Merge pull request #11513 from Turbo87/trustpub-data

Save and show JWT claims subset when Trusted Publishing is used

Author: Turbo87

app/components/version-list/row.hbs

@@ -45,6 +45,23 @@
             {{or @version.published_by.name @version.published_by.login}}
           </LinkTo>
         </span>
+      {{else if @version.trustpubPublisher}}
+        <span local-class="publisher trustpub">
+          via
+          {{#if @version.trustpubUrl}}
+            <a href={{@version.trustpubUrl}} target="_blank" rel="nofollow noopener noreferrer">
+              {{#if (eq @version.trustpub_data.provider "github")}}
+                {{svg-jar "github"}}
+              {{/if}}
+              {{@version.trustpubPublisher}}
+            </a>
+          {{else}}
+            {{#if (eq @version.trustpub_data.provider "github")}}
+              {{svg-jar "github"}}
+            {{/if}}
+            {{@version.trustpubPublisher}}
+          {{/if}}
+        </span>
       {{/if}}
 
       <time

app/models/version.js

@@ -43,6 +43,30 @@ export default class Version extends Model {
   /** @type {string[] | null} */
   @attr bin_names;
 
+  /**
+   * Information about the trusted publisher that published this version, if any.
+   * @type {Object | null}
+   */
+  @attr trustpub_data;
+
+  /**
+   * The name of the trusted publisher that published this version, if any.
+   * @type {string | null}
+   */
+  get trustpubPublisher() {
+    return this.trustpub_data?.provider === 'github' ? 'GitHub' : null;
+  }
+
+  /**
+   * The URL to the trusted publisher that published this version, if any.
+   * @type {string | null}
+   */
+  get trustpubUrl() {
+    return this.trustpub_data?.provider === 'github'
+      ? `https://github.com/${this.trustpub_data.repository}/actions/runs/${this.trustpub_data.run_id}`
+      : null;
+  }
+
   @belongsTo('crate', { async: false, inverse: 'versions' }) crate;
 
   @belongsTo('user', { async: false, inverse: null }) published_by;

crates/crates_io_database/Cargo.toml

@@ -31,5 +31,5 @@ utoipa = { version = "=5.4.0", features = ["chrono"] }
 claims = "=0.8.0"
 crates_io_test_db = { path = "../crates_io_test_db" }
 googletest = "=0.14.2"
-insta = "=1.43.1"
+insta = { version = "=1.43.1", features = ["json"] }
 tokio = { version = "=1.46.1", features = ["macros", "rt"] }

crates/crates_io_database/src/models/mod.rs

@@ -14,6 +14,7 @@ pub use self::krate::{Crate, CrateName, NewCrate, RecentCrateDownloads};
 pub use self::owner::{CrateOwner, Owner, OwnerKind};
 pub use self::team::{NewTeam, Team};
 pub use self::token::ApiToken;
+pub use self::trustpub::TrustpubData;
 pub use self::user::{NewUser, User};
 pub use self::version::{NewVersion, TopVersions, Version};
 

crates/crates_io_database/src/models/trustpub/data.rs

@@ -0,0 +1,60 @@
+use diesel::deserialize::{self, FromSql};
+use diesel::pg::{Pg, PgValue};
+use diesel::serialize::{self, Output, ToSql};
+use diesel::sql_types::Jsonb;
+use diesel::{AsExpression, FromSqlRow};
+use serde::{Deserialize, Serialize};
+
+/// Data structure containing trusted publisher information extracted from JWT claims
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, FromSqlRow, AsExpression)]
+#[diesel(sql_type = Jsonb)]
+#[serde(tag = "provider")]
+pub enum TrustpubData {
+    #[serde(rename = "github")]
+    GitHub {
+        /// Repository (e.g. "octo-org/octo-repo")
+        repository: String,
+        /// Workflow run ID
+        run_id: String,
+        /// SHA of the commit
+        sha: String,
+    },
+}
+
+impl ToSql<Jsonb, Pg> for TrustpubData {
+    fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, Pg>) -> serialize::Result {
+        let json = serde_json::to_value(self)?;
+        <serde_json::Value as ToSql<Jsonb, Pg>>::to_sql(&json, &mut out.reborrow())
+    }
+}
+
+impl FromSql<Jsonb, Pg> for TrustpubData {
+    fn from_sql(bytes: PgValue<'_>) -> deserialize::Result<Self> {
+        let json = <serde_json::Value as FromSql<Jsonb, Pg>>::from_sql(bytes)?;
+        Ok(serde_json::from_value(json)?)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use insta::assert_json_snapshot;
+
+    #[test]
+    fn test_serialization() {
+        let data = TrustpubData::GitHub {
+            repository: "octo-org/octo-repo".to_string(),
+            run_id: "example-run-id".to_string(),
+            sha: "example-sha".to_string(),
+        };
+
+        assert_json_snapshot!(data, @r#"
+        {
+          "provider": "github",
+          "repository": "octo-org/octo-repo",
+          "run_id": "example-run-id",
+          "sha": "example-sha"
+        }
+        "#);
+    }
+}

crates/crates_io_database/src/models/trustpub/mod.rs

@@ -1,7 +1,9 @@
+mod data;
 mod github_config;
 mod token;
 mod used_jti;
 
+pub use self::data::TrustpubData;
 pub use self::github_config::{GitHubConfig, NewGitHubConfig};
 pub use self::token::NewToken;
 pub use self::used_jti::NewUsedJti;

crates/crates_io_database/src/models/trustpub/token.rs

@@ -1,3 +1,4 @@
+use crate::models::TrustpubData;
 use crate::schema::trustpub_tokens;
 use chrono::{DateTime, Utc};
 use diesel::prelude::*;
@@ -9,6 +10,7 @@ pub struct NewToken<'a> {
     pub expires_at: DateTime<Utc>,
     pub hashed_token: &'a [u8],
     pub crate_ids: &'a [i32],
+    pub trustpub_data: Option<&'a TrustpubData>,
 }
 
 impl NewToken<'_> {

crates/crates_io_database/src/models/version.rs

@@ -7,7 +7,7 @@ use diesel::prelude::*;
 use diesel_async::{AsyncPgConnection, RunQueryDsl};
 use serde::Deserialize;
 
-use crate::models::{Crate, User};
+use crate::models::{Crate, TrustpubData, User};
 use crate::schema::{readme_renderings, users, versions};
 
 // Queryable has a custom implementation below
@@ -36,6 +36,7 @@ pub struct Version {
     pub homepage: Option<String>,
     pub documentation: Option<String>,
     pub repository: Option<String>,
+    pub trustpub_data: Option<TrustpubData>,
 }
 
 impl Version {
@@ -103,6 +104,7 @@ pub struct NewVersion<'a> {
     repository: Option<&'a str>,
     categories: Option<&'a [&'a str]>,
     keywords: Option<&'a [&'a str]>,
+    trustpub_data: Option<&'a TrustpubData>,
 }
 
 impl NewVersion<'_> {

crates/crates_io_database/src/schema.rs

@@ -800,6 +800,8 @@ diesel::table! {
         hashed_token -> Bytea,
         /// Unique identifiers of the crates that can be published using this token
         crate_ids -> Array<Nullable<Int4>>,
+        /// JSONB data containing JWT claims from the trusted publisher (e.g., GitHub Actions context like repository, run_id, sha)
+        trustpub_data -> Nullable<Jsonb>,
     }
 }
 
@@ -1077,6 +1079,8 @@ diesel::table! {
         keywords -> Array<Nullable<Text>>,
         /// JSONB representation of the version number for sorting purposes.
         semver_ord -> Nullable<Jsonb>,
+        /// JSONB data containing JWT claims from the trusted publisher (e.g., GitHub Actions context like repository, run_id, sha)
+        trustpub_data -> Nullable<Jsonb>,
     }
 }
 

crates/crates_io_database_dump/src/dump-db.toml

@@ -206,6 +206,7 @@ created_at = "private"
 expires_at = "private"
 hashed_token = "private"
 crate_ids = "private"
+trustpub_data = "private"
 
 [trustpub_used_jtis.columns]
 id = "private"
@@ -280,6 +281,8 @@ documentation = "public"
 repository = "public"
 categories = "public"
 keywords = "public"
+# The following column is private for now, until we can guarantee a stable data schema.
+trustpub_data = "private"
 
 [versions_published_by.columns]
 version_id = "private"