Only allow rust-lang-owner as the user owner

Kobzol · Kobzol · commit cb950458fbb7 · 2025-12-04T15:33:34.000+01:00
diff --git a/sync-team/src/crates_io/api.rs b/sync-team/src/crates_io/api.rs
@@ -60,6 +60,49 @@ impl CratesIoApi {
         Ok(response.github_configs)
     }
 
+    /// List owners of a given crate.
+    pub(crate) fn list_crate_owners(&self, krate: &str) -> anyhow::Result<Vec<CratesIoOwner>> {
+        #[derive(serde::Deserialize)]
+        struct OwnersResponse {
+            users: Vec<CratesIoOwner>,
+        }
+
+        let response: OwnersResponse = self
+            .req::<()>(
+                reqwest::Method::GET,
+                &format!("/crates/{krate}/owners"),
+                None,
+            )?
+            .error_for_status()?
+            .json_annotated()?;
+
+        Ok(response.users)
+    }
+
+    /// Delete the specified owner(s) of a given crate.
+    pub(crate) fn delete_crate_owners(
+        &self,
+        krate: &str,
+        owners: &[CratesIoOwner],
+    ) -> anyhow::Result<()> {
+        #[derive(serde::Serialize)]
+        struct DeleteOwnersRequest<'a> {
+            owners: &'a [&'a str],
+        }
+
+        let owners = owners.iter().map(|o| o.login.as_str()).collect::<Vec<_>>();
+
+        self.req(
+            reqwest::Method::DELETE,
+            &format!("/crates/{krate}/owners"),
+            Some(&DeleteOwnersRequest { owners: &owners }),
+        )?
+        .error_for_status()
+        .with_context(|| anyhow::anyhow!("Cannot delete owner(s) {owners:?} from krate {krate}"))?;
+
+        Ok(())
+    }
+
     /// Create a new trusted publishing configuration for a given crate.
     pub(crate) fn create_trusted_publishing_github_config(
         &self,
@@ -227,3 +270,16 @@ pub(crate) struct CratesIoCrate {
     #[serde(rename = "trustpub_only")]
     pub(crate) trusted_publishing_only: bool,
 }
+
+#[derive(serde::Deserialize, Debug)]
+#[serde(rename_all = "kebab-case")]
+pub(crate) enum OwnerKind {
+    User,
+    Team,
+}
+
+#[derive(serde::Deserialize, Debug)]
+pub(crate) struct CratesIoOwner {
+    pub(crate) login: String,
+    pub(crate) kind: OwnerKind,
+}
diff --git a/sync-team/src/crates_io/mod.rs b/sync-team/src/crates_io/mod.rs
@@ -3,7 +3,7 @@ mod api;
 use crate::team_api::TeamApi;
 use std::cmp::Ordering;
 
-use crate::crates_io::api::{CratesIoApi, TrustedPublishingGitHubConfig};
+use crate::crates_io::api::{CratesIoApi, CratesIoOwner, OwnerKind, TrustedPublishingGitHubConfig};
 use anyhow::Context;
 use secrecy::SecretString;
 use std::collections::BTreeMap;
@@ -78,6 +78,7 @@ impl SyncCratesIo {
 
         // Note: we currently only support one trusted publishing configuration per crate
         for (krate, desired) in &self.crates {
+            // Sync trusted publishing configs
             let mut configs = self
                 .crates_io_api
                 .list_trusted_publishing_github_configs(&krate.0)
@@ -113,6 +114,7 @@ impl SyncCratesIo {
             // Non-matching configs should be deleted
             config_diffs.extend(configs.into_iter().map(ConfigDiff::Delete));
 
+            // Sync "trusted publishing only" crate option
             let trusted_publish_only_expected = desired.trusted_publishing_only;
             let crates_io_crate = self
                 .crates_io_api
@@ -124,11 +126,28 @@ impl SyncCratesIo {
                     value: trusted_publish_only_expected,
                 });
             }
+
+            // Sync crate owners
+            let owners = self
+                .crates_io_api
+                .list_crate_owners(&krate.0)
+                .with_context(|| anyhow::anyhow!("Cannot list crate owners of {krate}"))?;
+            // Make sure that the only user owner is `rust-lang-owner`
+            let user_owners = owners
+                .into_iter()
+                .filter(|owner| match owner.kind {
+                    OwnerKind::User => owner.login != "rust-lang-owner",
+                    OwnerKind::Team => false,
+                })
+                .collect::<Vec<_>>();
+            crate_diffs.push(CrateDiff::RemoveOwners {
+                krate: krate.to_string(),
+                owners: user_owners,
+            })
         }
 
         // We want to apply deletions first, and only then create new configs, to ensure that we
-        // don't try to create a duplicate config where e.g. only the environment differs, which
-        // would be an error in crates.io.
+        // don't try to create a duplicate config where e.g. only the environment differs.
         config_diffs.sort_by(|a, b| match &(a, b) {
             (ConfigDiff::Delete(_), ConfigDiff::Create(_)) => Ordering::Less,
             (ConfigDiff::Create(_), ConfigDiff::Delete(_)) => Ordering::Greater,
@@ -237,7 +256,14 @@ impl std::fmt::Display for ConfigDiff {
 }
 
 enum CrateDiff {
-    SetTrustedPublishingOnly { krate: String, value: bool },
+    SetTrustedPublishingOnly {
+        krate: String,
+        value: bool,
+    },
+    RemoveOwners {
+        krate: String,
+        owners: Vec<CratesIoOwner>,
+    },
 }
 
 impl CrateDiff {
@@ -246,6 +272,9 @@ impl CrateDiff {
             Self::SetTrustedPublishingOnly { krate, value } => sync
                 .crates_io_api
                 .set_trusted_publishing_only(krate, *value),
+            CrateDiff::RemoveOwners { krate, owners } => {
+                sync.crates_io_api.delete_crate_owners(krate, owners)
+            }
         }
     }
 }
@@ -259,6 +288,9 @@ impl std::fmt::Display for CrateDiff {
                     "  Setting trusted publishing only option for krate `{krate}` to `{value}`",
                 )?;
             }
+            CrateDiff::RemoveOwners { krate, owners } => {
+                writeln!(f, "  Removing owner(s) `{owners:?}` from krate `{krate}`")?;
+            }
         }
         Ok(())
     }
