Check for correct crates.io ownership for every crate in the repository #142

Open
epilys opened this issue Oct 27, 2023 · 1 comment
epilys commented Oct 27, 2023

According to the publishing documentation [1], CODEOWNERS and the gatekeepers team must be owners of a crate published on crates.io in addition to the original crate authors. We can add a check that runs for every crate located in a repository that verifies the ownership status is correct with the crates.io API [2].

Example:

Find all crates:

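# List the package name from every Cargo.toml, skipping build and fuzz directories.
for manifest_file in $(find . -type f -name Cargo.toml | grep --invert-match "/target/" | grep --invert-match "/fuzz/"); do
  # Take the first line that starts with `name =`, normally the [package] name.
  NAME=$(grep --max-count=1 '^name *= *"' "${manifest_file}" | sed -e 's/^name *= *"\([^"]*\)".*/\1/')
  if [ -n "${NAME}" ]; then
    echo "${NAME}"
  fi
done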

Check owner for a crate:

CRATE_NAME="$1"

echo "INFO: querying https://crates.io/api/v1/crates/${CRATE_NAME}/owners"

OWNERS_REPLY=$(curl --silent "https://crates.io/api/v1/crates/${CRATE_NAME}/owners")

echo "INFO: API reply was ${OWNERS_REPLY}"

case "${OWNERS_REPLY}" in
  *'{"errors":[{"detail":"Not Found"}]}'* ) echo "INFO: Crate ${CRATE_NAME} was not found on crates.io and is assumed unpublished." ; exit 0 ;; # Crate is not published.
esac

ERROR=""

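# Compare against the "login" field itself, not against any substring of the
# reply, so that a short name cannot match inside another login, name or URL.
# This relies on the compact JSON layout that the API returns (see the reply below).
case "${OWNERS_REPLY}" in
  *'"login":"github:rust-vmm:gatekeepers"'* ) echo "OK: rust-vmm:gatekeepers is an owner." ;;
  * ) echo "ERROR: rust-vmm:gatekeepers team must be in ${CRATE_NAME}'s owners." ; ERROR="yes";;
esac

# Take the owners from the "*" rule of CODEOWNERS: drop comment lines, the leading "*" and the "@" prefixes.
for owner in $(sed -e '/^#.\+$/d' -e 's/^[*]\s*//' -e 's/[@]//g' < CODEOWNERS); do
  case "${OWNERS_REPLY}" in
    *"\"login\":\"${owner}\""* )
      echo "OK: ${owner} is an owner."
      ;;
    * )
      echo "ERROR: ${owner} is not an owner." ; ERROR="yes"
      ;;
  esac
done

if [ -n "${ERROR}" ]; then
  echo "Missing crate owners for ${CRATE_NAME}, please add them."
  exit 1
fi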

Running it for virtio-bindings outputs:

INFO: querying https://crates.io/api/v1/crates/virtio-bindings/owners
INFO: API reply was {"users":[{"avatar":"https://avatars.githubusercontent.com/u/1043863?v=4","id":35756,"kind":"user","login":"sameo","name":"Samuel Ortiz","url":"https://github.com/sameo"},{"avatar":"https://avatars.githubusercontent.com/u/2815944?v=4","id":37110,"kind":"user","login":"andreeaflorescu","name":"Andreea Florescu","url":"https://github.com/andreeaflorescu"},{"avatar":"https://avatars.githubusercontent.com/u/8278356?v=4","id":53759,"kind":"user","login":"epilys","name":"Manos Pitsidianakis","url":"https://github.com/epilys"},{"avatar":"https://avatars.githubusercontent.com/u/115481277?v=4","id":186043,"kind":"user","login":"roypat","name":"Patrick Roy","url":"https://github.com/roypat"},{"avatar":"https://avatars.githubusercontent.com/u/46028664?v=4","id":1481,"kind":"team","login":"github:rust-vmm:gatekeepers","name":"gatekeepers","url":"https://github.com/rust-vmm"}]}
OK: rust-vmm:gatekeepers is an owner.
ERROR: alexandruag is not an owner.
OK: andreeaflorescu is an owner.
ERROR: jiangliu is not an owner.
ERROR: slp is not an owner.
ERROR: stsquad is not an owner.
OK: epilys is an owner.
Missing crate owners for virtio-bindings, please add them.

Footnotes

  1. https://github.com/rust-vmm/community/blob/main/MAINTAINERS.md#becoming-a-repository-maintainer

  2. https://doc.rust-lang.org/cargo/reference/registry-web-api.html#owners-list
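
An added example, not part of the original issue or of rust-vmm's tooling: the owner check with each login compared as a whole, case-insensitive value, next to a raw substring test for contrast. The sample reply, the CODEOWNERS text, the team name and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not real crates.io output, not a real CODEOWNERS file).
SAMPLE_REPLY='{"users":[{"id":1,"kind":"user","login":"roypat","name":"Roy P"},{"id":2,"kind":"user","login":"Alice-Dev","name":"Alice"},{"id":3,"kind":"team","login":"github:example-org:gatekeepers","name":"gatekeepers"}]}'
SAMPLE_CODEOWNERS='# constructed sample
* @alice-dev @roy @pat-ops'
SAMPLE_TEAM='github:example-org:gatekeepers'

lower() { tr '[:upper:]' '[:lower:]'; }

# One "login" value per line, lowercased (GitHub logins are case-insensitive).
# Assumes the compact JSON layout of the owners reply shown in the issue.
owner_logins() {
  printf '%s\n' "$1" | grep -o '"login":"[^"]*"' |
    sed -e 's/^"login":"//' -e 's/"$//' | lower
}

# Owners named on the default "*" rule of CODEOWNERS, one per line, "@" removed.
required_owners() {
  printf '%s\n' "$1" | sed -n -e 's/^[*][[:space:]]*//p' |
    tr -s ' \t' '\n' | sed -e 's/^@//' -e '/^$/d' | lower
}

# Contrast case: substring test over the raw reply.
# $1 = reply, $2 = CODEOWNERS text, $3 = team login. Prints the missing owners.
missing_by_substring() {
  missing=""
  for owner in "$3" $(required_owners "$2"); do
    case "$1" in
      *"${owner}"*) ;;
      *) missing="${missing}${missing:+ }${owner}" ;;
    esac
  done
  printf '%s' "${missing}"
}

# Whole-value comparison against the extracted login list. Same arguments.
missing_by_exact_login() {
  logins=$(owner_logins "$1")
  missing=""
  for owner in "$3" $(required_owners "$2"); do
    # -x whole line, -F fixed string: "roy" must not be satisfied by "roypat".
    if ! printf '%s\n' "${logins}" | grep -qxF -- "${owner}"; then
      missing="${missing}${missing:+ }${owner}"
    fi
  done
  printf '%s' "${missing}"
}
echo "substring: $(missing_by_substring "$SAMPLE_REPLY" "$SAMPLE_CODEOWNERS" "$SAMPLE_TEAM")"
echo "exact:     $(missing_by_exact_login "$SAMPLE_REPLY" "$SAMPLE_CODEOWNERS" "$SAMPLE_TEAM")"
```

On the constructed data the substring test accepts `roy` because of `roypat` and rejects `alice-dev` because of letter case, while the exact comparison reports `roy` and `pat-ops` as missing.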

@andreeaflorescu

This is a great idea!
