Skip to content

Bump rust-lang/crates-io-auth-action from 1.0.4 to 1.0.5#377

Merged
hoffmang9 merged 1 commit into
mainfrom
dependabot/github_actions/rust-lang/crates-io-auth-action-1.0.5
Jun 23, 2026
Merged

Bump rust-lang/crates-io-auth-action from 1.0.4 to 1.0.5#377
hoffmang9 merged 1 commit into
mainfrom
dependabot/github_actions/rust-lang/crates-io-auth-action-1.0.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps rust-lang/crates-io-auth-action from 1.0.4 to 1.0.5.

Release notes

Sourced from rust-lang/crates-io-auth-action's releases.

v1.0.5

What's Changed

Internal changes

Full Changelog: rust-lang/crates-io-auth-action@v1.0.4...v1.0.5

Commits
  • c6f97d4 Merge pull request #259 from rust-lang/renovate/lock-file-maintenance
  • b929a92 package dist
  • 9d23f3b chore(deps): lock file maintenance
  • 2b6b194 Merge pull request #263 from rust-lang/ci-links-accept-403-as-failure
  • 1a7afc2 ci(links): accept 403 as success
  • 701b15c Merge pull request #260 from rust-lang/renovate/tsdown-0.x-lockfile
  • cf898e1 package dist
  • 1a6a621 chore(deps): update dependency tsdown to v0.22.2
  • 9f93ac2 Merge pull request #261 from rust-lang/renovate/github-actions
  • 5463451 chore(deps): update github actions to v6.0.3
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Patch-level GitHub Action bump with unchanged inputs/outputs; no application or security logic changes.

Overview
Updates the Rust bindings workflow’s crates.io publish step to use rust-lang/crates-io-auth-action@v1.0.5 instead of v1.0.4. The step still runs only on release (env.RELEASE == 'true') and feeds steps.auth.outputs.token into CARGO_REGISTRY_TOKEN for cargo publish; no other workflow logic changes.

Reviewed by Cursor Bugbot for commit a61a3f1. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [rust-lang/crates-io-auth-action](https://github.com/rust-lang/crates-io-auth-action) from 1.0.4 to 1.0.5.
- [Release notes](https://github.com/rust-lang/crates-io-auth-action/releases)
- [Commits](rust-lang/crates-io-auth-action@v1.0.4...v1.0.5)

---
updated-dependencies:
- dependency-name: rust-lang/crates-io-auth-action
  dependency-version: 1.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Jun 23, 2026
@github-actions

Copy link
Copy Markdown

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing how the action is used and what changed upstream between 1.0.4 and 1.0.5.
Verdict: benign

This is a low-risk patch bump from the official rust-lang/crates-io-auth-action repo. The PR only changes the version pin in .github/workflows/rust.yml (v1.0.4v1.0.5).

Upstream change analysis (v1.0.4 → v1.0.5)

  • No application source changessrc/, action.yml, dist/main.js, and dist/post.js are unchanged.
  • Only rebuild/tooling churndist/chunk1.js was repackaged after devDependency updates (TypeScript 6, tsdown 0.22, @actions/core 3.0.0→3.0.1, lockfile maintenance). Commits are Renovate/toolchain PRs from rust-lang maintainers.
  • No install hookspackage.json has only package, format, lint, test; no preinstall/postinstall.
  • Expected auth behavior unchanged — the action still uses GitHub OIDC + a POST to the crates.io token endpoint; your workflow already has id-token: write.

Malware scanner (status: warn) — false positives, not compromise

Category Result Assessment
Unicode / GlassWorm 0 findings Clean
IOC 0 findings Clean
Heuristic (198) Mostly noise charCodeAt in bundled HTTP parsers (undici), token/cookie/id_token in OIDC/auth code, child_process from @actions/core, base64 WASM blobs — all expected for this action
Maintainer drift 1.0.4→1.0.5 Version-bump artifact, not publisher change

Checklist highlights

  • Obfuscation / eval / exfil: No eval() or new Function() in dist/chunk1.js; network/token usage matches documented trusted-publishing flow.
  • Unicode attacks: None detected.
  • Dependency integrity: Patch semver, valid tags, consistent commit history; no ghost version or typosquat.
  • Dependabot PR scope: Single workflow pin change; no unexpected local workflow or lockfile edits.

Recommendation: Approve and merge. Optional sanity check: run the build_crate job on a release workflow so the auth step still succeeds with v1.0.5.

Compatibility Analysis

I'll inspect how this action is used in the repo and compare it with the upstream v1.0.4→v1.0.5 changes.

Compatibility & adoption analysis — crates-io-auth-action 1.0.4 → 1.0.5

1) Usage in this repo

Single call site: .github/workflows/rust.yml, build_crate job.

      - uses: rust-lang/crates-io-auth-action@v1.0.5
        if: env.RELEASE == 'true'
        id: auth

      - name: Publish to crates.io
        if: env.RELEASE == 'true'
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
        # See comment above for why `--allow-dirty` is used.
        run: |
          cp -r src rust_bindings/cpp
          cargo publish -p chiavdf --allow-dirty
  • Purpose: OIDC-based crates.io trusted publishing on release.
  • Inputs used: none (defaults to https://crates.io).
  • Outputs used: tokenCARGO_REGISTRY_TOKEN.
  • Prerequisites already in place: workflow-level permissions: id-token: write; dry-run publish runs on every run; real auth/publish only when env.RELEASE == 'true'.

No other workflows reference this action.


2) Intersection with upstream changes

Upstream diff (v1.0.4..v1.0.5) shows no changes to:

  • action.yml (inputs/outputs contract)
  • src/ (application logic)
  • dist/main.js, dist/post.js (action entrypoints)

Changes are build/tooling only:

  • Dev deps: TypeScript 6, tsdown 0.22, @actions/core 3.0.0→3.0.1, lockfile maintenance
  • Upstream CI/renovate config (including links.yml accepting HTTP 403)
  • dist/chunk1.js repackaged (bundled deps), but entrypoints that import it are byte-identical

Local usage does not touch anything that changed:

  • Default url input — unchanged
  • token output — unchanged
  • No custom registry URL or other inputs

3) Risks / unknowns

Risk Severity Notes
Bundled runtime drift in dist/chunk1.js Low Only @actions/core patch bump; entrypoint logic unchanged
Auth path not exercised in PR CI Pre-existing Step is gated on RELEASE == 'true'; bump won't be validated until next release publish
Trusted publishing config on crates.io Pre-existing Required for release publish; unrelated to this patch
Malware scan warn Informational Heuristic hits on bundled JS; upstream is official rust-lang repo, patch-only tooling change

No breaking API changes, no new permissions, no new inputs required.


4) Recommendation: merge

Patch bump with no contract or source changes. Safe to adopt. The only validation gap (auth runs only on release) existed before this PR; confirm on the next release publish that OIDC token exchange succeeds.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 9
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 2
  • Resolved upstream range: bbd81622f20ce9e2dd9622e3218b975523e45bbe..c6f97d42243bad5fab37ca0427f495c86d5b1a18
  • Resolved refs: from=bbd81622f20ce9e2dd9622e3218b975523e45bbe to=c6f97d42243bad5fab37ca0427f495c86d5b1a18
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 198

Top findings

  • dist/chunk1.js:967 codepoint_decoder :: if ((this.code = key.charCodeAt(index)) > 127) throw new TypeError("key must be ascii string");
  • dist/chunk1.js:981 codepoint_decoder :: const code = key.charCodeAt(index);
  • dist/chunk1.js:1387 codepoint_decoder :: for (let i = 0; i < characters.length; ++i) if (!isTokenCharCode(characters.charCodeAt(i))) return false;
  • dist/chunk1.js:2681 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • dist/chunk1.js:3271 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • dist/chunk1.js:3273 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) --dataLength;
  • dist/chunk1.js:3373 codepoint_decoder :: if (leading) while (lead < str.length && predicate(str.charCodeAt(lead))) lead++;
  • dist/chunk1.js:3374 codepoint_decoder :: if (trailing) while (trail > 0 && predicate(str.charCodeAt(trail))) trail--;
  • dist/chunk1.js:3665 codepoint_decoder :: for (let index = 0; index < x.length; index++) if (x.charCodeAt(index) > 255) throw new TypeError(Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.);
  • dist/chunk1.js:3805 codepoint_decoder :: const code = url.charCodeAt(i);
  • dist/chunk1.js:3833 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • dist/chunk1.js:4363 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) return "failure";
  • dist/chunk1.js:4367 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/chunk1.js:4372 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) return "failure";
  • dist/chunk1.js:4376 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/chunk1.js:4472 codepoint_decoder :: if (position.position < input.length) if (input.charCodeAt(position.position) === 34) {
  • dist/chunk1.js:4476 codepoint_decoder :: assert$22(input.charCodeAt(position.position) === 44);
  • dist/chunk1.js:4799 codepoint_decoder :: for (let i = 0; i < chars.length; ++i) if ((chars.charCodeAt(i) & -128) !== 0) return false;
  • dist/chunk1.js:4810 codepoint_decoder :: const cp = boundary.charCodeAt(i);
  • dist/chunk1.js:9950 codepoint_decoder :: while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j;

@hoffmang9 hoffmang9 merged commit 21e617d into main Jun 23, 2026
67 checks passed
@hoffmang9 hoffmang9 deleted the dependabot/github_actions/rust-lang/crates-io-auth-action-1.0.5 branch June 23, 2026 19:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant