Make it possible to enforce publishing only through trusted publishing for crates

Kobzol · Kobzol · commit fad9c70d4f07 · 2025-12-02T08:55:59.000+01:00
diff --git a/docs/toml-schema.md b/docs/toml-schema.md
@@ -456,6 +456,9 @@ crates = ["regex"]
 workflow-filename = "ci.yml"
 # GitHub Actions environment that has to be used for the publishing (required)
 environment = "deploy"
+# Disable other mechanisms for publishing this set of crates (optional, default is false)
+# If set to `true`, the crates will only be publishable through trusted publishing
+disable-other-publish-methods = false
 ```
 
 > [!TIP]
diff --git a/rust_team_data/src/v1.rs b/rust_team_data/src/v1.rs
@@ -188,6 +188,7 @@ pub struct Repo {
 pub struct Crate {
     pub name: String,
     pub crates_io_publishing: Option<CratesIoPublishing>,
+    pub trusted_publishing_only: bool,
 }
 
 #[derive(Debug, Clone, Deserialize, Serialize, PartialEq)]
diff --git a/src/schema.rs b/src/schema.rs
@@ -880,6 +880,8 @@ pub(crate) struct CratesIoPublishing {
     pub crates: Vec<String>,
     pub workflow_filename: String,
     pub environment: String,
+    #[serde(default)]
+    pub disable_other_publish_methods: bool,
 }
 
 #[derive(serde_derive::Deserialize, Debug, Clone)]
diff --git a/src/static_api.rs b/src/static_api.rs
@@ -157,6 +157,7 @@ impl<'a> Generator<'a> {
                                 workflow_file: p.workflow_filename.clone(),
                                 environment: p.environment.clone(),
                             }),
+                            trusted_publishing_only: p.disable_other_publish_methods,
                         })
                     })
                     .collect(),
diff --git a/tests/static-api/_expected/v1/repos.json b/tests/static-api/_expected/v1/repos.json
@@ -71,14 +71,16 @@
           "crates_io_publishing": {
             "workflow_file": "ci.yml",
             "environment": "deploy"
-          }
+          },
+          "trusted_publishing_only": false
         },
         {
           "name": "my-crate-2",
           "crates_io_publishing": {
             "workflow_file": "ci.yml",
             "environment": "deploy"
-          }
+          },
+          "trusted_publishing_only": false
         }
       ],
       "environments": [],
diff --git a/tests/static-api/_expected/v1/repos/some_repo.json b/tests/static-api/_expected/v1/repos/some_repo.json
@@ -39,14 +39,16 @@
       "crates_io_publishing": {
         "workflow_file": "ci.yml",
         "environment": "deploy"
-      }
+      },
+      "trusted_publishing_only": false
     },
     {
       "name": "my-crate-2",
       "crates_io_publishing": {
         "workflow_file": "ci.yml",
         "environment": "deploy"
-      }
+      },
+      "trusted_publishing_only": false
     }
   ],
   "environments": [],

Original file line number	Diff line number	Diff line change
`@@ -188,6 +188,7 @@ pub struct Repo {`
`188`	`188`	`pub struct Crate {`
`189`	`189`	`pub name: String,`
`190`	`190`	`pub crates_io_publishing: Option<CratesIoPublishing>,`
	`191`	`+ pub trusted_publishing_only: bool,`
`191`	`192`	`}`
`192`	`193`
`193`	`194`	`#[derive(Debug, Clone, Deserialize, Serialize, PartialEq)]`
Original file line number	Diff line number	Diff line change
`@@ -880,6 +880,8 @@ pub(crate) struct CratesIoPublishing {`
`880`	`880`	`pub crates: Vec<String>,`
`881`	`881`	`pub workflow_filename: String,`
`882`	`882`	`pub environment: String,`
	`883`	`+ #[serde(default)]`
	`884`	`+ pub disable_other_publish_methods: bool,`
`883`	`885`	`}`
`884`	`886`
`885`	`887`	`#[derive(serde_derive::Deserialize, Debug, Clone)]`