Update cargo-vet with trusted publishing support #12285
Merged
+827
−762
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This updates the `cargo vet` used in CI to include support for trusted publishing. This is necessary now that the latest version of Wasmtime (40.0.1) is published with trusted publishing. I'm not entirely sure why this is necessary, but it's going to be inevitable in the future anyway as we transition to trusted publishing. The `cargo vet` tool is now installed from git and new wildcard audits for all wasmtime, wasm-tools, and wit-bindgen crates are added for the appropriate trusted-publisher. Maintainers will need to install cargo-vet from git as well, but unfortunately after the publish of 40.0.1 yesterday I don't think we have an option as otherwise CI is broken.
alexcrichton
added a commit
to alexcrichton/wasmtime
that referenced
this pull request
Jan 9, 2026
) This updates the `cargo vet` used in CI to include support for trusted publishing. This is necessary now that the latest version of Wasmtime (40.0.1) is published with trusted publishing. I'm not entirely sure why this is necessary, but it's going to be inevitable in the future anyway as we transition to trusted publishing. The `cargo vet` tool is now installed from git and new wildcard audits for all wasmtime, wasm-tools, and wit-bindgen crates are added for the appropriate trusted-publisher. Maintainers will need to install cargo-vet from git as well, but unfortunately after the publish of 40.0.1 yesterday I don't think we have an option as otherwise CI is broken.
alexcrichton
added a commit
that referenced
this pull request
Jan 9, 2026
* Migrate this workspace to using trusted publishing (#12257) This commit updates CI config and such to ensure that we're compatible with crates.io-based trusted publishing. Eventually we'll want the restriction that only `wasmtime-publish` is the user on all of our crates, but for now this needs to land and get backported before that's done. Changes here are: * The `publish-to-cratesio.yml` workflow now uses `rust-lang/crates-io-auth-action@v1` to get a crates.io-based token. The in-repository secret is no longer used. * The `publish-to-cratesio.yml` workflow has a new github "Environment" it runs in named `publish` * The publish script no longer adds the `github:bytecodealliance:wasmtime-publish` user to crates. * The publish script now verifies that the `wasmtime-publish` github users is on all crates. * Eventually the publish script will verify that it's the only user on all the crates, but that's left for a future PR. External changes are: * A new `publish` "Environment" was added to this repository. * All crates are configured on crates.io to have a trusted publishing workflow for this repository. * All crates now require being published through a trusted publishing workflow. My plan is to backport this to the 40.0.0 branch, run a point release, fix anything that comes up, and then backport this to all supported branches of Wasmtime. * Update cargo-vet with trusted publishing support (#12285) This updates the `cargo vet` used in CI to include support for trusted publishing. This is necessary now that the latest version of Wasmtime (40.0.1) is published with trusted publishing. I'm not entirely sure why this is necessary, but it's going to be inevitable in the future anyway as we transition to trusted publishing. The `cargo vet` tool is now installed from git and new wildcard audits for all wasmtime, wasm-tools, and wit-bindgen crates are added for the appropriate trusted-publisher. Maintainers will need to install cargo-vet from git as well, but unfortunately after the publish of 40.0.1 yesterday I don't think we have an option as otherwise CI is broken.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This updates the
cargo vetused in CI to include support for trusted publishing. This is necessary now that the latest version of Wasmtime (40.0.1) is published with trusted publishing. I'm not entirely sure why this is necessary, but it's going to be inevitable in the future anyway as we transition to trusted publishing.The
cargo vettool is now installed from git and new wildcard audits for all wasmtime, wasm-tools, and wit-bindgen crates are added for the appropriate trusted-publisher. Maintainers will need to install cargo-vet from git as well, but unfortunately after the publish of 40.0.1 yesterday I don't think we have an option as otherwise CI is broken.Closes #12283