switch to token auth #28
Merged
Hey - I've found 1 issue, and left some high level feedback:
- The comments around the publish step still describe using OIDC and 'OR' options, which is now misleading; update the comments to reflect that the workflow exclusively uses the CRATES_IO_TOKEN secret.
- The large block of commented-out steps for the old OIDC-based publish flow can be removed to keep the workflow minimal and easier to maintain unless you expect to toggle back to it soon.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The comments around the publish step still describe using OIDC and 'OR' options, which is now misleading; update the comments to reflect that the workflow exclusively uses the CRATES_IO_TOKEN secret.
- The large block of commented-out steps for the old OIDC-based publish flow can be removed to keep the workflow minimal and easier to maintain unless you expect to toggle back to it soon.
## Individual Comments
### Comment 1
<location path=".github/workflows/rust-publish.yml" line_range="209" />
<code_context>
- name: Publish
env:
- CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+ CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
run:
cargo publish
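Review bot: with this change the publish step no longer consumes `steps.auth.outputs.token`, so the `rust-lang/crates-io-auth-action` step (`id: auth`) and the `id-token: write` permission it needs are now dead weight unless the OIDC path is kept as the default; either drop them together with the commented-out OIDC block, or keep OIDC primary and use the secret only as a fallback, e.g. `CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token || secrets.CRATES_IO_TOKEN }}`. Since `secrets.CRATES_IO_TOKEN` is now a long-lived credential that can publish on behalf of the project, the job should read it from a protected GitHub environment rather than a repository-wide secret, and the token itself should be restricted to the publish scope and this crate so a leak from the runner cannot be reused elsewhere.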
</code_context>
<issue_to_address>
**🚨 issue (security):** Consider implications of switching from OIDC to a long-lived API token
Using a static `CRATES_IO_TOKEN` instead of the OIDC-based `rust-lang/crates-io-auth-action` introduces a long-lived secret where there was previously an ephemeral credential. If this is required (e.g., due to environment/OIDC limitations), please ensure the token is minimally scoped, easy to rotate, and that this persistent secret dependency is documented. If OIDC is still an option, consider keeping it as the default and using the token only as a fallback to reduce exposure.
</issue_to_address>
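The "OIDC by default, token only as fallback" layout the reviewer asks for, written out as an added example (this is not the project's `rust-publish.yml`). It assumes the `rust-lang/crates-io-auth-action` step and its `token` output referenced in the diff, the `CRATES_IO_TOKEN` secret name from the diff, and an assumed GitHub environment called `crates-io`; the weak setting from the PR is kept beside the hardened one for comparison.

```yaml
name: Publish to crates.io

on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed environment name: holds CRATES_IO_TOKEN so only jobs bound to this
    # environment can read it, and can require reviewer approval before running.
    environment: crates-io
    permissions:
      contents: read
      id-token: write   # required for the OIDC exchange with crates.io
    steps:
      - uses: actions/checkout@v4

      # Preferred path: a short-lived token minted through OIDC Trusted Publishing.
      # continue-on-error lets the job fall through to the secret if the exchange fails.
      - name: Authenticate with crates.io (OIDC)
        id: auth
        continue-on-error: true
        uses: rust-lang/crates-io-auth-action@v1

      # Weak setting from the PR: the long-lived secret is the only credential.
      # - name: Publish
      #   env:
      #     CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
      #   run: cargo publish

      # Hardened: use the OIDC token when one was issued; the secret is consulted
      # only when the auth step failed (assumes a failed step leaves its output empty,
      # which the `||` expression treats as false).
      - name: Publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token || secrets.CRATES_IO_TOKEN }}
        run: cargo publish
```

When the fallback token is created on crates.io, restrict it to the publish scope and to this crate's name and give it an expiry, so that rotation is forced and a leaked runner secret cannot publish other crates; keeping it in the `crates-io` environment rather than as a repository secret means it is never exposed to pull-request or other unrelated jobs.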
No description provided.