Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.
Sarah Gooding
July 16, 2025
The Rust ecosystem’s central package registry just got a major security upgrade: crates.io now officially supports Trusted Publishing, a more secure CI/CD authentication method that eliminates the need for long-lived API tokens.
Crates.io has become one of the most active and high-volume package registries in open source. As of July 2025, it hosts more than 189,000 crates and has served over 151 billion downloads. With such a massive volume of developer activity, and a growing number of automated publishing pipelines, ensuring secure authentication has become essential.
Trusted Publishing replaces manually managed credentials with short-lived tokens issued via OpenID Connect (OIDC), allowing trusted GitHub repositories to request ephemeral publishing tokens from crates.io during CI workflows. This eliminates the need to store permanent secrets in GitHub Actions.
“Trusted Publishing eliminates the need for GitHub Actions secrets when publishing crates from your CI/CD pipeline,” wrote Tobias Bieniek, on behalf of the crates.io team. “We have built it in a way that allows other CI/CD providers like GitLab CI to be supported in the future.”
The traditional approach to publishing Rust crates required maintainers to create long-lived API tokens, often copied manually into CI environments. This came with several inherent risks:
Tokens had no expiration and could be reused indefinitely
They were valid from any source once leaked
Manual setup made automation error-prone
Revocation had to be done manually if tokens were compromised
Rust learned this lesson the hard way. In 2020, a security incident involving token storage on crates.io forced the team to revoke all existing tokens after discovering that API keys were stored in plaintext. While this was fixed swiftly, the incident highlighted the fragility of relying on long-lived credentials.
Trusted Publishing eliminates these issues by using short-lived tokens that are scoped, issued only from a trusted CI/CD environment, and automatically expire after use. As seen in other ecosystems like PyPI, this shift significantly lowers the risk of credential compromise.
To configure Trusted Publishing, crate maintainers must first publish a release manually, then link their GitHub repository in the crates.io UI. Subsequent releases can be published directly from GitHub Actions using the crates-io-auth-action. Detailed setup instructions are available at crates.io/docs/trusted-publishing.
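The publishing step described above, as an added workflow example (not taken from the page or from the crates.io team's own documentation). It assumes the crate has already been published once and linked to this repository in the crates.io UI, that the workflow file is saved as .github/workflows/publish.yml (the file name, the tag pattern and the optional environment name "release" are assumptions and must match what was entered when the Trusted Publisher was configured), and that the crates-io-auth-action exposes the short-lived token as the step output `token`:

```yaml
# .github/workflows/publish.yml (assumed file name; added example, not crates.io's own)
name: Publish to crates.io

on:
  push:
    tags:
      - "v*"            # assumption: releases are cut from version tags

jobs:
  publish:
    runs-on: ubuntu-latest
    # Optional: bind the trusted publisher to a GitHub environment so that
    # environment protection rules (reviewers, branch restrictions) gate the release.
    environment: release
    permissions:
      # Required: lets the job request an OIDC token from GitHub, which the
      # action exchanges for a short-lived crates.io publishing token.
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      # Exchanges the workflow's OIDC identity for an ephemeral crates.io token.
      # No CARGO_REGISTRY_TOKEN secret is stored in the repository.
      - uses: rust-lang/crates-io-auth-action@v1
        id: auth

      # cargo reads the token from the environment; it expires on its own,
      # so there is nothing to rotate or revoke afterwards.
      - run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
```

The `id-token: write` permission is what makes the flow work: without it GitHub issues no OIDC token and the auth step fails before anything reaches crates.io. Keeping the permission scoped to this one job, rather than granting it at the workflow level, limits which steps can mint a publishing credential.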
Rust joins a growing list of ecosystems adopting Trusted Publishing. PyPI introduced the model in 2023 and now has over 16,000 projects using it. RubyGems followed later that year, and Dart’s pub.dev has also implemented a similar flow.
According to the "Are we PEP 740 yet?" tracking tool, 86 of the top 360 most-downloaded packages on PyPI have been uploaded with attestations, which are built on top of Sigstore and use short-lived signing keys bound to trusted identities (like Trusted Publishers). This number is up 309% from 21 in November 2024.
The OpenSSF Securing Software Repositories Working Group has endorsed this approach and published a detailed guide to help package registries adopt it. Benefits include:
Ephemeral credentials that automatically expire
No more shared secrets in CI environments
The repository becomes the source of truth for releases
Easier transitions when maintainers change
Rust’s implementation currently supports GitHub Actions, with planned expansion to GitLab, CircleCI, and other CI/CD platforms in the future.
Trusted Publishing isn’t the only recent improvement to crates.io. The latest development update also includes:
Dynamic OpenGraph images for each crate, showing metadata like version, license, keywords, and crate size
One-click docs.rs rebuilds from the crate version list
GitHub-style alert blocks (NOTE, WARNING, CAUTION) now rendered in crate README files
Refactored email templating system using minijinja, with HTML support coming soon
SemVer sorting optimizations using PostgreSQL JSONB indexing for better performance
As software supply chain attacks grow more frequent and sophisticated, the burden of security cannot rest on individual developers alone. Trusted Publishing offers a scalable, standards-based solution that makes strong security easier to adopt. With PyPI, RubyGems, pub.dev, and now crates.io on board, the model is proving both technically sound and broadly adoptable.