jobs/index/archive: Authenticate archive push via GitHub App #13489
Turbo87 merged 5 commits into rust-lang:main from
Note that I've tested this with https://github.com/rust-lang/staging.crates.io-index and https://github.com/rust-lang/staging.crates.io-index-archive and after an initial hiccup (see below), everything worked as intended. The hiccup was this: Apparently GitHub Apps are not allowed to push anything that changes GitHub Actions workflows, and since the index currently contained a workflow, but the archive didn't, the push failed. I've removed the workflow from the staging index and then it worked. The workflow isn't particularly helpful anymore anyway, since it only updates the
89dfb49 to 29ec4ed
29ec4ed to 803015d
Returns a `TemporaryRemote` RAII guard that removes the registered remote on drop. Any pre-existing remote with the same name is cleared first so a crash in a prior job does not block setup.
New workspace crate that mints installation access tokens for a GitHub App. Signs a short-lived RS256 JWT with the app's private key, resolves the org's installation id once, and caches the minted access token until shortly before expiry. The `GitHubApp` trait abstracts the HTTP interaction for testing; a `MockGitHubApp` is generated behind the `mock` feature. Not wired into the rest of the workspace yet.
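The caching rule the commit describes (mint once, reuse until shortly before expiry, then re-mint) is easy to get subtly wrong, so here is an added example that is not code from the PR or from crates.io. It is std-only Rust: the `TokenMinter` trait and `MockMinter` are assumptions standing in for the PR's `GitHubApp` and `MockGitHubApp`, the `ghs_constructed_*` token strings are constructed, and the RS256 JWT exchange itself is not reproduced because it needs an RSA library. What the example shows is the refresh decision: a token with less than `refresh_margin` left is treated as expired, and the mock's call counter proves only two mints happen across three requests.

```rust
use std::cell::RefCell;
use std::time::{Duration, Instant};

/// An installation access token together with the instant it stops being valid.
#[derive(Clone, Debug, PartialEq)]
pub struct AccessToken {
    pub token: String,
    pub expires_at: Instant,
}

/// Hypothetical trait for the HTTP side (assumption: stands in for the PR's
/// `GitHubApp`). A real implementation signs an RS256 JWT with the app's
/// private key and exchanges it for an installation access token.
pub trait TokenMinter {
    fn mint(&self, now: Instant) -> Result<AccessToken, String>;
}

/// Caches the minted token and re-mints only when less than `refresh_margin`
/// of its lifetime is left, so each job run does not cost an API call.
pub struct CachingClient<M: TokenMinter> {
    minter: M,
    refresh_margin: Duration,
    cached: RefCell<Option<AccessToken>>,
}

impl<M: TokenMinter> CachingClient<M> {
    pub fn new(minter: M, refresh_margin: Duration) -> Self {
        Self { minter, refresh_margin, cached: RefCell::new(None) }
    }

    /// Returns a token still valid for more than `refresh_margin` at `now`.
    pub fn installation_token(&self, now: Instant) -> Result<String, String> {
        if let Some(t) = self.cached.borrow().as_ref() {
            // checked_duration_since yields None once the token is already expired.
            let still_fresh = t
                .expires_at
                .checked_duration_since(now)
                .map_or(false, |left| left > self.refresh_margin);
            if still_fresh {
                return Ok(t.token.clone());
            }
        }
        let fresh = self.minter.mint(now)?;
        let token = fresh.token.clone();
        *self.cached.borrow_mut() = Some(fresh);
        Ok(token)
    }

    pub fn minter(&self) -> &M {
        &self.minter
    }
}

/// Constructed mock: numbered tokens valid for one hour, plus a call counter
/// so a test can check how often the "API" was hit.
pub struct MockMinter {
    pub calls: RefCell<u32>,
}

impl TokenMinter for MockMinter {
    fn mint(&self, now: Instant) -> Result<AccessToken, String> {
        *self.calls.borrow_mut() += 1;
        let n = *self.calls.borrow();
        Ok(AccessToken {
            token: format!("ghs_constructed_{}", n),
            expires_at: now + Duration::from_secs(3600),
        })
    }
}

/// Three requests: t=0 (mint), t=30min (cached), t=56m40s (under the
/// 5 minute margin, so mint again). Returns (mint count, tokens handed out).
pub fn demo() -> (u32, Vec<String>) {
    let start = Instant::now();
    let client = CachingClient::new(MockMinter { calls: RefCell::new(0) }, Duration::from_secs(300));
    let t1 = client.installation_token(start).unwrap();
    let t2 = client.installation_token(start + Duration::from_secs(1800)).unwrap();
    let t3 = client.installation_token(start + Duration::from_secs(3400)).unwrap();
    let calls = *client.minter().calls.borrow();
    (calls, vec![t1, t2, t3])
}

fn main() {
    let (calls, tokens) = demo();
    println!("{} mint(s); tokens handed out: {:?}", calls, tokens);
}
```

Passing `now` explicitly instead of calling `Instant::now()` inside the client is what makes the expiry path testable without sleeping; the same shape works for a real HTTP implementation of the trait.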
Adds a `github_app: Option<Box<dyn GitHubApp>>` field to `Environment` and populates it from `background-worker.rs` startup. When `GIT_ARCHIVE_REPO_URL` is set, both `GH_INDEX_SYNC_APP_CLIENT_ID` and `GH_INDEX_SYNC_APP_PRIVATE_KEY` must also be present; the org is parsed from the archive URL's first path segment and a `GitHubAppClient` is built from those inputs. When the archive URL is unset, `github_app` stays `None` and no credentials are required.
Adds a default `MockGitHubApp` to `TestAppBuilder` with a canned `installation_token` expectation, plus `with_github_app` for tests that need to override it (including clearing it via `None` to exercise the misconfig path).
The index SSH key used in production is a deploy key for the index repository, so it cannot push to the separate archive repository. Instead of minting a second SSH key plus user account with access to both repos, we registered a GitHub App scoped to both the index and archive repos. This job is the first consumer; the remaining index-writing jobs may switch from the deploy key to the app later. Mints an installation access token from `env.github_app` after fetching the snapshot branch, then pushes `FETCH_HEAD` to the archive repository over HTTPS via a temporary `archive` remote carrying `x-access-token` credentials. For URL schemes that do not accept userinfo (e.g. `file://` in tests), the job logs a warning and falls back to pushing without credentials. Fails loudly when `index_archive_url` is set but no GitHub App is configured, so a misconfigured worker does not silently skip the push.
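The pieces described across these commit messages (the `TemporaryRemote` RAII guard, the startup rule that an archive URL requires both app credentials and yields the org from the URL's first path segment, and the `x-access-token` push URL with a fallback for schemes that cannot carry userinfo) fit together as one worked example. This is added code, not the PR's or crates.io's implementation, and it is std-only Rust with no git binding: the `Remotes` table, `configure`, `with_access_token`, the `stale.example` entry and the `ghs_constructed_token` value are all constructed assumptions; the environment variable names and the `archive` remote name are the ones the PR uses.

```rust
use std::cell::RefCell;
use std::rc::Rc;

/// Startup outcome: no archive URL means no app is needed; an archive URL
/// requires both app credentials and the org parsed from the URL.
#[derive(Debug, PartialEq)]
pub enum AppConfig {
    Disabled,
    Enabled { org: String, client_id: String },
}

/// Mirrors the rule in the commit message for GIT_ARCHIVE_REPO_URL,
/// GH_INDEX_SYNC_APP_CLIENT_ID and GH_INDEX_SYNC_APP_PRIVATE_KEY.
pub fn configure(
    archive_url: Option<&str>,
    client_id: Option<&str>,
    private_key: Option<&str>,
) -> Result<AppConfig, String> {
    let url = match archive_url {
        None => return Ok(AppConfig::Disabled),
        Some(u) => u,
    };
    let org = org_from_url(url)?;
    match (client_id, private_key) {
        (Some(id), Some(_pem)) => Ok(AppConfig::Enabled { org, client_id: id.to_string() }),
        _ => Err("GIT_ARCHIVE_REPO_URL is set, so GH_INDEX_SYNC_APP_CLIENT_ID and \
                 GH_INDEX_SYNC_APP_PRIVATE_KEY must both be set"
            .to_string()),
    }
}

fn split_scheme(url: &str) -> Result<(&str, &str), String> {
    url.split_once("://").ok_or_else(|| format!("URL has no scheme: {}", url))
}

/// First path segment after the host, e.g. `rust-lang` for
/// `https://github.com/rust-lang/staging.crates.io-index-archive`.
pub fn org_from_url(url: &str) -> Result<String, String> {
    let (_, rest) = split_scheme(url)?;
    let mut parts = rest.splitn(3, '/'); // host, org, remainder
    let _host = parts.next();
    match parts.next() {
        Some(org) if !org.is_empty() => Ok(org.to_string()),
        _ => Err(format!("cannot determine GitHub org from {}", url)),
    }
}

/// Push URL with `x-access-token:<token>` as userinfo. Only http(s) carries
/// userinfo; for anything else (`file://` in tests) returns Ok(None) so the
/// caller can log a warning and push without credentials.
pub fn with_access_token(url: &str, token: &str) -> Result<Option<String>, String> {
    let (scheme, rest) = split_scheme(url)?;
    if !matches!(scheme, "http" | "https") {
        return Ok(None);
    }
    if rest.contains('@') {
        return Err(format!("archive URL already carries userinfo: {}", url));
    }
    // Installation tokens are plain ASCII, so no percent-encoding is needed.
    Ok(Some(format!("{}://x-access-token:{}@{}", scheme, token, rest)))
}

/// Constructed stand-in for the repository's remote table: (name, url).
pub type Remotes = Rc<RefCell<Vec<(String, String)>>>;

/// RAII guard in the spirit of the PR's `TemporaryRemote`: clears any stale
/// remote of the same name, registers the new one, removes it on drop.
pub struct TemporaryRemote {
    remotes: Remotes,
    name: String,
}

impl TemporaryRemote {
    pub fn new(remotes: &Remotes, name: &str, url: &str) -> Self {
        let mut table = remotes.borrow_mut();
        table.retain(|(n, _)| n != name);
        table.push((name.to_string(), url.to_string()));
        Self { remotes: Rc::clone(remotes), name: name.to_string() }
    }
}

impl Drop for TemporaryRemote {
    fn drop(&mut self) {
        self.remotes.borrow_mut().retain(|(n, _)| n != &self.name);
    }
}

/// Runs the setup against a table that still holds a stale `archive` entry.
/// Returns (remotes while the guard lives, remotes after drop, push URL).
pub fn demo_push_setup() -> Result<(usize, usize, Option<String>), String> {
    let remotes: Remotes = Rc::new(RefCell::new(vec![(
        "archive".to_string(),
        "https://stale.example/old".to_string(),
    )]));
    let url = "https://github.com/rust-lang/staging.crates.io-index-archive";
    let _cfg = configure(Some(url), Some("constructed-client-id"), Some("constructed-pem"))?;
    let push_url = with_access_token(url, "ghs_constructed_token")?;
    let during;
    {
        let _remote = TemporaryRemote::new(&remotes, "archive", push_url.as_deref().unwrap_or(url));
        during = remotes.borrow().len(); // stale entry replaced, not duplicated
    }
    let after = remotes.borrow().len(); // guard dropped, remote gone
    Ok((during, after, push_url))
}

fn main() {
    println!("{:?}", demo_push_setup());
}
```

Two details matter for the defensive behaviour the commit message wants: `configure` errors rather than returning `Disabled` when the archive URL is present without credentials, and the guard's `Drop` runs on the error path too, so a failed push never leaves a remote with an embedded token behind in the repository config.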
803015d to 78fae34
This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed. Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.
The index SSH key used in production is a deploy key for the index repository, so it cannot push to the separate archive repository. Instead of minting a second SSH key plus user account with access to both repos, we registered a GitHub App scoped to both the index and archive repos. This job is the first consumer; the remaining index-writing jobs may switch from the deploy key to the app later.
Mints an installation access token from `GH_INDEX_SYNC_APP_CLIENT_ID` and `GH_INDEX_SYNC_APP_PRIVATE_KEY` after fetching the snapshot branch, then pushes `FETCH_HEAD` to the archive repository over HTTPS via a temporary `archive` remote carrying `x-access-token` credentials. For URL schemes that do not accept userinfo (e.g. `file://` in tests), the job logs a warning and falls back to pushing without credentials.
Fails loudly when `index_archive_url` is set but no GitHub App is configured, so a misconfigured worker does not silently skip the push.
Related
`ArchiveIndexBranch` background job #13472