Add email template for Trusted Publishing token exposure notifications

Turbo87 · Turbo87 · commit 6715f679328f · 2025-06-24T15:40:05.000+02:00
This commit implements a `TrustedPublishingTokenExposedEmail` template that will be used to notify users when their trusted publishing tokens are revoked due to GitHub secret scanning alerts. The template handles both single and multiple crate scenarios and provides security guidance.
diff --git a/src/controllers/github/secret_scanning.rs b/src/controllers/github/secret_scanning.rs
@@ -145,7 +145,7 @@ async fn alert_revoke_token(
             .await?;
 
         if deleted_count > 0 {
-            warn!("Active Trusted Publishing token received and revoked (true positive)");
+        warn!("Active Trusted Publishing token received and revoked (true positive)");
             return Ok(GitHubSecretAlertFeedbackLabel::TruePositive);
         } else {
             debug!("Unknown Trusted Publishing token received (false positive)");
@@ -264,6 +264,64 @@ Source type: {source}",
     }
 }
 
+struct TrustedPublishingTokenExposedEmail<'a> {
+    domain: &'a str,
+    reporter: &'a str,
+    source: &'a str,
+    crate_names: &'a [String],
+    url: &'a str,
+}
+
+impl Email for TrustedPublishingTokenExposedEmail<'_> {
+    fn subject(&self) -> String {
+        "crates.io: Your Trusted Publishing token has been revoked".to_string()
+    }
+
+    fn body(&self) -> String {
+        let authorization = if self.crate_names.len() == 1 {
+            format!(
+                "This token was only authorized to publish the \"{}\" crate.",
+                self.crate_names[0]
+            )
+        } else {
+            format!(
+                "This token was authorized to publish the following crates: \"{}\".",
+                self.crate_names.join("\", \"")
+            )
+        };
+
+        let mut body = format!(
+            "{reporter} has notified us that one of your crates.io Trusted Publishing tokens \
+has been exposed publicly. We have revoked this token as a precaution.
+
+{authorization}
+
+Please review your account at https://{domain} and your GitHub repository \
+settings to confirm that no unexpected changes have been made to your crates \
+or trusted publishing configurations.
+
+Source type: {source}",
+            domain = self.domain,
+            reporter = self.reporter,
+            source = self.source,
+        );
+
+        if self.url.is_empty() {
+            body.push_str("\n\nWe were not informed of the URL where the token was found.");
+        } else {
+            body.push_str(&format!("\n\nURL where the token was found: {}", self.url));
+        }
+
+        body.push_str(
+            "\n\nTrusted Publishing tokens are temporary and used for automated \
+publishing from GitHub Actions. If this exposure was unexpected, please review \
+your repository's workflow files and secrets.",
+        );
+
+        body
+    }
+}
+
 #[derive(Deserialize, Serialize)]
 pub struct GitHubSecretAlertFeedback {
     pub token_raw: String,
