Skip to content

Bump rust-lang/crates-io-auth-action from 1 to 1.0.4#374

Merged
hoffmang9 merged 1 commit into
mainfrom
dependabot/github_actions/rust-lang/crates-io-auth-action-1.0.4
Jun 16, 2026
Merged

Bump rust-lang/crates-io-auth-action from 1 to 1.0.4#374
hoffmang9 merged 1 commit into
mainfrom
dependabot/github_actions/rust-lang/crates-io-auth-action-1.0.4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026

Copy link
Copy Markdown
Contributor

Bumps rust-lang/crates-io-auth-action from 1 to 1.0.4.

Release notes

Sourced from rust-lang/crates-io-auth-action's releases.

v1.0.4

What's Changed

Full Changelog: rust-lang/crates-io-auth-action@v1.0.3...v1.0.4

v1.0.3

What's Changed

Full Changelog: rust-lang/crates-io-auth-action@v1.0.2...v1.0.3

v1.0.2

What's Changed

New Contributors

Full Changelog: rust-lang/crates-io-auth-action@v1.0.1...v1.0.2

v1.0.1

What's Changed

... (truncated)

Commits
  • bbd8162 Merge pull request #213 from rust-lang/update-to-actions-core-3
  • 8c12a02 update to actions core 3
  • 57ca10c Merge pull request #212 from rust-lang/update-to-node-24
  • 03c291b update to node 24
  • 16020e9 Merge pull request #192 from rust-lang/renovate/lock-file-maintenance
  • eea9b15 chore(deps): lock file maintenance
  • 0beb7de Merge pull request #211 from rust-lang/update-tsdown-to-v0-21
  • e143bce fix deprecation
  • b1c8245 update tsdown to v0.21
  • bec4b39 Merge pull request #209 from rust-lang/renovate/major-github-actions
  • Additional commits viewable in compare view


Note

Low Risk
Single CI dependency pin with no application code changes; release publish still uses the same auth step and token wiring.

Overview
Pins rust-lang/crates-io-auth-action in the Rust bindings workflow from the floating @v1 tag to @v1.0.4, so release-only crates.io auth uses a fixed action version.

No workflow logic or publish steps change; only the action reference in build_crate is updated.

Reviewed by Cursor Bugbot for commit c25ca35. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Jun 16, 2026
@github-actions

Copy link
Copy Markdown

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing how the action is used and what changed in the upstream dependency.
Verdict: benign

Supply-chain malware review

Classic obfuscation — clear

  • No eval/Function/base64/XOR patterns in upstream src/; bundled dist/chunk1.js only has routine charCodeAt/fromCharCode from HTTP/stdlib bundling (tsdown output).
  • Network calls are limited to the configured registry (https://crates.io/api/v1/trusted_publishing/tokens by default) plus GitHub OIDC — expected for this action.
  • No filesystem persistence, shell spawning in action source, or typosquatting (rust-lang/crates-io-auth-action is the official Rust project).
  • package.json has no preinstall/install/postinstall lifecycle scripts — only package, format, lint, test.

Invisible Unicode / GlassWorm — clear

  • Scanner: 0 unicode, confusable, and IOC findings after allowlist.
  • Source changes between versions are normal (logging, test API, JSON import syntax) with no hidden-character indicators.

Dependency integrity — clear

  • Resolved commit bbd8162 matches tagged release v1.0.4; semver tags exist through v1.0.5.
  • Changes align with release notes: Node 20→24, @actions/core 1→3, tsup→tsdown, lockfile maintenance — no ghost version or unexpected publisher drift.
  • child_process / @actions/exec hits in scanner are transitive GitHub Actions toolkit deps, not new runtime behavior.

Dependabot-specific — clear

  • Local PR change is a single version pin in .github/workflows/rust.yml (@v1@v1.0.4); no unrelated workflow logic added.
  • Workflow already has permissions: id-token: write, which v1.0.4 requires.

Scanner vs manual review

  • Scanner status warn with 204 heuristic hits; I treat these as false positives:
    • codepoint_decoder: minified fetch/HTTP parsing in dist/chunk1.js
    • shell_process_spawn: @actions/exec / cross-spawn in pnpm-lock.yaml and bundled imports
    • credential_exfil_indicator: legitimate trusted-publishing token exchange (getTokensEndpoint, fetch(tokensEndpoint, …))
  • No disagreement on high-confidence categories (unicode/IOC/confusable all clean).

Action: Safe to merge from a supply-chain perspective. Optional hardening: pin to commit SHA instead of @v1.0.4 if your org requires immutable action refs. Confirm the release publish job succeeds on GitHub-hosted runners (Node 24 runtime requirement).

Compatibility Analysis

Analyzing how this action is used in the repo and what changed upstream.

Compatibility & adoption analysis

1) Usage in this repo

Single call site: .github/workflows/rust.yml, build_crate job.

      - uses: rust-lang/crates-io-auth-action@v1.0.4
        if: env.RELEASE == 'true'
        id: auth

      - name: Publish to crates.io
        if: env.RELEASE == 'true'
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
        # See comment above for why `--allow-dirty` is used.
        run: |
          cp -r src rust_bindings/cpp
          cargo publish -p chiavdf --allow-dirty
  • Default config only (no with: inputs).
  • Consumes the token output.
  • Runs only when env.RELEASE == 'true' (release publish path).
  • Workflow already sets permissions: id-token: write (required for OIDC).

PR change: one-line pin @v1@v1.0.4.


2) Intersection with upstream changes

Upstream changes between v1.0.0 and v1.0.4 are internal; the consumer-facing contract is unchanged:

Surface v1 / v1.0.0 v1.0.4 Used here?
Input url optional, default https://crates.io same No (default)
Output token yes yes Yes
Runtime node20 node24 implicit
src/main.ts logic trusted publishing flow unchanged yes (indirectly)

Release-note items (tsdown, eslint, vitest, Renovate config) are dev/CI-only and do not affect workflow usage.


3) Risks / unknowns

Risk Severity Notes
Release-only execution Medium PR/push CI never runs the auth step; real validation waits until the next release publish.
Node 24 runtime Low Only workflow-visible change. Supported on GitHub-hosted runners; unlikely to break.
Trusted publishing config Pre-existing crates.io trusted publishing must already be set up for chiavdf; not introduced by this bump.
Supply chain Low Official rust-lang action; malware review flagged benign.

No input/output renames, no new required inputs, no changes to the token flow your workflow depends on.


4) Recommendation: merge-with-caveats

Safe to merge. The bump pins a semver patch within the v1 line with no public API changes and matches your existing usage pattern.

Caveat: Confirm on the next release that the build_crate publish job completes (auth + cargo publish). PR CI will not exercise this path because of if: env.RELEASE == 'true'.

Optional hardening (not required for merge): pin to commit SHA instead of @v1.0.4 if your org requires immutable action refs.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 12
  • Resolution strategy: commit_list
  • Changed node/vendor paths: 0
  • Changed lockfiles: 2
  • Resolved refs: from=n/a to=bbd81622f20ce9e2dd9622e3218b975523e45bbe
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 204

Top findings

  • dist/chunk1.js:967 codepoint_decoder :: if ((this.code = key.charCodeAt(index)) > 127) throw new TypeError("key must be ascii string");
  • dist/chunk1.js:981 codepoint_decoder :: const code = key.charCodeAt(index);
  • dist/chunk1.js:1387 codepoint_decoder :: for (let i = 0; i < characters.length; ++i) if (!isTokenCharCode(characters.charCodeAt(i))) return false;
  • dist/chunk1.js:2681 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • dist/chunk1.js:3271 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • dist/chunk1.js:3273 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) --dataLength;
  • dist/chunk1.js:3373 codepoint_decoder :: if (leading) while (lead < str.length && predicate(str.charCodeAt(lead))) lead++;
  • dist/chunk1.js:3374 codepoint_decoder :: if (trailing) while (trail > 0 && predicate(str.charCodeAt(trail))) trail--;
  • dist/chunk1.js:3665 codepoint_decoder :: for (let index = 0; index < x.length; index++) if (x.charCodeAt(index) > 255) throw new TypeError(Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.);
  • dist/chunk1.js:3805 codepoint_decoder :: const code = url.charCodeAt(i);
  • dist/chunk1.js:3833 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • dist/chunk1.js:4363 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) return "failure";
  • dist/chunk1.js:4367 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/chunk1.js:4372 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) return "failure";
  • dist/chunk1.js:4376 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/chunk1.js:4472 codepoint_decoder :: if (position.position < input.length) if (input.charCodeAt(position.position) === 34) {
  • dist/chunk1.js:4476 codepoint_decoder :: assert$22(input.charCodeAt(position.position) === 44);
  • dist/chunk1.js:4799 codepoint_decoder :: for (let i = 0; i < chars.length; ++i) if ((chars.charCodeAt(i) & -128) !== 0) return false;
  • dist/chunk1.js:4810 codepoint_decoder :: const cp = boundary.charCodeAt(i);
  • dist/chunk1.js:9950 codepoint_decoder :: while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j;

@hoffmang9

Copy link
Copy Markdown
Member

@dependabot rebase

Bumps [rust-lang/crates-io-auth-action](https://github.com/rust-lang/crates-io-auth-action) from 1 to 1.0.4.
- [Release notes](https://github.com/rust-lang/crates-io-auth-action/releases)
- [Commits](rust-lang/crates-io-auth-action@v1...v1.0.4)

---
updated-dependencies:
- dependency-name: rust-lang/crates-io-auth-action
  dependency-version: 1.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/rust-lang/crates-io-auth-action-1.0.4 branch from 980adde to c25ca35 Compare June 16, 2026 22:30
@github-actions

Copy link
Copy Markdown

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the dependency update: I'll inspect how the action is used in workflows and analyze upstream changes against the malware scan findings.
Verdict: benign

This PR only pins rust-lang/crates-io-auth-action from the floating @v1 tag to @v1.0.4 in .github/workflows/rust.yml for the release-only crates.io publish step. That is a normal, expected Dependabot change with no extra workflow logic added.

Supply-chain review

Category Assessment
Classic obfuscation No eval/Function, no suspicious lifecycle scripts (package.json has only package/format/lint/test). Large dist/chunk1.js is expected bundled output from the tsup→tsdown migration; base64/WASM there matches bundled HTTP stack (e.g. llhttp/undici), not hidden payloads.
Network / exfil Action behavior is unchanged and intentional: GitHub OIDC JWT → POST {registryUrl}/api/v1/trusted_publishing/tokens → token output; post step DELETEs the same endpoint. No unexpected third-party hosts in src/.
Unicode / GlassWorm Scanner: 0 unicode, 0 confusable, 0 IOC findings.
Dependency integrity Upstream delta (v1.0.0→v1.0.4) is toolchain modernization: Node 20→24, @actions/core 1→3, dev-deps/lockfile refresh. Core source changes are minor logging/error-message tweaks. Tags v1.0.0v1.0.4 exist; resolved commit bbd8162 matches release notes. Maintainer is still rust-lang.
Dependabot context No new install hooks, no vendor/node_modules changes in this repo—only the action version reference.

Scanner interpretation

Status is warn with 204 heuristic hits, but these are false positives for this package:

  • codepoint_decoder — routine charCodeAt usage in bundled HTTP/parser code.
  • shell_process_spawn@actions/exec / cross-spawn in lockfile and bundled GitHub Actions tooling.
  • credential_exfil_indicator — flags the action’s core job (fetch token, revoke token); expected, not exfil to an unknown host.
  • maintainer_drift — triggered by version string 1→1.0.4, not a publisher/account change.

Recommendation: Safe to merge from a malware/supply-chain perspective. Pinning @v1.0.4 is slightly stronger than a floating @v1 tag. After merge, confirm the release workflow still passes on a runner with Node 24 support (standard on current GitHub-hosted runners).

Compatibility Analysis

I'll trace where crates-io-auth-action is used and compare that with upstream changes between v1 and v1.0.4.

Compatibility & adoption analysis

1) Where it’s used

Single production usage in .github/workflows/rust.yml, build_crate job:

      - uses: rust-lang/crates-io-auth-action@v1.0.4
        if: env.RELEASE == 'true'
        id: auth

      - name: Publish to crates.io
        if: env.RELEASE == 'true'
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
        # See comment above for why `--allow-dirty` is used.
        run: |
          cp -r src rust_bindings/cpp
          cargo publish -p chiavdf --allow-dirty
  • Default inputs only (no custom url).
  • Consumes the token output.
  • Gated on env.RELEASE == 'true' (actual release publishes only).
  • Workflow already grants required OIDC permission:
permissions:
  id-token: write
  contents: read

No other workflow references. cargo publish --dry-run in the same job does not use the action.


2) Intersection with upstream changes (@v1@v1.0.4)

Upstream changes between early v1 and v1.0.4 are internal; the consumer contract is unchanged:

Surface Change?
inputs.url No
outputs.token No
Trusted-publishing flow (JWT → token → revoke) No
action.yml Only runtime: node20node24

Source diffs are limited to logging/error formatting, build tooling (tsup→tsdown), and dependency bumps (@actions/core 1→3, Node 24). No changes to main.ts logic or the public API between v1.0.4 and current @v1.

Your usage matches the stable API exactly — default registry, id: auth, steps.auth.outputs.token.


3) Risks / unknowns

Risk Severity Notes
Release-only path untested in PR CI Medium Auth/publish steps are skipped unless RELEASE == 'true'. PR checks won’t validate token retrieval.
Node 24 runtime Low Action now requires using: node24. Supported on GitHub-hosted ubuntu-latest; no repo-side config needed.
Pin slightly behind floating @v1 Low Current @v1 is ~v1.0.5; this PR pins v1.0.4. No consumer-facing diff found between those tags.
Trusted publishing config on crates.io Pre-existing Must be configured for chiavdf / this repo. Independent of action version, but required for release publish to succeed.
Malware scan Low Status warn; heuristics on bundled dist/ JS only. No IOC/unicode/confusable hits.

4) Recommendation: merge-with-caveats

Safe to merge: no API mismatch, permissions are correct, and usage is the documented default pattern.

Caveats before relying on it in production:

  1. Confirm the next release workflow run succeeds through the auth + publish steps (only real validation).
  2. Optionally bump to @v1.0.5 or keep @v1 if you prefer the latest patch without changing behavior.

No hold warranted unless you want to wait for a release dry-run that exercises trusted publishing end-to-end.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 12
  • Resolution strategy: commit_list
  • Changed node/vendor paths: 0
  • Changed lockfiles: 2
  • Resolved refs: from=n/a to=bbd81622f20ce9e2dd9622e3218b975523e45bbe
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 204

Top findings

  • dist/chunk1.js:967 codepoint_decoder :: if ((this.code = key.charCodeAt(index)) > 127) throw new TypeError("key must be ascii string");
  • dist/chunk1.js:981 codepoint_decoder :: const code = key.charCodeAt(index);
  • dist/chunk1.js:1387 codepoint_decoder :: for (let i = 0; i < characters.length; ++i) if (!isTokenCharCode(characters.charCodeAt(i))) return false;
  • dist/chunk1.js:2681 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • dist/chunk1.js:3271 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • dist/chunk1.js:3273 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) --dataLength;
  • dist/chunk1.js:3373 codepoint_decoder :: if (leading) while (lead < str.length && predicate(str.charCodeAt(lead))) lead++;
  • dist/chunk1.js:3374 codepoint_decoder :: if (trailing) while (trail > 0 && predicate(str.charCodeAt(trail))) trail--;
  • dist/chunk1.js:3665 codepoint_decoder :: for (let index = 0; index < x.length; index++) if (x.charCodeAt(index) > 255) throw new TypeError(Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.);
  • dist/chunk1.js:3805 codepoint_decoder :: const code = url.charCodeAt(i);
  • dist/chunk1.js:3833 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • dist/chunk1.js:4363 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) return "failure";
  • dist/chunk1.js:4367 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/chunk1.js:4372 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) return "failure";
  • dist/chunk1.js:4376 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/chunk1.js:4472 codepoint_decoder :: if (position.position < input.length) if (input.charCodeAt(position.position) === 34) {
  • dist/chunk1.js:4476 codepoint_decoder :: assert$22(input.charCodeAt(position.position) === 44);
  • dist/chunk1.js:4799 codepoint_decoder :: for (let i = 0; i < chars.length; ++i) if ((chars.charCodeAt(i) & -128) !== 0) return false;
  • dist/chunk1.js:4810 codepoint_decoder :: const cp = boundary.charCodeAt(i);
  • dist/chunk1.js:9950 codepoint_decoder :: while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j;

@hoffmang9 hoffmang9 merged commit 39712ec into main Jun 16, 2026
67 checks passed
@hoffmang9 hoffmang9 deleted the dependabot/github_actions/rust-lang/crates-io-auth-action-1.0.4 branch June 16, 2026 23:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant