Shortly after merge* | [Integration source][sync-team-src]       |
 | [Governance section on the website][www]                   |     Once per day      | [Integration source][www-src]             |
 | crates.io admin access                                     |        1 hour         | [Integration source][crates-io-admin-src] |
+| crates.io trusted publishing config                        | *Shortly after merge* | [Integration source][sync-team-src]       |
 
 If you need to add or remove a person from a team, send a PR to this
 repository. After it's merged, their account will be added/removed

diff --git a/docs/toml-schema.md b/docs/toml-schema.md
@@ -430,3 +430,16 @@ allowed-merge-teams = ["awesome-team"]
 # (optional)
 merge-bots = ["homu"]
 ```
+
+### Crates.io trusted publishing
+Configure crates.io Trusted Publishing for crates published from a given repository from GitHub Actions.
+
+```toml
+[[crates-io-publishing]]
+# Crates that will be published with the given workflow file from this repository (required)
+crates = ["regex"]
+# Name of a GitHub Actions workflow file that will publish the crate (required)
+workflow-filename = "ci.yml"
+# GitHub Actions environment that has to be used for the publishing (required)
+environment = "deploy"
+```
@@ -174,6 +174,7 @@ pub struct Repo {
     pub teams: Vec<RepoTeam>,
     pub members: Vec<RepoMember>,
     pub branch_protections: Vec<BranchProtection>,
+    pub crates: Vec<Crate>,
     pub archived: bool,
     // This attribute is not synced by sync-team.
     pub private: bool,
@@ -182,6 +183,12 @@ pub struct Repo {
     pub auto_merge_enabled: bool,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct Crate {
+    pub name: String,
+    pub crates_io_publishing: Option<CratesIoPublishing>,
+}
+
 #[derive(Debug, Clone, Deserialize, Serialize, PartialEq)]
 #[serde(rename_all = "kebab-case")]
 pub enum Bot {
@@ -244,6 +251,12 @@ pub struct BranchProtection {
     pub merge_bots: Vec<MergeBot>,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct CratesIoPublishing {
+    pub workflow_file: String,
+    pub environment: String,
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 pub struct Person {
     pub name: String,

@@ -9,7 +9,7 @@ mod schema;
 mod static_api;
 mod validate;
 
-const AVAILABLE_SERVICES: &[&str] = &["github", "mailgun", "zulip"];
+const AVAILABLE_SERVICES: &[&str] = &["github", "mailgun", "zulip", "crates-io"];
 
 const USER_AGENT: &str = "https://github.com/rust-lang/team (infra@rust-lang.org)";
 

@@ -807,6 +807,8 @@ pub(crate) struct Repo {
     pub access: RepoAccess,
     #[serde(default)]
     pub branch_protections: Vec<BranchProtection>,
+    #[serde(default)]
+    pub crates_io_publishing: Vec<CratesIoPublishing>,
 }
 
 #[derive(serde_derive::Deserialize, Debug, Clone, PartialEq)]
@@ -865,3 +867,11 @@ pub(crate) struct BranchProtection {
     #[serde(default)]
     pub merge_bots: Vec<MergeBot>,
 }
+
+#[derive(serde_derive::Deserialize, Debug)]
+#[serde(deny_unknown_fields, rename_all = "kebab-case")]
+pub(crate) struct CratesIoPublishing {
+    pub crates: Vec<String>,
+    pub workflow_filename: String,
+    pub environment: String,
+}
@@ -147,6 +147,19 @@ impl<'a> Generator<'a> {
                     members
                 },
                 branch_protections,
+                crates: r
+                    .crates_io_publishing
+                    .iter()
+                    .flat_map(|p| {
+                        p.crates.iter().map(|krate| v1::Crate {
+                            name: krate.to_string(),
+                            crates_io_publishing: Some(v1::CratesIoPublishing {
+                                workflow_file: p.workflow_filename.clone(),
+                                environment: p.environment.clone(),
+                            }),
+                        })
+                    })
+                    .collect(),
                 archived,
                 auto_merge_enabled: !managed_by_bors,
             };

@@ -54,6 +54,7 @@ static CHECKS: &[Check<fn(&Data, &mut Vec<String>)>] = checks![
     validate_repos,
     validate_archived_repos,
     validate_branch_protections,
+    validate_trusted_publishing,
     validate_member_roles,
     validate_admin_access,
     validate_website,
@@ -1000,6 +1001,30 @@ Please remove the attributes when using bors"#,
     })
 }
 
+/// Validate that trusted publishing configuration has unique crates across all repositories.
+fn validate_trusted_publishing(data: &Data, errors: &mut Vec<String>) {
+    let mut crates = HashMap::new();
+    wrapper(data.repos(), errors, |repo, _| {
+        let repo_name = format!("{}/{}", repo.org, repo.name);
+        for publishing in &repo.crates_io_publishing {
+            if publishing.crates.is_empty() {
+                return Err(anyhow::anyhow!(
+                    "Repository `{repo_name}` has trusted publishing for an empty set of crates.",
+                ));
+            }
+
+            for krate in &publishing.crates {
+                if let Some(prev_repo) = crates.insert(krate.clone(), repo_name.clone()) {
+                    return Err(anyhow::anyhow!(
+                        "Repository `{repo_name}` configures trusted publishing for crate `{krate}` that is also configured in `{prev_repo}`. Each crate can only be configured once.",
+                    ));
+                }
+            }
+        }
+        Ok(())
+    })
+}
+
 /// Enforce that roles are only assigned to a valid team member, and that the
 /// same role id always has a consistent description across teams (because the
 /// role id becomes the Fluent id used for translation).

@@ -0,0 +1,172 @@
+use crate::crates_io::CratesIoPublishingConfig;
+use crate::utils::ResponseExt;
+use anyhow::{Context, anyhow};
+use log::debug;
+use reqwest::blocking::Client;
+use reqwest::header;
+use reqwest::header::{HeaderMap, HeaderValue};
+use secrecy::{ExposeSecret, SecretString};
+use serde::Serialize;
+use std::fmt::{Display, Formatter};
+
+// OpenAPI spec: https://crates.io/api/openapi.json
+const CRATES_IO_BASE_URL: &str = "https://crates.io/api/v1";
+
+/// Access to the Zulip API
+#[derive(Clone)]
+pub(crate) struct CratesIoApi {
+    client: Client,
+    token: SecretString,
+    dry_run: bool,
+}
+
+impl CratesIoApi {
+    pub(crate) fn new(token: SecretString, dry_run: bool) -> Self {
+        let mut map = HeaderMap::default();
+        map.insert(
+            header::USER_AGENT,
+            HeaderValue::from_static(crate::USER_AGENT),
+        );
+
+        Self {
+            client: reqwest::blocking::ClientBuilder::default()
+                .default_headers(map)
+                .build()
+                .unwrap(),
+            token,
+            dry_run,
+        }
+    }
+
+    /// List existing trusted publishing configurations for a given crate.
+    pub(crate) fn list_trusted_publishing_github_configs(
+        &self,
+        krate: &str,
+    ) -> anyhow::Result<Vec<TrustedPublishingGitHubConfig>> {
+        #[derive(serde::Deserialize)]
+        struct GetTrustedPublishing {
+            github_configs: Vec<TrustedPublishingGitHubConfig>,
+        }
+
+        let response: GetTrustedPublishing = self
+            .req::<()>(
+                reqwest::Method::GET,
+                &format!("/trusted_publishing/github_configs?crate={krate}"),
+                None,
+            )?
+            .error_for_status()?
+            .json_annotated()?;
+
+        Ok(response.github_configs)
+    }
+
+    /// Create a new trusted publishing configuration for a given crate.
+    pub(crate) fn create_trusted_publishing_github_config(
+        &self,
+        config: &CratesIoPublishingConfig,
+    ) -> anyhow::Result<()> {
+        debug!(
+            "Creating trusted publishing config for '{}' in repo '{}/{}', workflow file '{}' and environment '{}'",
+            config.krate.0,
+            config.repo_org,
+            config.repo_name,
+            config.workflow_file,
+            config.environment
+        );
+
+        if self.dry_run {
+            return Ok(());
+        }
+
+        #[derive(serde::Serialize)]
+        struct TrustedPublishingGitHubConfigCreate<'a> {
+            repository_owner: &'a str,
+            repository_name: &'a str,
+            #[serde(rename = "crate")]
+            krate: &'a str,
+            workflow_filename: &'a str,
+            environment: Option<&'a str>,
+        }
+
+        #[derive(serde::Serialize)]
+        struct CreateTrustedPublishing<'a> {
+            github_config: TrustedPublishingGitHubConfigCreate<'a>,
+        }
+
+        let request = CreateTrustedPublishing {
+            github_config: TrustedPublishingGitHubConfigCreate {
+                repository_owner: &config.repo_org,
+                repository_name: &config.repo_name,
+                krate: &config.krate.0,
+                workflow_filename: &config.workflow_file,
+                environment: Some(&config.environment),
+            },
+        };
+
+        self.req(
+            reqwest::Method::POST,
+            "/trusted_publishing/github_configs",
+            Some(&request),
+        )?
+        .error_for_status()
+        .with_context(|| anyhow!("Cannot created trusted publishing config {config:?}"))?;
+
+        Ok(())
+    }
+
+    /// Delete a trusted publishing configuration with the given ID.
+    pub(crate) fn delete_trusted_publishing_github_config(
+        &self,
+        id: TrustedPublishingId,
+    ) -> anyhow::Result<()> {
+        debug!("Deleting trusted publishing with ID {id}");
+
+        if !self.dry_run {
+            self.req::<()>(
+                reqwest::Method::DELETE,
+                &format!("/trusted_publishing/github_configs/{}", id.0),
+                None,
+            )?
+            .error_for_status()
+            .with_context(|| anyhow!("Cannot delete trusted publishing config with ID {id}"))?;
+        }
+
+        Ok(())
+    }
+
+    /// Perform a request against the crates.io API
+    fn req<T: Serialize>(
+        &self,
+        method: reqwest::Method,
+        path: &str,
+        data: Option<&T>,
+    ) -> anyhow::Result<reqwest::blocking::Response> {
+        let mut req = self
+            .client
+            .request(method, format!("{CRATES_IO_BASE_URL}{path}"))
+            .bearer_auth(self.token.expose_secret());
+        if let Some(data) = data {
+            req = req.json(data);
+        }
+
+        Ok(req.send()?)
+    }
+}
+
+#[derive(serde::Deserialize, Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
+pub struct TrustedPublishingId(u64);
+
+impl Display for TrustedPublishingId {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        self.0.fmt(f)
+    }
+}
+
+#[derive(serde::Deserialize, Debug)]
+pub(crate) struct TrustedPublishingGitHubConfig {
+    pub(crate) id: TrustedPublishingId,
+    pub(crate) repository_owner: String,
+    pub(crate) repository_name: String,
+    pub(crate) workflow_filename: String,
+    pub(crate) environment: Option<String>,
+}