
controllers/github/secret_scanning: Add support for Trusted Publishing tokens #11405


Merged (2 commits, Jun 23, 2025)

Conversation

@Turbo87 (Member) commented Jun 22, 2025

This implements the final todo item of the Trusted Publishing backend work (see #10247).

If a passed-in token is successfully parsed as a Trusted Publishing token, the token is automatically revoked and a warning is logged.

Since these tokens belong to a crate (or multiple) instead of a user, I have not implemented email notifications for them (yet). Should we email all owners of the crate in case a Trusted Publishing token is leaked? I guess we could also implement that in a follow-up PR, if we decide that we want that.
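The revoke-and-warn flow described in this PR, as an added illustration in Rust that is not crates.io's own code: a reported token is classified by an assumed `cio_tp_` prefix, revoked if it is known, and only user API tokens produce an owner notification. The in-memory stores, the plaintext token keys (production stores only keep a hash) and the `Label`/`Verdict` names are assumptions of this example.

```rust
use std::collections::HashMap;

/// Feedback label sent back to GitHub for one reported token.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Label { TruePositive, FalsePositive }

/// Assumed prefix of Trusted Publishing tokens (an assumption of this example).
pub const TRUSTPUB_PREFIX: &str = "cio_tp_";

/// Result of handling one alert: the label plus the owner e-mails to notify.
/// `notify` is always empty for Trusted Publishing tokens, which belong to
/// crates rather than to a user.
#[derive(Debug, PartialEq, Eq)]
pub struct Verdict { pub label: Label, pub notify: Vec<String> }

/// Constructed in-memory stand-ins for the token tables. Production stores keep
/// only a hash of each token; plaintext keys keep this example std-only.
#[derive(Default)]
pub struct Store {
    pub api_tokens: HashMap<String, (String, bool)>,           // token -> (owner e-mail, revoked)
    pub trustpub_tokens: HashMap<String, (Vec<String>, bool)>, // token -> (crate names, revoked)
    pub warnings: Vec<String>,
}

impl Store {
    /// Revoke a reported token if it is one of ours and decide who is notified.
    /// An already-revoked token is still a true positive but is not revoked,
    /// logged or notified about a second time.
    pub fn handle_alert(&mut self, token: &str) -> Verdict {
        if token.starts_with(TRUSTPUB_PREFIX) {
            return match self.trustpub_tokens.get_mut(token) {
                Some((crates, revoked)) => {
                    if !*revoked {
                        *revoked = true;
                        self.warnings.push(format!("revoked leaked Trusted Publishing token for {crates:?}"));
                    }
                    Verdict { label: Label::TruePositive, notify: vec![] }
                }
                None => Verdict { label: Label::FalsePositive, notify: vec![] },
            };
        }
        match self.api_tokens.get_mut(token) {
            Some((owner, revoked)) => {
                let notify = if *revoked { vec![] } else { vec![owner.clone()] };
                *revoked = true;
                Verdict { label: Label::TruePositive, notify }
            }
            None => Verdict { label: Label::FalsePositive, notify: vec![] },
        }
    }
}
```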

@Turbo87 Turbo87 added C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works A-backend ⚙️ labels Jun 22, 2025
@Turbo87 Turbo87 force-pushed the trustpub-scanning branch from fa1788b to 53f6695 Compare June 23, 2025 13:04
@LawnGnome (Contributor) left a comment

LGTM.

For what it's worth, I do think we should figure out a notification strategy here, since it'll probably indicate some sort of CI compromise, but that can be a follow-up PR. (E-mailing all the owners feels fine to me as a first step.)

@Turbo87 Turbo87 merged commit 45ccc62 into rust-lang:main Jun 23, 2025
10 checks passed
@Turbo87 Turbo87 deleted the trustpub-scanning branch June 23, 2025 17:38