{"id":13998572,"url":"https://github.com/katyo/publish-crates","last_synced_at":"2026-02-25T13:34:16.571Z","repository":{"id":37088958,"uuid":"298865777","full_name":"katyo/publish-crates","owner":"katyo","description":"GitHub action to get easy publishing of Rust crates","archived":false,"fork":false,"pushed_at":"2025-01-14T15:01:33.000Z","size":2008,"stargazers_count":77,"open_issues_count":17,"forks_count":22,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-29T15:40:49.419Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/katyo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-26T17:30:33.000Z","updated_at":"2025-04-15T07:32:34.000Z","dependencies_parsed_at":"2024-02-25T08:25:38.773Z","dependency_job_id":"9677d64a-7a4d-4a3a-b219-a934d927559a","html_url":"https://github.com/katyo/publish-crates","commit_stats":{"total_commits":322,"total_committers":12,"mean_commits":"26.833333333333332","dds":"0.26708074534161486","last_synced_commit":"93732b1aad8551d028a5b440f133c4c6ce28fe48"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":"actions/typescript-action","purl":"pkg:github/katyo/publish-crates","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/katyo%2Fpublish-crates","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/katyo%2Fpublish-crates/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/katyo%2Fpublish-crates/rele
ases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/katyo%2Fpublish-crates/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/katyo","download_url":"https://codeload.github.com/katyo/publish-crates/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/katyo%2Fpublish-crates/sbom","scorecard":{"id":551755,"data":{"date":"2025-08-11","repo":{"name":"github.com/katyo/publish-crates","commit":"5e67639f17e8a1f221e804c2bd47f7a253e45dac"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.6,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":3,"reason":"Found 10/26 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:30","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:31","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:58: update your workflow using 
https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/katyo/publish-crates/test.yml/main?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/test.yml:16","Info:   0 out of  10 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 npmCommand dependencies 
pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 1 commits out of 15 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"13 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672","Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7","Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975","Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3","Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T11:04:59.390Z","repository_id":37088958,"created_at":"2025-08-20T11:04:59.390Z","updated_at":"2025-08-20T11:04:59.390Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271441612,"owners_count":24760343,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-21T02:00:08.990Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-09T19:01:47.299Z","updated_at":"2026-02-25T13:34:16.503Z","avatar_url":"https://github.com/katyo.png","language":"TypeScript","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"readme":"[![License: MIT](https://img.shields.io/badge/License-MIT-brightgreen.svg)](https://opensource.org/licenses/MIT)\n[![CI Status](https://github.com/katyo/publish-crates/workflows/build-test/badge.svg)](https://github.com/katyo/publish-crates/actions)\n\n# Publish Rust crates using GitHub Actions\n\nThe action uses [`cargo metadata`](https://doc.rust-lang.org/cargo/commands/cargo-metadata.html) with format version\n`1` to collect information about the crates and the workspace.\n\n## Features\n\n- Reads manifests to get info about crates and dependencies\n- Checks that the versions of external dependencies exist in the registry\n- Checks matching 
paths and versions of internal dependencies\n- Checks that no changes have happened since the published release when the version of an internal dependency is unchanged\n- Skips publishing of internal dependencies which were not updated\n- Publishes updated crates in the right order according to dependencies\n- Waits until a published crate is available in the registry before publishing crates which depend on it\n- Works fine in workspaces without cyclic dependencies\n- Supports the `{ workspace = true }` syntax in the `Cargo.toml`. [This](https://rust-lang.github.io/rfcs/2906-cargo-workspace-deduplicate.html)\n  feature was stabilized in Rust 1.64.\n\n## Unimplemented features\n\n- Support for registries other than [crates.io](https://crates.io/)\n\n## Inputs\n\n- `token` GitHub API token (`github.token` by default)\n- `path` Sets path to crate or workspace ('.' by default)\n- `args` Extra arguments for `cargo publish` command\n- `registry-token` Cargo registry token (not used when `dry-run: true`)\n- `dry-run` Set to `true` to skip executing `cargo publish`\n- `check-repo` Set to `false` to skip checking local packages for modifications since the last published version\n- `publish-delay` Optional delay in milliseconds applied after publishing each package before publishing others\n- `no-verify` Set to `true` to bypass cyclic dependency detection and cargo packaging verification (uses `--no-verify`)\n- `ignore-unpublished-changes` Set to `true` to exit the workflow gracefully if a package does not have a new version to publish\n\nEach local package (workspace member) may have been modified since the last published version without a\ncorresponding version bump. This situation is dangerous and should be prevented. To do so, this\naction uses the GitHub API to get the date of the latest commit which modified contents under the path of the corresponding package.\nThis date is compared with the date of the last published version of that package. 
When the `check-repo` option is set to `true`\n(which is the default) this action will throw an error when the last commit date cannot be determined.\nThis happens in the case of detached refs (like pull requests). Usually you should never publish packages via\npull requests, so you may simply disable this action in such cases (via an `if` expression, for example).\nWhen you want to run the action (say with `dry-run` set to `true`) without failing, you may simply set `check-repo`\nto `false` too.\n\n**NOTE**: You should avoid setting both `check-repo` and `dry-run` to `false`.\n\nUsually you don't need to set `publish-delay` because this action checks the availability of previously published\npackages before publishing others, but in some cases it may help work around __crates.io__ inconsistency\nproblems.\n\n## Outputs\n\n- `published` JSON-formatted string with published crates as an array of objects with `name` and `version` fields.\n\nYou may want to use it with the [`fromJSON`][fromJSON] function and object filter syntax\n[1][object filters-join], [2][object filters-contains].\n\n__This works whether \"dry-run\" is enabled or not.__\nThat means that when `dry-run: true` you will get packages that could have been published.\n\n[fromJSON]: https://docs.github.com/en/actions/learn-github-actions/expressions#fromjson\n[object filters-join]: https://docs.github.com/en/actions/learn-github-actions/expressions#example-of-join\n[object filters-contains]: https://docs.github.com/en/actions/learn-github-actions/expressions#example-using-an-object-filter\n\n## Usage examples\n\nBasic usage (`Cargo.toml` sits in repository root):\n\n```yaml\nsteps:\n    - uses: actions/checkout@v3\n    - uses: actions-rs/toolchain@v1\n      with:\n          toolchain: stable\n          override: true\n    - uses: katyo/publish-crates@v2\n      with:\n          registry-token: ${{ secrets.CARGO_REGISTRY_TOKEN }}\n```\n\nAdvanced usage (`Cargo.toml` sits in 'packages' subdir, and you would like to skip verification 
and bypass real publishing):\n\n```yaml\nsteps:\n    - uses: actions/checkout@v3\n    - uses: actions-rs/toolchain@v1\n      with:\n          toolchain: stable\n          override: true\n    - uses: katyo/publish-crates@v2\n      with:\n          path: './packages'\n          args: --no-verify\n          dry-run: true\n```\n\nDo all checks in both push and pull requests, but only publish on push:\n\n```yaml\nsteps:\n    - uses: actions/checkout@v3\n    - uses: actions-rs/toolchain@v1\n      with:\n          toolchain: stable\n          override: true\n    - uses: katyo/publish-crates@v2\n      with:\n          dry-run: ${{ github.event_name != 'push' }}\n```\n\nPrevent failing when there is no new version to publish:\n\n```yaml\nsteps:\n    - uses: actions/checkout@v3\n    - uses: actions-rs/toolchain@v1\n      with:\n          toolchain: stable\n          override: true\n    - uses: katyo/publish-crates@v2\n      with:\n          registry-token: ${{ secrets.CARGO_REGISTRY_TOKEN }}\n          ignore-unpublished-changes: true\n```\n\nOutput usage:\n\n```yaml\n    - uses: katyo/publish-crates@v2\n      id: publish-crates\n      with:\n          registry-token: ${{ secrets.CARGO_REGISTRY_TOKEN }}\n\n    - name: if my-crate published\n      if: fromJSON(steps.publish-crates.outputs.published).*\n      run: |\n          LIST=\"${{ join(fromJSON(steps.publish-crates.outputs.published).*.name, ', ') }}\"\n          echo \"Published crates: $LIST\"\n```\n**NOTE**: This also works if `dry-run` is enabled. It is explained in [Outputs](#outputs).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkatyo%2Fpublish-crates","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkatyo%2Fpublish-crates","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkatyo%2Fpublish-crates/lists"}