Merge pull request #12365 from Turbo87/trustpub-only

Add `trustpub_only` flag

Author: Turbo87

crates/crates_io_api_types/src/lib.rs

@@ -361,6 +361,9 @@ pub struct EncodableCrate {
     /// Whether the crate name was an exact match.
     #[schema(deprecated)]
     pub exact_match: bool,
+
+    /// Whether this crate can only be published via Trusted Publishing.
+    pub trustpub_only: bool,
 }
 
 impl EncodableCrate {
@@ -386,6 +389,7 @@ impl EncodableCrate {
             homepage,
             documentation,
             repository,
+            trustpub_only,
             ..
         } = krate;
         let versions_link = match versions {
@@ -451,6 +455,7 @@ impl EncodableCrate {
             exact_match,
             description,
             repository,
+            trustpub_only,
             links: EncodableCrateLinks {
                 version_downloads: format!("/api/v1/crates/{name}/downloads"),
                 versions: versions_link,
@@ -1201,6 +1206,7 @@ mod tests {
                 reverse_dependencies: "".to_string(),
             },
             exact_match: false,
+            trustpub_only: false,
         };
         let json = serde_json::to_string(&crt).unwrap();
         assert_some!(json.as_str().find(r#""updated_at":"2017-01-06T14:23:11Z""#));

crates/crates_io_database/src/models/krate.rs

@@ -37,6 +37,7 @@ pub struct Crate {
     pub repository: Option<String>,
     pub max_upload_size: Option<i32>,
     pub max_features: Option<i16>,
+    pub trustpub_only: bool,
 }
 
 /// We literally never want to select `textsearchable_index_col`
@@ -52,6 +53,7 @@ type AllColumns = (
     crates::repository,
     crates::max_upload_size,
     crates::max_features,
+    crates::trustpub_only,
 );
 
 pub const ALL_COLUMNS: AllColumns = (
@@ -65,6 +67,7 @@ pub const ALL_COLUMNS: AllColumns = (
     crates::repository,
     crates::max_upload_size,
     crates::max_features,
+    crates::trustpub_only,
 );
 
 pub const MAX_NAME_LENGTH: usize = 64;

crates/crates_io_database/src/schema.rs

@@ -374,6 +374,8 @@ diesel::table! {
         ///
         /// (Automatically generated by Diesel.)
         textsearchable_index_col -> Tsvector,
+        /// When true, this crate can only be published via Trusted Publishing, not with API tokens
+        trustpub_only -> Bool,
         /// The `updated_at` column of the `crates` table.
         ///
         /// Its SQL type is `Timestamptz`.

crates/crates_io_database_dump/src/dump-db.toml

@@ -92,6 +92,7 @@ textsearchable_index_col = "private" # This Postgres specific and can be derived
 repository = "public"
 max_upload_size = "public"
 max_features = "public"
+trustpub_only = "public"
 
 [crates_categories]
 dependencies = ["categories", "crates"]

crates/crates_io_database_dump/src/snapshots/crates_io_database_dump__tests__sql_scripts@export.sql.snap

@@ -6,7 +6,7 @@ BEGIN ISOLATION LEVEL REPEATABLE READ, READ ONLY;
 
     \copy "categories" ("category", "crates_cnt", "created_at", "description", "id", "path", "slug") TO 'data/categories.csv' WITH CSV HEADER
     \copy "crate_downloads" ("crate_id", "downloads") TO 'data/crate_downloads.csv' WITH CSV HEADER
-    \copy "crates" ("created_at", "description", "documentation", "homepage", "id", "max_features", "max_upload_size", "name", "readme", "repository", "updated_at") TO 'data/crates.csv' WITH CSV HEADER
+    \copy "crates" ("created_at", "description", "documentation", "homepage", "id", "max_features", "max_upload_size", "name", "readme", "repository", "trustpub_only", "updated_at") TO 'data/crates.csv' WITH CSV HEADER
     \copy "keywords" ("crates_cnt", "created_at", "id", "keyword") TO 'data/keywords.csv' WITH CSV HEADER
     \copy "metadata" ("total_downloads") TO 'data/metadata.csv' WITH CSV HEADER
     \copy "reserved_crate_names" ("name") TO 'data/reserved_crate_names.csv' WITH CSV HEADER

crates/crates_io_database_dump/src/snapshots/crates_io_database_dump__tests__sql_scripts@import.sql.snap

@@ -50,7 +50,7 @@ BEGIN;
 
     \copy "categories" ("category", "crates_cnt", "created_at", "description", "id", "path", "slug") FROM 'data/categories.csv' WITH CSV HEADER
     \copy "crate_downloads" ("crate_id", "downloads") FROM 'data/crate_downloads.csv' WITH CSV HEADER
-    \copy "crates" ("created_at", "description", "documentation", "homepage", "id", "max_features", "max_upload_size", "name", "readme", "repository", "updated_at") FROM 'data/crates.csv' WITH CSV HEADER
+    \copy "crates" ("created_at", "description", "documentation", "homepage", "id", "max_features", "max_upload_size", "name", "readme", "repository", "trustpub_only", "updated_at") FROM 'data/crates.csv' WITH CSV HEADER
     \copy "keywords" ("crates_cnt", "created_at", "id", "keyword") FROM 'data/keywords.csv' WITH CSV HEADER
     \copy "metadata" ("total_downloads") FROM 'data/metadata.csv' WITH CSV HEADER
     \copy "reserved_crate_names" ("name") FROM 'data/reserved_crate_names.csv' WITH CSV HEADER

crates/crates_io_test_utils/src/builders/krate.rs

@@ -16,6 +16,7 @@ pub struct CrateBuilder<'a> {
     krate: NewCrate<'a>,
     owner_id: i32,
     recent_downloads: Option<i32>,
+    trustpub_only: bool,
     updated_at: Option<DateTime<Utc>>,
     versions: Vec<VersionBuilder>,
 }
@@ -34,6 +35,7 @@ impl<'a> CrateBuilder<'a> {
             },
             owner_id,
             recent_downloads: None,
+            trustpub_only: false,
             updated_at: None,
             versions: Vec::new(),
         }
@@ -113,6 +115,12 @@ impl<'a> CrateBuilder<'a> {
         self
     }
 
+    /// Sets the crate's `trustpub_only` flag.
+    pub fn trustpub_only(mut self, trustpub_only: bool) -> Self {
+        self.trustpub_only = trustpub_only;
+        self
+    }
+
     pub async fn build(mut self, connection: &mut AsyncPgConnection) -> anyhow::Result<Crate> {
         use diesel::{insert_into, select, update};
 
@@ -171,6 +179,14 @@ impl<'a> CrateBuilder<'a> {
                 .await?;
         }
 
+        if self.trustpub_only {
+            krate = update(&krate)
+                .set(crates::trustpub_only.eq(true))
+                .returning(Crate::as_returning())
+                .get_result(connection)
+                .await?;
+        }
+
         update_default_version(krate.id, connection).await?;
 
         Ok(krate)

migrations/2025-11-19-091444-0000_add_trustpub_only_to_crates/down.sql

@@ -0,0 +1 @@
+ALTER TABLE crates DROP COLUMN trustpub_only;

migrations/2025-11-19-091444-0000_add_trustpub_only_to_crates/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE crates ADD COLUMN trustpub_only BOOLEAN NOT NULL DEFAULT FALSE;
+COMMENT ON COLUMN crates.trustpub_only IS 'When true, this crate can only be published via Trusted Publishing, not with API tokens';

src/controllers/krate.rs

@@ -15,6 +15,7 @@ pub mod owners;
 pub mod publish;
 pub mod rev_deps;
 pub mod search;
+pub mod update;
 pub mod versions;
 
 #[derive(Deserialize, FromRequestParts, IntoParams)]