jobs/index/archive: Authenticate archive push via GitHub App

The index SSH key used in production is a deploy key for the index
repository, so it cannot push to the separate archive repository.
Instead of minting a second SSH key plus user account with access to
both repos, we registered a GitHub App scoped to both the index and
archive repos. This job is the first consumer; the remaining
index-writing jobs may switch from the deploy key to the app later.

Mints an installation access token from `env.github_app` after
fetching the snapshot branch, then pushes `FETCH_HEAD` to the archive
repository over HTTPS via a temporary `archive` remote carrying
`x-access-token` credentials. For URL schemes that do not accept
userinfo (e.g. `file://` in tests), the job logs a warning and falls
back to pushing without credentials.

Fails loudly when `index_archive_url` is set but no GitHub App is
configured, so a misconfigured worker does not silently skip the push.

Author: Turbo87

src/config/server.rs

@@ -138,8 +138,10 @@ impl Server {
     ///   by an operator (e.g. `/crates/{crate_id}/{version}/download`).
     /// - `DISABLE_TOKEN_CREATION`: If set to any non-empty value, disables API token creation
     ///   and uses the value as the error message returned to users.
-    /// - `GIT_ARCHIVE_REPO_URL`: URL of a git repository to mirror the crate index's snapshot
-    ///   branches to. If unset the `ArchiveIndexBranch` background job is a no-op.
+    /// - `GIT_ARCHIVE_REPO_URL`: HTTPS URL (e.g. `https://github.com/<org>/<repo>.git`) of a git
+    ///   repository to mirror the crate index's snapshot branches to. Must be HTTPS because the
+    ///   `ArchiveIndexBranch` job authenticates via a GitHub App installation token; SSH remotes
+    ///   are not supported. If unset the job is a no-op.
     ///
     /// # Panics
     ///

src/tests/worker/archive_index_branch.rs

@@ -57,6 +57,33 @@ async fn archive_index_branch_without_url_configured() {
     app.run_pending_background_jobs().await;
 }
 
+/// With an archive URL configured but no GitHub App wired into the
+/// environment, the job should fail loudly rather than push without
+/// authentication.
+#[tokio::test(flavor = "multi_thread")]
+async fn archive_index_branch_without_github_app() {
+    let archive = UpstreamIndex::new().unwrap();
+    let archive_url = archive.url();
+
+    let (app, _) = TestApp::full()
+        .with_config(|c| c.index_archive_url = Some(archive_url))
+        .with_github_app(None)
+        .empty()
+        .await;
+
+    let mut conn = app.db_conn().await;
+    seed_snapshot_branch(app.upstream_index());
+
+    let job = jobs::ArchiveIndexBranch::new(SNAPSHOT_BRANCH);
+    assert_ok!(job.enqueue(&conn).await);
+    assert_snapshot!(app.try_run_pending_background_jobs().await.unwrap_err(), @"1 jobs failed");
+
+    diesel::delete(background_jobs::table)
+        .execute(&mut conn)
+        .await
+        .unwrap();
+}
+
 /// If the requested branch does not exist on origin, the job should fail so
 /// that an operator typo or a stale enqueue produces loud feedback rather
 /// than a silent success.

src/worker/jobs/index/archive.rs

@@ -1,10 +1,15 @@
 use crate::tasks::spawn_blocking;
 use crate::worker::Environment;
+use anyhow::anyhow;
 use crates_io_worker::BackgroundJob;
+use secrecy::ExposeSecret;
 use serde::{Deserialize, Serialize};
 use std::process::Command;
 use std::sync::Arc;
-use tracing::{info, instrument};
+use tracing::{info, instrument, warn};
+use url::Url;
+
+const REMOTE_NAME: &str = "archive";
 
 #[derive(Serialize, Deserialize)]
 pub struct ArchiveIndexBranch {
@@ -35,17 +40,36 @@ impl BackgroundJob for ArchiveIndexBranch {
             return Ok(());
         };
 
+        let Some(github_app) = env.github_app.as_ref() else {
+            return Err(anyhow!(
+                "`index_archive_url` is set but GitHub App is not configured"
+            ));
+        };
+        let github_app = github_app.clone();
+
         info!(%archive_url, "Pushing snapshot to archive repository");
 
         let branch = self.branch.clone();
+        let handle = tokio::runtime::Handle::current();
+
         spawn_blocking(move || {
             let repo = env.lock_index()?;
 
             repo.run_command(Command::new("git").args(["fetch", "origin", &branch]))?;
 
+            let token = handle.block_on(github_app.installation_token())?;
+            let push_url = match build_credentialed_url(&archive_url, token.expose_secret()) {
+                Ok(url) => url,
+                Err(()) => {
+                    warn!(%archive_url, "Archive URL does not support credentials; pushing without auth");
+                    archive_url.clone()
+                }
+            };
+
+            let _remote = repo.add_temporary_remote(REMOTE_NAME, &push_url)?;
             repo.run_command(Command::new("git").args([
                 "push",
-                archive_url.as_str(),
+                REMOTE_NAME,
                 &format!("FETCH_HEAD:refs/heads/{branch}"),
             ]))?;
 
@@ -55,3 +79,33 @@ impl BackgroundJob for ArchiveIndexBranch {
         .await?
     }
 }
+
+/// Return a copy of `base` with `x-access-token` / `token` embedded as the
+/// HTTPS credentials git consumes when pushing. Returns `Err(())` when the
+/// URL scheme does not allow userinfo (e.g. `file://`).
+fn build_credentialed_url(base: &Url, token: &str) -> Result<Url, ()> {
+    let mut url = base.clone();
+    url.set_username("x-access-token")?;
+    url.set_password(Some(token))?;
+    Ok(url)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use claims::assert_err;
+    use insta::assert_snapshot;
+
+    #[test]
+    fn build_credentialed_url_https() {
+        let url: Url = "https://github.com/rust-lang/archive.git".parse().unwrap();
+        let credentialed = build_credentialed_url(&url, "tok").unwrap();
+        assert_snapshot!(credentialed, @"https://x-access-token:tok@github.com/rust-lang/archive.git");
+    }
+
+    #[test]
+    fn build_credentialed_url_file_rejected() {
+        let url: Url = "file:///tmp/archive".parse().unwrap();
+        assert_err!(build_credentialed_url(&url, "tok"));
+    }
+}