Migrate this workspace to using trusted publishing#12257
Merged
alexcrichton merged 1 commit intobytecodealliance:mainfrom Jan 7, 2026
Merged
Migrate this workspace to using trusted publishing#12257alexcrichton merged 1 commit intobytecodealliance:mainfrom
alexcrichton merged 1 commit intobytecodealliance:mainfrom
Conversation
This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
dicej
approved these changes
Jan 7, 2026
alexcrichton
added a commit
to alexcrichton/wasmtime
that referenced
this pull request
Jan 7, 2026
…12257) This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
alexcrichton
added a commit
that referenced
this pull request
Jan 7, 2026
This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
alexcrichton
added a commit
to alexcrichton/wasmtime
that referenced
this pull request
Jan 7, 2026
…12257) This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
alexcrichton
added a commit
to alexcrichton/wasmtime
that referenced
this pull request
Jan 7, 2026
…12257) This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
alexcrichton
added a commit
to alexcrichton/wasmtime
that referenced
this pull request
Jan 7, 2026
…12257) This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
alexcrichton
added a commit
to alexcrichton/wasmtime
that referenced
this pull request
Jan 7, 2026
…12257) This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
alexcrichton
added a commit
that referenced
this pull request
Jan 8, 2026
This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
alexcrichton
added a commit
that referenced
this pull request
Jan 8, 2026
This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
alexcrichton
added a commit
that referenced
this pull request
Jan 8, 2026
This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime.
alexcrichton
added a commit
that referenced
this pull request
Jan 9, 2026
* Migrate this workspace to using trusted publishing (#12257) This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime. * Update cargo-vet with trusted publishing support (#12285) This updates the `cargo vet` used in CI to include support for trusted publishing. This is necessary now that the latest version of Wasmtime (40.0.1) is published with trusted publishing. I'm not entirely sure why this is necessary, but it's going to be inevitable in the future anyway as we transition to trusted publishing. The `cargo vet` tool is now installed from git and new wildcard audits for all wasmtime, wasm-tools, and wit-bindgen crates are added for the appropriate trusted-publisher. Maintainers will need to install cargo-vet from git as well, but unfortunately after the publish of 40.0.1 yesterday I don't think we have an option as otherwise CI is broken.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only
wasmtime-publishis the user on all of our crates, but for now this needs to land and get backported before that's done.Changes here are:
publish-to-cratesio.ymlworkflow now usesrust-lang/crates-io-auth-action@v1to get a crates.io-based token. The in-repository secret is no longer used.publish-to-cratesio.ymlworkflow has a new github "Environment" it runs in namedpublishgithub:bytecodealliance:wasmtime-publishuser to crates.wasmtime-publishgithub users is on all crates.External changes are:
publish"Environment" was added to this repository.My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime. Once that's all done and sorted I'll follow-up with more contributor-facing documentation about how to add new crates.