Open
Description
This is a tracking issue for the RFC "crates.io: Trusted Publishing Support" (rust-lang/rfcs#3691).
About tracking issues
Tracking issues are used to record the overall progress of implementation.
They are also used as hubs connecting to other relevant issues, e.g., bugs or open design questions.
A tracking issue is however not meant for large scale discussion, questions, or bug reports about a feature.
Instead, open a dedicated issue for the specific matter and add the relevant feature gate label.
Discussion comments will get marked as off-topic or deleted.
Repeated discussions on the tracking issue may lead to the tracking issue getting locked.
Steps
- Implement backend support in crates.io
  - Add database table for (GitHub Actions) trusted publishing configs (Create "Trusted Publishing" database tables #11062)
  - Implement API endpoint to create trusted publishing config (incl. email notification) (Add PUT /api/v1/trusted_publishing/github_configs API endpoint #11113)
  - Implement API endpoint to delete trusted publishing config (incl. email notification) (Add DELETE /api/v1/trusted_publishing/github_configs/{id} API endpoint #11209)
  - Implement API endpoint to list trusted publishing configs (Add GET /api/v1/trusted_publishing/github_configs API endpoint #11230)
  - Add database table for temporary access tokens (Create "Trusted Publishing" database tables #11062)
  - Add database table for used OIDC token IDs (Create "Trusted Publishing" database tables #11062)
  - Implement API endpoint to exchange GHA OIDC token for temporary access token (Add PUT /api/v1/trusted_publishing/tokens API endpoint #11131)
  - Adjust exchange API endpoint to save used OIDC token IDs and reject replays (Add PUT /api/v1/trusted_publishing/tokens API endpoint #11131)
  - Implement API endpoint to revoke temporary access token (Add DELETE /api/v1/trusted_publishing/tokens API endpoint #11234)
  - Adjust publish API endpoint to accept temporary access tokens
  - Implement regular background job to delete expired temporary access tokens and OIDC token IDs (Add trustpub::DeleteExpiredJtis/Tokens background jobs #11222)
  - Adjust GitHub Secret Scanning endpoints to work with temporary access tokens too
- Implement frontend UI in crates.io
  - Implement route to list trusted publishing configs
  - Implement route to create trusted publishing config
  - Implement button to delete trusted publishing config
- Implement GitHub Action
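The token-exchange steps above (match the OIDC token against a stored config, reject replayed token IDs, issue and revoke temporary tokens, and the background job that deletes expired rows), modelled as an added in-memory Rust example; this is not crates.io's own code. The claim names, the workflow_ref matching rule, the token format and the 30-minute lifetime are assumptions made for the example.

```rust
use std::collections::HashMap;

/// Claims of a GitHub Actions OIDC token whose signature was already verified (constructed;
/// claim names and the workflow_ref format "owner/repo/.github/workflows/<file>@<ref>" are assumptions).
#[derive(Clone, Debug)]
pub struct OidcClaims { pub jti: String, pub repository: String, pub workflow_ref: String, pub exp: u64 }
/// One trusted publishing config (repository + workflow file), as the github_configs endpoints store it.
pub struct GitHubConfig { pub repository: String, pub workflow_filename: String }
#[derive(Debug, PartialEq)]
pub enum ExchangeError { Expired, Replay, NoMatchingConfig }
/// In-memory stand-in for the configs, used-jti and temporary-token tables named on the page.
pub struct TrustPubStore {
    configs: Vec<GitHubConfig>,
    used_jtis: HashMap<String, u64>, // jti -> OIDC token expiry (Unix seconds)
    tokens: HashMap<String, u64>,    // temporary token -> expiry (Unix seconds)
    issued: u64,
}

impl TrustPubStore {
    pub fn new(configs: Vec<GitHubConfig>) -> Self { Self { configs, used_jtis: HashMap::new(), tokens: HashMap::new(), issued: 0 } }
    /// PUT /api/v1/trusted_publishing/tokens: exchange an OIDC token for a temporary token.
    pub fn exchange(&mut self, c: &OidcClaims, now: u64) -> Result<String, ExchangeError> {
        if c.exp <= now { return Err(ExchangeError::Expired); }
        // A jti seen before is rejected even if the token is otherwise valid.
        if self.used_jtis.contains_key(&c.jti) { return Err(ExchangeError::Replay); }
        let prefix = |g: &GitHubConfig| format!("{}/.github/workflows/{}@", g.repository, g.workflow_filename);
        if !self.configs.iter().any(|g| g.repository == c.repository && c.workflow_ref.starts_with(&prefix(g))) {
            return Err(ExchangeError::NoMatchingConfig);
        }
        // Keep the jti for as long as the OIDC token itself could still be presented.
        self.used_jtis.insert(c.jti.clone(), c.exp);
        self.issued += 1;
        let token = format!("cio_tp_{}", self.issued); // placeholder token format
        self.tokens.insert(token.clone(), now + 30 * 60); // assumed 30-minute lifetime
        Ok(token)
    }
    /// Publish endpoint check: the temporary token must exist and not be expired.
    pub fn is_valid(&self, token: &str, now: u64) -> bool {
        self.tokens.get(token).map_or(false, |&exp| exp > now)
    }
    /// DELETE /api/v1/trusted_publishing/tokens: revoke a temporary token early.
    pub fn revoke(&mut self, token: &str) -> bool { self.tokens.remove(token).is_some() }
    /// Background job: drop expired temporary tokens and jtis that can no longer be replayed.
    pub fn delete_expired(&mut self, now: u64) -> (usize, usize) {
        let (t0, j0) = (self.tokens.len(), self.used_jtis.len());
        self.tokens.retain(|_, exp| *exp > now);
        self.used_jtis.retain(|_, exp| *exp > now);
        (t0 - self.tokens.len(), j0 - self.used_jtis.len())
    }
}
```

Used jtis are retained until the OIDC token's own exp, so a deleted row can only ever correspond to a token the expiry check would reject anyway.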
Unresolved Questions
None? (see https://rust-lang.github.io/rfcs/3691-trusted-publishing-cratesio.html#unresolved-questions)