Create "Trusted Publishing" database tables

Turbo87 · Turbo87 · commit 73782472ca01 · 2025-04-25T09:31:32.000+02:00
diff --git a/crates/crates_io_database/src/schema.patch b/crates/crates_io_database/src/schema.patch
@@ -1,6 +1,6 @@
 --- original
 +++ patched
-@@ -21,9 +21,7 @@
+@@ -14,9 +14,7 @@
      /// The `pg_catalog.tsvector` SQL type
      ///
      /// (Automatically generated by Diesel.)
@@ -11,7 +11,7 @@
  }
 
  diesel::table! {
-@@ -74,9 +72,9 @@
+@@ -67,9 +65,9 @@
          /// (Automatically generated by Diesel.)
          revoked -> Bool,
          /// NULL or an array of crate scope patterns (see RFC #2947)
@@ -23,7 +23,7 @@
          /// The `expired_at` column of the `api_tokens` table.
          ///
          /// Its SQL type is `Nullable<Timestamptz>`.
-@@ -180,12 +178,6 @@
+@@ -175,12 +173,6 @@
          ///
          /// (Automatically generated by Diesel.)
          created_at -> Timestamptz,
@@ -36,7 +36,7 @@
      }
  }
 
-@@ -476,7 +468,7 @@
+@@ -483,7 +475,7 @@
          /// Its SQL type is `Array<Nullable<Text>>`.
          ///
          /// (Automatically generated by Diesel.)
@@ -45,7 +45,7 @@
          /// The `target` column of the `dependencies` table.
          ///
          /// Its SQL type is `Nullable<Varchar>`.
-@@ -703,6 +695,24 @@
+@@ -748,6 +740,24 @@
  }
 
  diesel::table! {
@@ -70,7 +70,7 @@
      /// Representation of the `reserved_crate_names` table.
      ///
      /// (Automatically generated by Diesel.)
-@@ -1018,7 +1028,8 @@
+@@ -1094,7 +1104,8 @@
  diesel::joinable!(crate_downloads -> crates (crate_id));
  diesel::joinable!(crate_owner_invitations -> crates (crate_id));
  diesel::joinable!(crate_owners -> crates (crate_id));
@@ -80,19 +80,19 @@
  diesel::joinable!(crates_categories -> categories (category_id));
  diesel::joinable!(crates_categories -> crates (crate_id));
  diesel::joinable!(crates_keywords -> crates (crate_id));
-@@ -1031,6 +1042,7 @@
+@@ -1112,6 +1123,7 @@
  diesel::joinable!(publish_limit_buckets -> users (user_id));
  diesel::joinable!(publish_rate_overrides -> users (user_id));
  diesel::joinable!(readme_renderings -> versions (version_id));
 +diesel::joinable!(recent_crate_downloads -> crates (crate_id));
  diesel::joinable!(version_downloads -> versions (version_id));
  diesel::joinable!(version_owner_actions -> api_tokens (api_token_id));
  diesel::joinable!(version_owner_actions -> users (user_id));
-@@ -1058,6 +1070,7 @@
+@@ -1143,6 +1155,7 @@
      publish_limit_buckets,
      publish_rate_overrides,
      readme_renderings,
 +    recent_crate_downloads,
      reserved_crate_names,
      teams,
-     users,
+     used_oidc_jti,
diff --git a/crates/crates_io_database/src/schema.rs b/crates/crates_io_database/src/schema.rs
@@ -561,6 +561,28 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    /// Trusted Publisher OIDC configuration for GitHub Actions
+    github_oidc_configs (id) {
+        /// Unique identifier of the `github_oidc_configs` row
+        id -> Int4,
+        /// Unique identifier of the crate that this configuration is for
+        crate_id -> Int4,
+        /// GitHub user or organization that owns the repository
+        repository_owner -> Varchar,
+        /// Unique identifier of the user or organization that owns the repository
+        repository_owner_id -> Int4,
+        /// Name of the repository that this configuration is for
+        repository_name -> Varchar,
+        /// Name of the workflow file inside the repository that will be used to publish the crate
+        workflow_filename -> Varchar,
+        /// Optional publish environment that will be used to publish the crate
+        environment -> Nullable<Varchar>,
+        /// Date and time when the configuration was created
+        created_at -> Timestamptz,
+    }
+}
+
 diesel::table! {
     /// Representation of the `keywords` table.
     ///
@@ -607,6 +629,22 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    /// Temporary access tokens for OIDC-based publishing (aka. Trusted Publishing)
+    oidc_tokens (id) {
+        /// Unique identifier of the `oidc_tokens` row
+        id -> Int8,
+        /// Unique identifier of the crate that can be published using this token
+        crate_id -> Int4,
+        /// SHA256 hash of the token that can be used to publish the crate
+        hashed_token -> Bytea,
+        /// Date and time when the token was created
+        created_at -> Timestamptz,
+        /// Date and time when the token will expire
+        expires_at -> Timestamptz,
+    }
+}
+
 diesel::table! {
     /// List of all processed CDN log files, used to avoid processing the same file multiple times.
     processed_log_files (path) {
@@ -765,6 +803,20 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    /// Used OIDC JWT IDs to prevent token reuse
+    used_oidc_jti (id) {
+        /// Unique identifier of the `used_oidc_jti` row
+        id -> Int8,
+        /// JWT ID from the OIDC token
+        jti -> Varchar,
+        /// Date and time when the JWT was used
+        used_at -> Timestamptz,
+        /// Date and time when the JWT would expire
+        expires_at -> Timestamptz,
+    }
+}
+
 diesel::table! {
     /// Representation of the `users` table.
     ///
@@ -1066,6 +1118,8 @@ diesel::joinable!(dependencies -> versions (version_id));
 diesel::joinable!(emails -> users (user_id));
 diesel::joinable!(follows -> crates (crate_id));
 diesel::joinable!(follows -> users (user_id));
+diesel::joinable!(github_oidc_configs -> crates (crate_id));
+diesel::joinable!(oidc_tokens -> crates (crate_id));
 diesel::joinable!(publish_limit_buckets -> users (user_id));
 diesel::joinable!(publish_rate_overrides -> users (user_id));
 diesel::joinable!(readme_renderings -> versions (version_id));
@@ -1093,15 +1147,18 @@ diesel::allow_tables_to_appear_in_same_query!(
     dependencies,
     emails,
     follows,
+    github_oidc_configs,
     keywords,
     metadata,
+    oidc_tokens,
     processed_log_files,
     publish_limit_buckets,
     publish_rate_overrides,
     readme_renderings,
     recent_crate_downloads,
     reserved_crate_names,
     teams,
+    used_oidc_jti,
     users,
     version_downloads,
     version_owner_actions,
diff --git a/crates/crates_io_database_dump/src/dump-db.toml b/crates/crates_io_database_dump/src/dump-db.toml
@@ -148,6 +148,18 @@ token_generated_at = "private"
 user_id = "private"
 crate_id = "private"
 
+[github_oidc_configs]
+dependencies = ["crates"]
+[github_oidc_configs.columns]
+id = "private"
+crate_id = "private"
+repository_owner = "private"
+repository_owner_id = "private"
+repository_name = "private"
+workflow_filename = "private"
+environment = "private"
+created_at = "private"
+
 [keywords.columns]
 id = "public"
 keyword = "public"
@@ -157,6 +169,15 @@ created_at = "public"
 [metadata.columns]
 total_downloads = "public"
 
+[oidc_tokens]
+dependencies = ["crates"]
+[oidc_tokens.columns]
+id = "private"
+crate_id = "private"
+hashed_token = "private"
+created_at = "private"
+expires_at = "private"
+
 [processed_log_files.columns]
 path = "private"
 time = "private"
@@ -209,6 +230,12 @@ publish_notifications = "private"
 [users.column_defaults]
 gh_access_token = "''"
 
+[used_oidc_jti.columns]
+id = "private"
+jti = "private"
+used_at = "private"
+expires_at = "private"
+
 [version_downloads]
 dependencies = ["versions"]
 [version_downloads.columns]
diff --git a/migrations/2025-04-25-090000_trusted-publishing/down.sql b/migrations/2025-04-25-090000_trusted-publishing/down.sql
@@ -0,0 +1,3 @@
+drop table github_oidc_configs;
+drop table oidc_tokens;
+drop table used_oidc_jti;
diff --git a/migrations/2025-04-25-090000_trusted-publishing/up.sql b/migrations/2025-04-25-090000_trusted-publishing/up.sql
@@ -0,0 +1,64 @@
+create table github_oidc_configs
+(
+    id serial primary key,
+    created_at timestamptz not null default now(),
+    crate_id int not null references crates on delete cascade,
+    repository_owner varchar not null,
+    repository_owner_id int not null,
+    repository_name varchar not null,
+    workflow_filename varchar not null,
+    environment varchar
+);
+
+comment on table github_oidc_configs is 'Trusted Publisher OIDC configuration for GitHub Actions';
+comment on column github_oidc_configs.id is 'Unique identifier of the `github_oidc_configs` row';
+comment on column github_oidc_configs.created_at is 'Date and time when the configuration was created';
+comment on column github_oidc_configs.crate_id is 'Unique identifier of the crate that this configuration is for';
+comment on column github_oidc_configs.repository_owner is 'GitHub name of the user or organization that owns the repository';
+comment on column github_oidc_configs.repository_owner_id is 'GitHub ID of the user or organization that owns the repository';
+comment on column github_oidc_configs.repository_name is 'Name of the repository that this configuration is for';
+comment on column github_oidc_configs.workflow_filename is 'Name of the workflow file inside the repository that will be used to publish the crate';
+comment on column github_oidc_configs.environment is 'GitHub Actions environment that will be used to publish the crate (if `NULL` the environment is unrestricted)';
+
+create index github_oidc_configs_repository_owner_id_repository_name_index
+    on github_oidc_configs (repository_owner_id, repository_name);
+
+-------------------------------------------------------------------------------
+
+create table oidc_tokens
+(
+    id bigserial primary key,
+    created_at timestamptz not null default now(),
+    crate_id int not null references crates on delete cascade,
+    hashed_token bytea not null,
+    expires_at timestamptz not null
+);
+
+comment on table oidc_tokens is 'Temporary access tokens for OIDC-based publishing (aka. Trusted Publishing)';
+comment on column oidc_tokens.id is 'Unique identifier of the `oidc_tokens` row';
+comment on column oidc_tokens.created_at is 'Date and time when the token was created';
+comment on column oidc_tokens.crate_id is 'Unique identifier of the crate that can be published using this token';
+comment on column oidc_tokens.hashed_token is 'SHA256 hash of the token that can be used to publish the crate';
+comment on column oidc_tokens.expires_at is 'Date and time when the token will expire';
+
+create unique index oidc_tokens_crate_id_hashed_token_uindex
+    on oidc_tokens (crate_id, hashed_token);
+
+-------------------------------------------------------------------------------
+
+create table used_oidc_jti
+(
+    id bigserial primary key,
+    jti varchar not null,
+    used_at timestamptz not null default now(),
+    expires_at timestamptz not null
+);
+
+comment on table used_oidc_jti is 'Used OIDC JWT IDs to prevent token reuse';
+comment on column used_oidc_jti.id is 'Unique identifier of the `used_oidc_jti` row';
+comment on column used_oidc_jti.jti is 'JWT ID from the OIDC token';
+comment on column used_oidc_jti.used_at is 'Date and time when the JWT was used';
+comment on column used_oidc_jti.expires_at is 'Date and time when the JWT would expire';
+
+create unique index used_oidc_jti_jti_uindex
+    on used_oidc_jti (jti);

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+drop table github_oidc_configs;`
	`2`	`+drop table oidc_tokens;`
	`3`	`+drop table used_oidc_jti;`