Bump rust-lang/crates-io-auth-action from 1 to 1.0.4#374
Conversation
🤖 Cursor Dependency AnalysisSupply-Chain Malware ReviewReviewing how the action is used and what changed in the upstream dependency. Supply-chain malware reviewClassic obfuscation — clear
Invisible Unicode / GlassWorm — clear
Dependency integrity — clear
Dependabot-specific — clear
Scanner vs manual review
Action: Safe to merge from a supply-chain perspective. Optional hardening: pin to commit SHA instead of Compatibility AnalysisAnalyzing how this action is used in the repo and what changed upstream. Compatibility & adoption analysis1) Usage in this repoSingle call site: - uses: rust-lang/crates-io-auth-action@v1.0.4
if: env.RELEASE == 'true'
id: auth
- name: Publish to crates.io
if: env.RELEASE == 'true'
env:
CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
# See comment above for why `--allow-dirty` is used.
run: |
cp -r src rust_bindings/cpp
cargo publish -p chiavdf --allow-dirty
PR change: one-line pin 2) Intersection with upstream changesUpstream changes between v1.0.0 and v1.0.4 are internal; the consumer-facing contract is unchanged:
Release-note items (tsdown, eslint, vitest, Renovate config) are dev/CI-only and do not affect workflow usage. 3) Risks / unknowns
No input/output renames, no new required inputs, no changes to the token flow your workflow depends on. 4) Recommendation: merge-with-caveatsSafe to merge. The bump pins a semver patch within the v1 line with no public API changes and matches your existing usage pattern. Caveat: Confirm on the next release that the Optional hardening (not required for merge): pin to commit SHA instead of Malware Scan Summary
Top findings
|
|
@dependabot rebase |
Bumps [rust-lang/crates-io-auth-action](https://github.com/rust-lang/crates-io-auth-action) from 1 to 1.0.4. - [Release notes](https://github.com/rust-lang/crates-io-auth-action/releases) - [Commits](rust-lang/crates-io-auth-action@v1...v1.0.4) --- updated-dependencies: - dependency-name: rust-lang/crates-io-auth-action dependency-version: 1.0.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
980adde to
c25ca35
Compare
🤖 Cursor Dependency AnalysisSupply-Chain Malware ReviewReviewing the dependency update: I'll inspect how the action is used in workflows and analyze upstream changes against the malware scan findings. This PR only pins Supply-chain review
Scanner interpretation Status is warn with 204 heuristic hits, but these are false positives for this package:
Recommendation: Safe to merge from a malware/supply-chain perspective. Pinning Compatibility AnalysisI'll trace where Compatibility & adoption analysis1) Where it’s usedSingle production usage in - uses: rust-lang/crates-io-auth-action@v1.0.4
if: env.RELEASE == 'true'
id: auth
- name: Publish to crates.io
if: env.RELEASE == 'true'
env:
CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
# See comment above for why `--allow-dirty` is used.
run: |
cp -r src rust_bindings/cpp
cargo publish -p chiavdf --allow-dirty
permissions:
id-token: write
contents: readNo other workflow references. 2) Intersection with upstream changes (
|
| Surface | Change? |
|---|---|
inputs.url |
No |
outputs.token |
No |
| Trusted-publishing flow (JWT → token → revoke) | No |
action.yml |
Only runtime: node20 → node24 |
Source diffs are limited to logging/error formatting, build tooling (tsup→tsdown), and dependency bumps (@actions/core 1→3, Node 24). No changes to main.ts logic or the public API between v1.0.4 and current @v1.
Your usage matches the stable API exactly — default registry, id: auth, steps.auth.outputs.token.
3) Risks / unknowns
| Risk | Severity | Notes |
|---|---|---|
| Release-only path untested in PR CI | Medium | Auth/publish steps are skipped unless RELEASE == 'true'. PR checks won’t validate token retrieval. |
| Node 24 runtime | Low | Action now requires using: node24. Supported on GitHub-hosted ubuntu-latest; no repo-side config needed. |
Pin slightly behind floating @v1 |
Low | Current @v1 is ~v1.0.5; this PR pins v1.0.4. No consumer-facing diff found between those tags. |
| Trusted publishing config on crates.io | Pre-existing | Must be configured for chiavdf / this repo. Independent of action version, but required for release publish to succeed. |
| Malware scan | Low | Status warn; heuristics on bundled dist/ JS only. No IOC/unicode/confusable hits. |
4) Recommendation: merge-with-caveats
Safe to merge: no API mismatch, permissions are correct, and usage is the documented default pattern.
Caveats before relying on it in production:
- Confirm the next release workflow run succeeds through the auth + publish steps (only real validation).
- Optionally bump to
@v1.0.5or keep@v1if you prefer the latest patch without changing behavior.
No hold warranted unless you want to wait for a release dry-run that exercises trusted publishing end-to-end.
Malware Scan Summary
- Status: warn
- Warn only mode:
true - Changed upstream files scanned:
12 - Resolution strategy:
commit_list - Changed node/vendor paths:
0 - Changed lockfiles:
2 - Resolved refs: from=
n/ato=bbd81622f20ce9e2dd9622e3218b975523e45bbe - Unicode findings (post-allowlist):
0 - Confusable findings (post-allowlist):
0 - IOC findings (post-allowlist):
0 - Heuristic findings (post-allowlist):
204
Top findings
dist/chunk1.js:967codepoint_decoder ::if ((this.code = key.charCodeAt(index)) > 127) throw new TypeError("key must be ascii string");dist/chunk1.js:981codepoint_decoder ::const code = key.charCodeAt(index);dist/chunk1.js:1387codepoint_decoder ::for (let i = 0; i < characters.length; ++i) if (!isTokenCharCode(characters.charCodeAt(i))) return false;dist/chunk1.js:2681codepoint_decoder ::for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {dist/chunk1.js:3271codepoint_decoder ::if (data.charCodeAt(dataLength - 1) === 61) {dist/chunk1.js:3273codepoint_decoder ::if (data.charCodeAt(dataLength - 1) === 61) --dataLength;dist/chunk1.js:3373codepoint_decoder ::if (leading) while (lead < str.length && predicate(str.charCodeAt(lead))) lead++;dist/chunk1.js:3374codepoint_decoder ::if (trailing) while (trail > 0 && predicate(str.charCodeAt(trail))) trail--;dist/chunk1.js:3665codepoint_decoder ::for (let index = 0; index < x.length; index++) if (x.charCodeAt(index) > 255) throw new TypeError(Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.);dist/chunk1.js:3805codepoint_decoder ::const code = url.charCodeAt(i);dist/chunk1.js:3833codepoint_decoder ::const c = statusText.charCodeAt(i);dist/chunk1.js:4363codepoint_decoder ::if (data.charCodeAt(position.position) !== 61) return "failure";dist/chunk1.js:4367codepoint_decoder ::const code = char.charCodeAt(0);dist/chunk1.js:4372codepoint_decoder ::if (data.charCodeAt(position.position) !== 45) return "failure";dist/chunk1.js:4376codepoint_decoder ::const code = char.charCodeAt(0);dist/chunk1.js:4472codepoint_decoder ::if (position.position < input.length) if (input.charCodeAt(position.position) === 34) {dist/chunk1.js:4476codepoint_decoder ::assert$22(input.charCodeAt(position.position) === 44);dist/chunk1.js:4799codepoint_decoder ::for (let i = 0; i < chars.length; ++i) if ((chars.charCodeAt(i) & -128) !== 0) return false;dist/chunk1.js:4810codepoint_decoder ::const cp = boundary.charCodeAt(i);dist/chunk1.js:9950codepoint_decoder ::while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j;
Bumps rust-lang/crates-io-auth-action from 1 to 1.0.4.
Release notes
Sourced from rust-lang/crates-io-auth-action's releases.
... (truncated)
Commits
bbd8162Merge pull request #213 from rust-lang/update-to-actions-core-38c12a02update to actions core 357ca10cMerge pull request #212 from rust-lang/update-to-node-2403c291bupdate to node 2416020e9Merge pull request #192 from rust-lang/renovate/lock-file-maintenanceeea9b15chore(deps): lock file maintenance0beb7deMerge pull request #211 from rust-lang/update-tsdown-to-v0-21e143bcefix deprecationb1c8245update tsdown to v0.21bec4b39Merge pull request #209 from rust-lang/renovate/major-github-actionsNote
Low Risk
Single CI dependency pin with no application code changes; release publish still uses the same auth step and token wiring.
Overview
Pins
rust-lang/crates-io-auth-actionin the Rust bindings workflow from the floating@v1tag to@v1.0.4, so release-only crates.io auth uses a fixed action version.No workflow logic or publish steps change; only the action reference in
build_crateis updated.Reviewed by Cursor Bugbot for commit c25ca35. Bugbot is set up for automated code reviews on this repo. Configure here.