Skip to content

feat (publish): deprecate --token option #16046

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 4, 2025
Merged

feat (publish): deprecate --token option #16046

merged 4 commits into from
Oct 4, 2025

Conversation

omskscream
Copy link
Contributor

@omskscream omskscream commented Oct 4, 2025
edited
Loading

What does this PR try to resolve?

Closes #15274
This PR adds a warning when --token option is used with cargo publish command.
This PR removes --token from help and docs for publish command.

There's an --index option that still requires --token to be specified, but addressing that is not the part of this PR.

How to test and review this PR?

Please check changed test cases to see how behavior changes.

@rustbot
Copy link
Collaborator

rustbot commented Oct 4, 2025

r? @epage

rustbot has assigned @epage.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added A-cli Area: Command-line interface, option parsing, etc. A-cli-help Area: built-in command-line help A-documenting-cargo-itself Area: Cargo's documentation Command-publish S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Oct 4, 2025
@omskscream omskscream force-pushed the publish/deprecate-token branch from b72c7a4 to 30a29b4 Compare October 4, 2025 10:47
weihanglo
weihanglo reviewed Oct 4, 2025
View reviewed changes
src/bin/cargo/commands/publish.rs
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if we also want to update our test

cargo/tests/testsuite/publish.rs

Line 208 in 029de48

p.cargo("publish --no-verify --token sekrit --registry dummy-registry")

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was under impression that this test checks something specific to the cmd option, so wasn't sure about changing it except for adding a warning message 🤔

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anyway, it is fine keeping as-is.

src/doc/src/commands/cargo-publish.md Outdated
This command requires you to be authenticated with either the `--token` option
or using [cargo-login(1)](cargo-login.html).
This command requires you to be authenticated using [cargo-login(1)](cargo-login.html)
or [environment variables](../reference/environment-variables.html).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably instead of pointing to the entire env doc, we make the link a bit precise to relevant config fields. What do you think?

Suggested change
or [environment variables](../reference/environment-variables.html).
or environment variables of the [`registry.token`](../reference/config.html#registrytoken)
and [`registries.<name>.token`](../reference/config.html#registriesnametoken) config fields.

Though I am still wanting something similar to this happening: https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/Anchors.20for.20each.20environment.20variable.20in.20The.20Cargo.20Book

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps related:

Can be overridden with the --token command-line option.

This in both registry.token and registries.<name>.token doc might need to remove

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the edit, I missed the fact that config page has direct mentions of env variables with links 😥

As for

This in both registry.token and registries..token doc might need to remove

I would not do it in this PR, because --token is still used in yank and owner commands. Let's postpone it until the deprecation is done in all places.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is fair. Thank you!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created an issue tracking it: #16049

@weihanglo weihanglo enabled auto-merge October 4, 2025 15:45
@weihanglo weihanglo mentioned this pull request Oct 4, 2025
Open
weihanglo
weihanglo reviewed Oct 4, 2025
View reviewed changes
src/bin/cargo/commands/publish.rs
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I overlooked in completion code we also want to hide --token

Fine with either dealing with it in this or a follow-up

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated, thanks for reminder. I, as a Windows user, haven't even thought of autocomplete 😅

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have unstable native completion support also for powershell, if you're a user and wanna try: https://doc.rust-lang.org/cargo/reference/unstable.html#native-completions

auto-merge was automatically disabled October 4, 2025 16:36

Head branch was pushed to by a user without write access

@rustbot rustbot added the A-completions Area: shell completions label Oct 4, 2025
@weihanglo weihanglo enabled auto-merge October 4, 2025 16:45
@weihanglo weihanglo added this pull request to the merge queue Oct 4, 2025
Merged via the queue into rust-lang:master with commit 8a8ef3e Oct 4, 2025
25 checks passed
@rustbot rustbot removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Oct 4, 2025
@weihanglo weihanglo mentioned this pull request Oct 10, 2025
Merged
bors added a commit to rust-lang/rust that referenced this pull request Oct 10, 2025
@bors
Auto merge of #147568 - weihanglo:update-cargo, r=weihanglo
bd928c9 
Update cargo submodule

22 commits in 801d9b4981dd07e3aecdca1ab86834c13615737e..81c3f77a467359c8be6bc747dc93ec66a6e4ce11
2025-10-04 13:30:15 +0000 to 2025-10-10 18:41:02 +0000
- docs(changelog): literal host-tuple support (rust-lang/cargo#16033)
- refactor: Define cargo script's target-dir using build-dir templating (rust-lang/cargo#16073)
- feat(build-dir): Reorganize build-dir layout (rust-lang/cargo#15947)
- refactor: unflatten `(String, Def)` to `ConfigValue` (rust-lang/cargo#16084)
- fix(tree): Switch from `--depth public` to `--edges public` (rust-lang/cargo#16081)
- docs(guide): Point out tools for reducing dependencies (rust-lang/cargo#16078)
- Allow to rustfix unused_variables lint. (rust-lang/cargo#16082)
- Fix test that assumes `CARGO_CFG_TARGET_FAMILY` is a single value (rust-lang/cargo#16079)
- Fix regression that swallowed json diagnostic explanations (rust-lang/cargo#16075)
- docs(ref): fix link to clippy incompatible_msrv lint (rust-lang/cargo#16077)
- Convert a few more diagnostics to reports (rust-lang/cargo#16066)
- fix(support): Add track_caller to know the actual failure (rust-lang/cargo#16069)
- fix(add): Report a missing source error for workspace dependencies  (rust-lang/cargo#16063)
- fix(script): Default bin.name to package.name  (rust-lang/cargo#16064)
- refactor(gctx): ConfigValue getter cleanup (rust-lang/cargo#16067)
- Fix unsafe_op_in_unsafe_fn for Windows (rust-lang/cargo#16058)
- Consider public dependencies when choosing a version in cargo add (rust-lang/cargo#1… (rust-lang/cargo#15966)
- docs: clarify panic-immediate-abort can be used in config (rust-lang/cargo#16054)
- fix(timings): compute codegen start time to draw dep lines (rust-lang/cargo#16055)
- chore: Added tracing span for build script execution (rust-lang/cargo#16053)
- test: null-terminated path for reserved windows name detection (rust-lang/cargo#16052)
- feat (publish): deprecate `--token` option (rust-lang/cargo#16046)

r? ghost
bors added a commit to rust-lang/rust that referenced this pull request Oct 11, 2025
@bors
Auto merge of #147568 - weihanglo:update-cargo, r=weihanglo
357494a 
Update cargo submodule

22 commits in 801d9b4981dd07e3aecdca1ab86834c13615737e..81c3f77a467359c8be6bc747dc93ec66a6e4ce11
2025-10-04 13:30:15 +0000 to 2025-10-10 18:41:02 +0000
- docs(changelog): literal host-tuple support (rust-lang/cargo#16033)
- refactor: Define cargo script's target-dir using build-dir templating (rust-lang/cargo#16073)
- feat(build-dir): Reorganize build-dir layout (rust-lang/cargo#15947)
- refactor: unflatten `(String, Def)` to `ConfigValue` (rust-lang/cargo#16084)
- fix(tree): Switch from `--depth public` to `--edges public` (rust-lang/cargo#16081)
- docs(guide): Point out tools for reducing dependencies (rust-lang/cargo#16078)
- Allow to rustfix unused_variables lint. (rust-lang/cargo#16082)
- Fix test that assumes `CARGO_CFG_TARGET_FAMILY` is a single value (rust-lang/cargo#16079)
- Fix regression that swallowed json diagnostic explanations (rust-lang/cargo#16075)
- docs(ref): fix link to clippy incompatible_msrv lint (rust-lang/cargo#16077)
- Convert a few more diagnostics to reports (rust-lang/cargo#16066)
- fix(support): Add track_caller to know the actual failure (rust-lang/cargo#16069)
- fix(add): Report a missing source error for workspace dependencies  (rust-lang/cargo#16063)
- fix(script): Default bin.name to package.name  (rust-lang/cargo#16064)
- refactor(gctx): ConfigValue getter cleanup (rust-lang/cargo#16067)
- Fix unsafe_op_in_unsafe_fn for Windows (rust-lang/cargo#16058)
- Consider public dependencies when choosing a version in cargo add (rust-lang/cargo#1… (rust-lang/cargo#15966)
- docs: clarify panic-immediate-abort can be used in config (rust-lang/cargo#16054)
- fix(timings): compute codegen start time to draw dep lines (rust-lang/cargo#16055)
- chore: Added tracing span for build script execution (rust-lang/cargo#16053)
- test: null-terminated path for reserved windows name detection (rust-lang/cargo#16052)
- feat (publish): deprecate `--token` option (rust-lang/cargo#16046)

r? ghost
bors added a commit to rust-lang/rust that referenced this pull request Oct 11, 2025
@bors
Auto merge of #147568 - weihanglo:update-cargo, r=weihanglo
360a3a4 
Update cargo submodule

22 commits in 801d9b4981dd07e3aecdca1ab86834c13615737e..81c3f77a467359c8be6bc747dc93ec66a6e4ce11
2025-10-04 13:30:15 +0000 to 2025-10-10 18:41:02 +0000
- docs(changelog): literal host-tuple support (rust-lang/cargo#16033)
- refactor: Define cargo script's target-dir using build-dir templating (rust-lang/cargo#16073)
- feat(build-dir): Reorganize build-dir layout (rust-lang/cargo#15947)
- refactor: unflatten `(String, Def)` to `ConfigValue` (rust-lang/cargo#16084)
- fix(tree): Switch from `--depth public` to `--edges public` (rust-lang/cargo#16081)
- docs(guide): Point out tools for reducing dependencies (rust-lang/cargo#16078)
- Allow to rustfix unused_variables lint. (rust-lang/cargo#16082)
- Fix test that assumes `CARGO_CFG_TARGET_FAMILY` is a single value (rust-lang/cargo#16079)
- Fix regression that swallowed json diagnostic explanations (rust-lang/cargo#16075)
- docs(ref): fix link to clippy incompatible_msrv lint (rust-lang/cargo#16077)
- Convert a few more diagnostics to reports (rust-lang/cargo#16066)
- fix(support): Add track_caller to know the actual failure (rust-lang/cargo#16069)
- fix(add): Report a missing source error for workspace dependencies  (rust-lang/cargo#16063)
- fix(script): Default bin.name to package.name  (rust-lang/cargo#16064)
- refactor(gctx): ConfigValue getter cleanup (rust-lang/cargo#16067)
- Fix unsafe_op_in_unsafe_fn for Windows (rust-lang/cargo#16058)
- Consider public dependencies when choosing a version in cargo add (rust-lang/cargo#1… (rust-lang/cargo#15966)
- docs: clarify panic-immediate-abort can be used in config (rust-lang/cargo#16054)
- fix(timings): compute codegen start time to draw dep lines (rust-lang/cargo#16055)
- chore: Added tracing span for build script execution (rust-lang/cargo#16053)
- test: null-terminated path for reserved windows name detection (rust-lang/cargo#16052)
- feat (publish): deprecate `--token` option (rust-lang/cargo#16046)

r? ghost
@rustbot rustbot added this to the 1.92.0 milestone Oct 11, 2025
rust-cloud-vms bot pushed a commit to makai410/rustc_public that referenced this pull request Oct 12, 2025
@bors
Auto merge of #147568 - weihanglo:update-cargo, r=weihanglo
98fc971 
Update cargo submodule

22 commits in 801d9b4981dd07e3aecdca1ab86834c13615737e..81c3f77a467359c8be6bc747dc93ec66a6e4ce11
2025-10-04 13:30:15 +0000 to 2025-10-10 18:41:02 +0000
- docs(changelog): literal host-tuple support (rust-lang/cargo#16033)
- refactor: Define cargo script's target-dir using build-dir templating (rust-lang/cargo#16073)
- feat(build-dir): Reorganize build-dir layout (rust-lang/cargo#15947)
- refactor: unflatten `(String, Def)` to `ConfigValue` (rust-lang/cargo#16084)
- fix(tree): Switch from `--depth public` to `--edges public` (rust-lang/cargo#16081)
- docs(guide): Point out tools for reducing dependencies (rust-lang/cargo#16078)
- Allow to rustfix unused_variables lint. (rust-lang/cargo#16082)
- Fix test that assumes `CARGO_CFG_TARGET_FAMILY` is a single value (rust-lang/cargo#16079)
- Fix regression that swallowed json diagnostic explanations (rust-lang/cargo#16075)
- docs(ref): fix link to clippy incompatible_msrv lint (rust-lang/cargo#16077)
- Convert a few more diagnostics to reports (rust-lang/cargo#16066)
- fix(support): Add track_caller to know the actual failure (rust-lang/cargo#16069)
- fix(add): Report a missing source error for workspace dependencies  (rust-lang/cargo#16063)
- fix(script): Default bin.name to package.name  (rust-lang/cargo#16064)
- refactor(gctx): ConfigValue getter cleanup (rust-lang/cargo#16067)
- Fix unsafe_op_in_unsafe_fn for Windows (rust-lang/cargo#16058)
- Consider public dependencies when choosing a version in cargo add (rust-lang/cargo#1… (rust-lang/cargo#15966)
- docs: clarify panic-immediate-abort can be used in config (rust-lang/cargo#16054)
- fix(timings): compute codegen start time to draw dep lines (rust-lang/cargo#16055)
- chore: Added tracing span for build script execution (rust-lang/cargo#16053)
- test: null-terminated path for reserved windows name detection (rust-lang/cargo#16052)
- feat (publish): deprecate `--token` option (rust-lang/cargo#16046)

r? ghost
flip1995 pushed a commit to flip1995/rust-clippy that referenced this pull request Oct 18, 2025
@bors
Auto merge of #147568 - weihanglo:update-cargo, r=weihanglo
791d334 
Update cargo submodule

22 commits in 801d9b4981dd07e3aecdca1ab86834c13615737e..81c3f77a467359c8be6bc747dc93ec66a6e4ce11
2025-10-04 13:30:15 +0000 to 2025-10-10 18:41:02 +0000
- docs(changelog): literal host-tuple support (rust-lang/cargo#16033)
- refactor: Define cargo script's target-dir using build-dir templating (rust-lang/cargo#16073)
- feat(build-dir): Reorganize build-dir layout (rust-lang/cargo#15947)
- refactor: unflatten `(String, Def)` to `ConfigValue` (rust-lang/cargo#16084)
- fix(tree): Switch from `--depth public` to `--edges public` (rust-lang/cargo#16081)
- docs(guide): Point out tools for reducing dependencies (rust-lang/cargo#16078)
- Allow to rustfix unused_variables lint. (rust-lang/cargo#16082)
- Fix test that assumes `CARGO_CFG_TARGET_FAMILY` is a single value (rust-lang/cargo#16079)
- Fix regression that swallowed json diagnostic explanations (rust-lang/cargo#16075)
- docs(ref): fix link to clippy incompatible_msrv lint (rust-lang/cargo#16077)
- Convert a few more diagnostics to reports (rust-lang/cargo#16066)
- fix(support): Add track_caller to know the actual failure (rust-lang/cargo#16069)
- fix(add): Report a missing source error for workspace dependencies  (rust-lang/cargo#16063)
- fix(script): Default bin.name to package.name  (rust-lang/cargo#16064)
- refactor(gctx): ConfigValue getter cleanup (rust-lang/cargo#16067)
- Fix unsafe_op_in_unsafe_fn for Windows (rust-lang/cargo#16058)
- Consider public dependencies when choosing a version in cargo add (rust-lang/cargo#1… (rust-lang/cargo#15966)
- docs: clarify panic-immediate-abort can be used in config (rust-lang/cargo#16054)
- fix(timings): compute codegen start time to draw dep lines (rust-lang/cargo#16055)
- chore: Added tracing span for build script execution (rust-lang/cargo#16053)
- test: null-terminated path for reserved windows name detection (rust-lang/cargo#16052)
- feat (publish): deprecate `--token` option (rust-lang/cargo#16046)

r? ghost
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@weihanglo weihanglo weihanglo approved these changes

Assignees

@epage epage

Labels

A-cli Area: Command-line interface, option parsing, etc. A-cli-help Area: built-in command-line help A-completions Area: shell completions A-documenting-cargo-itself Area: Cargo's documentation Command-publish

Projects

None yet

Milestone

1.92.0

Development

Successfully merging this pull request may close these issues.

Deprecate cargo publish --token?

4 participants

@omskscream @rustbot @weihanglo @epage