From e9513f5e2e72bc78b43420d061044b6a034ca7e8 Mon Sep 17 00:00:00 2001
From: Tobias Bieniek <tobias@bieniek.cloud>
Date: Tue, 25 Nov 2025 13:05:10 +0100
Subject: [PATCH 1/6] models/crate: Add `trustpubOnly` attribute

---
 app/models/crate.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/models/crate.js b/app/models/crate.js
index f7112d80ea5..e7d7c72273a 100644
--- a/app/models/crate.js
+++ b/app/models/crate.js
@@ -29,6 +29,12 @@ export default class Crate extends Model {
   @attr documentation;
   @attr repository;
 
+  /**
+   * Whether this crate can only be published via Trusted Publishing.
+   * @type {boolean}
+   */
+  @attr trustpub_only;
+
   /**
    * This isn't an attribute in the crate response.
    * It's actually the `meta` attribute that belongs to `versions`

From aafe0bc0fa9b04e1d16d14189275cddaf0c6aeb2 Mon Sep 17 00:00:00 2001
From: Tobias Bieniek <tobias@bieniek.cloud>
Date: Tue, 25 Nov 2025 13:04:03 +0100
Subject: [PATCH 2/6] models/crate: Add `setTrustpubOnlyTask`

This adds a `setTrustpubOnlyTask` to enable/disable the trusted publishing restriction via the PATCH `/api/v1/crates/{name}` endpoint.
---
 app/models/crate.js        |  8 ++++++-
 tests/models/crate-test.js | 46 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/app/models/crate.js b/app/models/crate.js
index e7d7c72273a..e764999d15b 100644
--- a/app/models/crate.js
+++ b/app/models/crate.js
@@ -4,7 +4,7 @@ import { waitForPromise } from '@ember/test-waiters';
 import { cached } from '@glimmer/tracking';
 
 import { apiAction } from '@mainmatter/ember-api-actions';
-import { task } from 'ember-concurrency';
+import { keepLatestTask, task } from 'ember-concurrency';
 
 export default class Crate extends Model {
   @attr name;
@@ -129,4 +129,10 @@ export default class Crate extends Model {
     let fut = reload === true ? versionsRef.reload() : versionsRef.load();
     return (await fut) ?? [];
   });
+
+  setTrustpubOnlyTask = keepLatestTask(async trustpubOnly => {
+    let data = { crate: { trustpub_only: trustpubOnly } };
+    let payload = await waitForPromise(apiAction(this, { method: 'PATCH', data }));
+    this.store.pushPayload(payload);
+  });
 }
diff --git a/tests/models/crate-test.js b/tests/models/crate-test.js
index bb2e0a8dfde..211edf5e490 100644
--- a/tests/models/crate-test.js
+++ b/tests/models/crate-test.js
@@ -13,6 +13,52 @@ module('Model | Crate', function (hooks) {
     this.store = this.owner.lookup('service:store');
   });
 
+  module('setTrustpubOnlyTask', function () {
+    test('enables trustpub_only', async function (assert) {
+      let user = this.db.user.create();
+      this.authenticateAs(user);
+
+      let crate = this.db.crate.create({ trustpubOnly: false });
+      this.db.version.create({ crate });
+
+      let crateRecord = await this.store.findRecord('crate', crate.name);
+      assert.false(crateRecord.trustpub_only);
+      assert.false(this.db.crate.findFirst({ where: { id: { equals: crate.id } } }).trustpubOnly);
+
+      await crateRecord.setTrustpubOnlyTask.perform(true);
+      assert.true(crateRecord.trustpub_only);
+      assert.true(this.db.crate.findFirst({ where: { id: { equals: crate.id } } }).trustpubOnly);
+    });
+
+    test('disables trustpub_only', async function (assert) {
+      let user = this.db.user.create();
+      this.authenticateAs(user);
+
+      let crate = this.db.crate.create({ trustpubOnly: true });
+      this.db.version.create({ crate });
+
+      let crateRecord = await this.store.findRecord('crate', crate.name);
+      assert.true(crateRecord.trustpub_only);
+      assert.true(this.db.crate.findFirst({ where: { id: { equals: crate.id } } }).trustpubOnly);
+
+      await crateRecord.setTrustpubOnlyTask.perform(false);
+      assert.false(crateRecord.trustpub_only);
+      assert.false(this.db.crate.findFirst({ where: { id: { equals: crate.id } } }).trustpubOnly);
+    });
+
+    test('requires authentication', async function (assert) {
+      let crate = this.db.crate.create();
+      this.db.version.create({ crate });
+
+      let crateRecord = await this.store.findRecord('crate', crate.name);
+
+      await assert.rejects(crateRecord.setTrustpubOnlyTask.perform(true), function (error) {
+        assert.deepEqual(error.errors, [{ detail: 'must be logged in to perform that action' }]);
+        return true;
+      });
+    });
+  });
+
   module('inviteOwner()', function () {
     test('happy path', async function (assert) {
       let user = this.db.user.create();

From 432c2e79cc25ce52d92b51d581d8b3e892d59e3e Mon Sep 17 00:00:00 2001
From: Tobias Bieniek <tobias@bieniek.cloud>
Date: Tue, 25 Nov 2025 14:41:44 +0100
Subject: [PATCH 3/6] crate/settings: Add `trustpub_only` checkbox

---
 app/components/trustpub-only-checkbox.css |  25 +++
 app/components/trustpub-only-checkbox.gjs |  41 +++++
 app/templates/crate/settings/index.css    |  11 +-
 app/templates/crate/settings/index.gjs    | 211 +++++++++++-----------
 tests/routes/crate/settings-test.js       |  63 ++++++-
 5 files changed, 246 insertions(+), 105 deletions(-)
 create mode 100644 app/components/trustpub-only-checkbox.css
 create mode 100644 app/components/trustpub-only-checkbox.gjs

diff --git a/app/components/trustpub-only-checkbox.css b/app/components/trustpub-only-checkbox.css
new file mode 100644
index 00000000000..f6fc65159c8
--- /dev/null
+++ b/app/components/trustpub-only-checkbox.css
@@ -0,0 +1,25 @@
+.trustpub-only-checkbox {
+  display: grid;
+  grid-template:
+    'checkbox label' auto
+    'checkbox note' auto / 16px 1fr;
+  row-gap: var(--space-3xs);
+  column-gap: var(--space-xs);
+  padding: var(--space-s) var(--space-m);
+  cursor: pointer;
+}
+
+.checkbox {
+  grid-area: checkbox;
+}
+
+.label {
+  grid-area: label;
+  font-weight: bold;
+}
+
+.note {
+  grid-area: note;
+  font-size: 85%;
+  color: var(--main-color-light);
+}
diff --git a/app/components/trustpub-only-checkbox.gjs b/app/components/trustpub-only-checkbox.gjs
new file mode 100644
index 00000000000..57f1288b6bb
--- /dev/null
+++ b/app/components/trustpub-only-checkbox.gjs
@@ -0,0 +1,41 @@
+import { on } from '@ember/modifier';
+import { action } from '@ember/object';
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
+
+import LoadingSpinner from 'crates-io/components/loading-spinner';
+
+export default class TrustpubOnlyCheckbox extends Component {
+  @service notifications;
+
+  @action async toggle(event) {
+    let { checked } = event.target;
+    try {
+      await this.args.crate.setTrustpubOnlyTask.perform(checked);
+    } catch (error) {
+      let detail = error.errors?.[0]?.detail;
+      if (detail && !detail.startsWith('{')) {
+        this.notifications.error(detail);
+      } else {
+        this.notifications.error('Failed to update trusted publishing setting');
+      }
+    }
+  }
+
+  <template>
+    <label class='trustpub-only-checkbox' data-test-trustpub-only-checkbox ...attributes>
+      <div class='checkbox'>
+        {{#if @crate.setTrustpubOnlyTask.isRunning}}
+          <LoadingSpinner data-test-spinner />
+        {{else}}
+          <input type='checkbox' checked={{@crate.trustpub_only}} data-test-checkbox {{on 'change' this.toggle}} />
+        {{/if}}
+      </div>
+      <div class='label'>Require trusted publishing for all new versions</div>
+      <div class='note'>
+        When enabled, new versions can only be published through configured trusted publishers. Publishing with API
+        tokens will be rejected.
+      </div>
+    </label>
+  </template>
+}
diff --git a/app/templates/crate/settings/index.css b/app/templates/crate/settings/index.css
index 817498307b0..f96db2e2d8c 100644
--- a/app/templates/crate/settings/index.css
+++ b/app/templates/crate/settings/index.css
@@ -54,6 +54,11 @@
     background-color: light-dark(white, #141413);
     border-radius: var(--space-3xs);
     box-shadow: 0 1px 3px light-dark(hsla(51, 90%, 42%, .35), #232321);
+}
+
+.trustpub table {
+    width: 100%;
+    border-spacing: 0;
 
     :global(tbody) > :global(tr) > :global(td) {
         border-top: 1px solid light-dark(hsla(51, 90%, 42%, .25), #232321);
@@ -82,7 +87,7 @@
             display: none;
         }
 
-        tbody > tr > td:first-child {
+        tbody > tr:not(.no-trustpub-config) > td:first-child {
             padding-bottom: 0;
         }
 
@@ -109,6 +114,10 @@
     }
 }
 
+.trustpub-only-checkbox {
+    border-top: 1px solid light-dark(hsla(51, 90%, 42%, 0.25), #232321);
+}
+
 .email-column {
     width: 25%;
     color: var(--main-color-light);
diff --git a/app/templates/crate/settings/index.gjs b/app/templates/crate/settings/index.gjs
index 0095058b929..0338118e319 100644
--- a/app/templates/crate/settings/index.gjs
+++ b/app/templates/crate/settings/index.gjs
@@ -10,6 +10,7 @@ import or from 'ember-truth-helpers/helpers/or';
 
 import CrateHeader from 'crates-io/components/crate-header';
 import Tooltip from 'crates-io/components/tooltip';
+import TrustpubOnlyCheckbox from 'crates-io/components/trustpub-only-checkbox';
 import UserAvatar from 'crates-io/components/user-avatar';
 
 <template>
@@ -116,113 +117,117 @@ import UserAvatar from 'crates-io/components/user-avatar';
     </div>
   </div>
 
-  <table class='trustpub' data-test-trusted-publishing>
-    <thead>
-      <tr>
-        <th>Publisher</th>
-        <th>Details</th>
-        <th><span class='sr-only'>Actions</span></th>
-      </tr>
-    </thead>
-    <tbody>
-      {{#each @controller.githubConfigs as |config|}}
-        <tr data-test-github-config={{config.id}}>
-          <td>GitHub</td>
-          <td class='details'>
-            <strong>Repository:</strong>
-            <a
-              href='https://github.com/{{config.repository_owner}}/{{config.repository_name}}'
-              target='_blank'
-              rel='noopener noreferrer'
-            >{{config.repository_owner}}/{{config.repository_name}}</a>
-            <span class='owner-id'>
-              · Owner ID:
-              {{config.repository_owner_id}}
-              <Tooltip>
-                This is the owner ID for
-                <strong>{{config.repository_owner}}</strong>
-                from when this configuration was created. If
-                <strong>{{config.repository_owner}}</strong>
-                was recreated on GitHub, this configuration will need to be recreated as well.
-              </Tooltip>
-            </span><br />
-            <strong>Workflow:</strong>
-            <a
-              href='https://github.com/{{config.repository_owner}}/{{config.repository_name}}/blob/HEAD/.github/workflows/{{config.workflow_filename}}'
-              target='_blank'
-              rel='noopener noreferrer'
-            >{{config.workflow_filename}}</a><br />
-            {{#if config.environment}}
-              <strong>Environment:</strong>
-              {{config.environment}}
-            {{/if}}
-          </td>
-          <td class='actions'>
-            <button
-              type='button'
-              class='button button--small'
-              data-test-remove-config-button
-              {{on 'click' (perform @controller.removeConfigTask config)}}
-            >Remove</button>
-          </td>
+  <div class='trustpub'>
+    <table data-test-trusted-publishing>
+      <thead>
+        <tr>
+          <th>Publisher</th>
+          <th>Details</th>
+          <th><span class='sr-only'>Actions</span></th>
         </tr>
-      {{/each}}
-      {{#each @controller.gitlabConfigs as |config|}}
-        <tr data-test-gitlab-config={{config.id}}>
-          <td>GitLab</td>
-          <td class='details'>
-            <strong>Repository:</strong>
-            <a
-              href='https://gitlab.com/{{config.namespace}}/{{config.project}}'
-              target='_blank'
-              rel='noopener noreferrer'
-            >{{config.namespace}}/{{config.project}}</a>
-            <span class='owner-id'>
-              · Namespace ID:
-              {{#if config.namespace_id}}
-                {{config.namespace_id}}
+      </thead>
+      <tbody>
+        {{#each @controller.githubConfigs as |config|}}
+          <tr data-test-github-config={{config.id}}>
+            <td>GitHub</td>
+            <td class='details'>
+              <strong>Repository:</strong>
+              <a
+                href='https://github.com/{{config.repository_owner}}/{{config.repository_name}}'
+                target='_blank'
+                rel='noopener noreferrer'
+              >{{config.repository_owner}}/{{config.repository_name}}</a>
+              <span class='owner-id'>
+                · Owner ID:
+                {{config.repository_owner_id}}
                 <Tooltip>
-                  This is the namespace ID for
-                  <strong>{{config.namespace}}</strong>
-                  from the first publish using this configuration. If
-                  <strong>{{config.namespace}}</strong>
-                  was recreated on GitLab, this configuration will need to be recreated as well.
-                </Tooltip>
-              {{else}}
-                (not yet set)
-                <Tooltip>
-                  The namespace ID will be captured from the first publish using this configuration.
+                  This is the owner ID for
+                  <strong>{{config.repository_owner}}</strong>
+                  from when this configuration was created. If
+                  <strong>{{config.repository_owner}}</strong>
+                  was recreated on GitHub, this configuration will need to be recreated as well.
                 </Tooltip>
+              </span><br />
+              <strong>Workflow:</strong>
+              <a
+                href='https://github.com/{{config.repository_owner}}/{{config.repository_name}}/blob/HEAD/.github/workflows/{{config.workflow_filename}}'
+                target='_blank'
+                rel='noopener noreferrer'
+              >{{config.workflow_filename}}</a><br />
+              {{#if config.environment}}
+                <strong>Environment:</strong>
+                {{config.environment}}
               {{/if}}
-            </span><br />
-            <strong>Workflow:</strong>
-            <a
-              href='https://gitlab.com/{{config.namespace}}/{{config.project}}/-/blob/HEAD/{{config.workflow_filepath}}'
-              target='_blank'
-              rel='noopener noreferrer'
-            >{{config.workflow_filepath}}</a><br />
-            {{#if config.environment}}
-              <strong>Environment:</strong>
-              {{config.environment}}
-            {{/if}}
-          </td>
-          <td class='actions'>
-            <button
-              type='button'
-              class='button button--small'
-              data-test-remove-config-button
-              {{on 'click' (perform @controller.removeConfigTask config)}}
-            >Remove</button>
-          </td>
-        </tr>
-      {{/each}}
-      {{#unless (or @controller.githubConfigs.length @controller.gitlabConfigs.length)}}
-        <tr data-test-no-config>
-          <td colspan='3'>No trusted publishers configured for this crate.</td>
-        </tr>
-      {{/unless}}
-    </tbody>
-  </table>
+            </td>
+            <td class='actions'>
+              <button
+                type='button'
+                class='button button--small'
+                data-test-remove-config-button
+                {{on 'click' (perform @controller.removeConfigTask config)}}
+              >Remove</button>
+            </td>
+          </tr>
+        {{/each}}
+        {{#each @controller.gitlabConfigs as |config|}}
+          <tr data-test-gitlab-config={{config.id}}>
+            <td>GitLab</td>
+            <td class='details'>
+              <strong>Repository:</strong>
+              <a
+                href='https://gitlab.com/{{config.namespace}}/{{config.project}}'
+                target='_blank'
+                rel='noopener noreferrer'
+              >{{config.namespace}}/{{config.project}}</a>
+              <span class='owner-id'>
+                · Namespace ID:
+                {{#if config.namespace_id}}
+                  {{config.namespace_id}}
+                  <Tooltip>
+                    This is the namespace ID for
+                    <strong>{{config.namespace}}</strong>
+                    from the first publish using this configuration. If
+                    <strong>{{config.namespace}}</strong>
+                    was recreated on GitLab, this configuration will need to be recreated as well.
+                  </Tooltip>
+                {{else}}
+                  (not yet set)
+                  <Tooltip>
+                    The namespace ID will be captured from the first publish using this configuration.
+                  </Tooltip>
+                {{/if}}
+              </span><br />
+              <strong>Workflow:</strong>
+              <a
+                href='https://gitlab.com/{{config.namespace}}/{{config.project}}/-/blob/HEAD/{{config.workflow_filepath}}'
+                target='_blank'
+                rel='noopener noreferrer'
+              >{{config.workflow_filepath}}</a><br />
+              {{#if config.environment}}
+                <strong>Environment:</strong>
+                {{config.environment}}
+              {{/if}}
+            </td>
+            <td class='actions'>
+              <button
+                type='button'
+                class='button button--small'
+                data-test-remove-config-button
+                {{on 'click' (perform @controller.removeConfigTask config)}}
+              >Remove</button>
+            </td>
+          </tr>
+        {{/each}}
+        {{#unless (or @controller.githubConfigs.length @controller.gitlabConfigs.length)}}
+          <tr class='no-trustpub-config' data-test-no-config>
+            <td colspan='3'>No trusted publishers configured for this crate.</td>
+          </tr>
+        {{/unless}}
+      </tbody>
+    </table>
+
+    <TrustpubOnlyCheckbox @crate={{@controller.crate}} class='trustpub-only-checkbox' />
+  </div>
 
   <h2 class='header'>Danger Zone</h2>
 
diff --git a/tests/routes/crate/settings-test.js b/tests/routes/crate/settings-test.js
index 858c71ebdc0..4c66587d626 100644
--- a/tests/routes/crate/settings-test.js
+++ b/tests/routes/crate/settings-test.js
@@ -1,6 +1,8 @@
-import { click, currentURL } from '@ember/test-helpers';
+import { click, currentURL, waitFor } from '@ember/test-helpers';
 import { module, test } from 'qunit';
 
+import { defer } from 'rsvp';
+
 import percySnapshot from '@percy/ember';
 import { http, HttpResponse } from 'msw';
 
@@ -274,4 +276,63 @@ module('Route | crate.settings', hooks => {
       });
     });
   });
+
+  module('trustpub_only checkbox', function () {
+    test('enabling trustpub_only', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.authenticateAs(user);
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isNotChecked();
+      assert.false(this.db.crate.findFirst({ where: { name: { equals: crate.name } } }).trustpubOnly);
+
+      await click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isChecked();
+      assert.true(this.db.crate.findFirst({ where: { name: { equals: crate.name } } }).trustpubOnly);
+    });
+
+    test('disabling trustpub_only', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+      this.authenticateAs(user);
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isChecked();
+      assert.true(this.db.crate.findFirst({ where: { name: { equals: crate.name } } }).trustpubOnly);
+
+      await click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isNotChecked();
+      assert.false(this.db.crate.findFirst({ where: { name: { equals: crate.name } } }).trustpubOnly);
+    });
+
+    test('loading and error state', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.authenticateAs(user);
+
+      let deferred = defer();
+      this.worker.use(http.patch('/api/v1/crates/:name', () => deferred.promise));
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').exists();
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-spinner]').doesNotExist();
+
+      let clickPromise = click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+      await waitFor('[data-test-trustpub-only-checkbox] [data-test-spinner]');
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-spinner]').exists();
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').doesNotExist();
+
+      deferred.resolve(HttpResponse.json({ errors: [{ detail: 'Server error' }] }, { status: 500 }));
+      await clickPromise;
+
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').exists();
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-spinner]').doesNotExist();
+      assert.dom('[data-test-notification-message]').hasText('Server error');
+    });
+  });
 });

From b6075e9027b671f86ffb641ad56e0726a4ef7426 Mon Sep 17 00:00:00 2001
From: Tobias Bieniek <tobias@bieniek.cloud>
Date: Tue, 25 Nov 2025 14:57:53 +0100
Subject: [PATCH 4/6] crate/settings: Implement visibility logic for
 `trustpub_only` checkbox

The checkbox is now only visible when:
- There are GitHub or GitLab trustpub configs, OR
- The `trustpub_only` flag is currently enabled

When the user disables the checkbox with no configs present, the checkbox
stays visible for the duration of that page visit. On the next visit, it
will be hidden.
---
 app/controllers/crate/settings/index.js | 12 +++
 app/routes/crate/settings/index.js      |  4 +
 app/templates/crate/settings/index.gjs  |  4 +-
 tests/routes/crate/settings-test.js     | 98 +++++++++++++++++++++++++
 4 files changed, 117 insertions(+), 1 deletion(-)

diff --git a/app/controllers/crate/settings/index.js b/app/controllers/crate/settings/index.js
index 6d30528bdd4..1b44a10ab2e 100644
--- a/app/controllers/crate/settings/index.js
+++ b/app/controllers/crate/settings/index.js
@@ -13,6 +13,18 @@ export default class CrateSettingsController extends Controller {
   username = '';
   @tracked addOwnerVisible = false;
 
+  /**
+   * Tracks whether the trustpub_only checkbox was visible when the page loaded.
+   * This prevents the checkbox from disappearing immediately when unchecked
+   * if there are no configs - it will only disappear on the next page visit.
+   */
+  trustpubOnlyCheckboxWasVisible = false;
+
+  get showTrustpubOnlyCheckbox() {
+    let hasConfigs = this.githubConfigs?.length > 0 || this.gitlabConfigs?.length > 0;
+    return hasConfigs || this.crate?.trustpub_only || this.trustpubOnlyCheckboxWasVisible;
+  }
+
   @action showAddOwnerForm() {
     this.addOwnerVisible = true;
     this.username = '';
diff --git a/app/routes/crate/settings/index.js b/app/routes/crate/settings/index.js
index 5e2ca1bc792..8e26adc8a40 100644
--- a/app/routes/crate/settings/index.js
+++ b/app/routes/crate/settings/index.js
@@ -19,5 +19,9 @@ export default class SettingsIndexRoute extends Route {
     controller.set('crate', crate);
     controller.set('githubConfigs', githubConfigs);
     controller.set('gitlabConfigs', gitlabConfigs);
+
+    // Capture whether the trustpub_only checkbox should be visible on initial load
+    let hasConfigs = githubConfigs?.length > 0 || gitlabConfigs?.length > 0;
+    controller.set('trustpubOnlyCheckboxWasVisible', hasConfigs || crate.trustpub_only);
   }
 }
diff --git a/app/templates/crate/settings/index.gjs b/app/templates/crate/settings/index.gjs
index 0338118e319..b9c69f2b5a3 100644
--- a/app/templates/crate/settings/index.gjs
+++ b/app/templates/crate/settings/index.gjs
@@ -226,7 +226,9 @@ import UserAvatar from 'crates-io/components/user-avatar';
       </tbody>
     </table>
 
-    <TrustpubOnlyCheckbox @crate={{@controller.crate}} class='trustpub-only-checkbox' />
+    {{#if @controller.showTrustpubOnlyCheckbox}}
+      <TrustpubOnlyCheckbox @crate={{@controller.crate}} class='trustpub-only-checkbox' />
+    {{/if}}
   </div>
 
   <h2 class='header'>Danger Zone</h2>
diff --git a/tests/routes/crate/settings-test.js b/tests/routes/crate/settings-test.js
index 4c66587d626..d46757fe550 100644
--- a/tests/routes/crate/settings-test.js
+++ b/tests/routes/crate/settings-test.js
@@ -278,10 +278,94 @@ module('Route | crate.settings', hooks => {
   });
 
   module('trustpub_only checkbox', function () {
+    test('hidden when no configs and flag is false', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.authenticateAs(user);
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-checkbox]').doesNotExist();
+    });
+
+    test('visible when GitHub configs exist', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.authenticateAs(user);
+
+      this.db.trustpubGithubConfig.create({
+        crate,
+        repository_owner: 'rust-lang',
+        repository_name: 'crates.io',
+        workflow_filename: 'ci.yml',
+      });
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-checkbox]').exists();
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isNotChecked();
+    });
+
+    test('visible when GitLab configs exist', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.authenticateAs(user);
+
+      this.db.trustpubGitlabConfig.create({
+        crate,
+        namespace: 'rust-lang',
+        project: 'crates.io',
+        workflow_filepath: '.gitlab-ci.yml',
+      });
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-checkbox]').exists();
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isNotChecked();
+    });
+
+    test('visible when flag is true but no configs', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+      this.authenticateAs(user);
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-checkbox]').exists();
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isChecked();
+    });
+
+    test('stays visible after disabling when no configs exist', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+      this.authenticateAs(user);
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-checkbox]').exists();
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isChecked();
+
+      await click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+      // Checkbox stays visible after disabling (within same page visit)
+      assert.dom('[data-test-trustpub-only-checkbox]').exists();
+      assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isNotChecked();
+
+      // After navigating away and back, checkbox should be hidden
+      await visit(`/crates/${crate.name}`);
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-checkbox]').doesNotExist();
+    });
+
     test('enabling trustpub_only', async function (assert) {
       const { crate, user } = prepare(this);
       this.authenticateAs(user);
 
+      this.db.trustpubGithubConfig.create({
+        crate,
+        repository_owner: 'rust-lang',
+        repository_name: 'crates.io',
+        workflow_filename: 'ci.yml',
+      });
+
       await visit(`/crates/${crate.name}/settings`);
 
       assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isNotChecked();
@@ -298,6 +382,13 @@ module('Route | crate.settings', hooks => {
       this.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
       this.authenticateAs(user);
 
+      this.db.trustpubGithubConfig.create({
+        crate,
+        repository_owner: 'rust-lang',
+        repository_name: 'crates.io',
+        workflow_filename: 'ci.yml',
+      });
+
       await visit(`/crates/${crate.name}/settings`);
 
       assert.dom('[data-test-trustpub-only-checkbox] [data-test-checkbox]').isChecked();
@@ -313,6 +404,13 @@ module('Route | crate.settings', hooks => {
       const { crate, user } = prepare(this);
       this.authenticateAs(user);
 
+      this.db.trustpubGithubConfig.create({
+        crate,
+        repository_owner: 'rust-lang',
+        repository_name: 'crates.io',
+        workflow_filename: 'ci.yml',
+      });
+
       let deferred = defer();
       this.worker.use(http.patch('/api/v1/crates/:name', () => deferred.promise));
 

From cb560e86f01c606c99e4d83e215dc85ce03a9d39 Mon Sep 17 00:00:00 2001
From: Tobias Bieniek <tobias@bieniek.cloud>
Date: Tue, 25 Nov 2025 15:13:52 +0100
Subject: [PATCH 5/6] crate/settings: Add warning banner when `trustpub_only`
 blocks publishing

Shows a warning alert above the trusted publishing section when
`trustpub_only` is enabled but no trusted publisher configs exist.
The warning text: "Trusted publishing is required but no publishers
are configured. Publishing to this crate is currently blocked."
---
 app/controllers/crate/settings/index.js | 11 +++-
 app/templates/crate/settings/index.css  |  4 ++
 app/templates/crate/settings/index.gjs  |  7 +++
 tests/routes/crate/settings-test.js     | 80 +++++++++++++++++++++++++
 4 files changed, 100 insertions(+), 2 deletions(-)

diff --git a/app/controllers/crate/settings/index.js b/app/controllers/crate/settings/index.js
index 1b44a10ab2e..5c4d10e17f9 100644
--- a/app/controllers/crate/settings/index.js
+++ b/app/controllers/crate/settings/index.js
@@ -20,9 +20,16 @@ export default class CrateSettingsController extends Controller {
    */
   trustpubOnlyCheckboxWasVisible = false;
 
+  get #hasConfigs() {
+    return this.githubConfigs?.length > 0 || this.gitlabConfigs?.length > 0;
+  }
+
   get showTrustpubOnlyCheckbox() {
-    let hasConfigs = this.githubConfigs?.length > 0 || this.gitlabConfigs?.length > 0;
-    return hasConfigs || this.crate?.trustpub_only || this.trustpubOnlyCheckboxWasVisible;
+    return this.#hasConfigs || this.crate?.trustpub_only || this.trustpubOnlyCheckboxWasVisible;
+  }
+
+  get showTrustpubOnlyWarning() {
+    return this.crate?.trustpub_only && !this.#hasConfigs;
   }
 
   @action showAddOwnerForm() {
diff --git a/app/templates/crate/settings/index.css b/app/templates/crate/settings/index.css
index f96db2e2d8c..779b83a9b37 100644
--- a/app/templates/crate/settings/index.css
+++ b/app/templates/crate/settings/index.css
@@ -114,6 +114,10 @@
     }
 }
 
+.trustpub-only-warning {
+    margin-bottom: var(--space-s);
+}
+
 .trustpub-only-checkbox {
     border-top: 1px solid light-dark(hsla(51, 90%, 42%, 0.25), #232321);
 }
diff --git a/app/templates/crate/settings/index.gjs b/app/templates/crate/settings/index.gjs
index b9c69f2b5a3..ef8c2e8166c 100644
--- a/app/templates/crate/settings/index.gjs
+++ b/app/templates/crate/settings/index.gjs
@@ -8,6 +8,7 @@ import pageTitle from 'ember-page-title/helpers/page-title';
 import not from 'ember-truth-helpers/helpers/not';
 import or from 'ember-truth-helpers/helpers/or';
 
+import Alert from 'crates-io/components/alert';
 import CrateHeader from 'crates-io/components/crate-header';
 import Tooltip from 'crates-io/components/tooltip';
 import TrustpubOnlyCheckbox from 'crates-io/components/trustpub-only-checkbox';
@@ -117,6 +118,12 @@ import UserAvatar from 'crates-io/components/user-avatar';
     </div>
   </div>
 
+  {{#if @controller.showTrustpubOnlyWarning}}
+    <Alert @variant='warning' class='trustpub-only-warning' data-test-trustpub-only-warning>
+      Trusted publishing is required but no publishers are configured. Publishing to this crate is currently blocked.
+    </Alert>
+  {{/if}}
+
   <div class='trustpub'>
     <table data-test-trusted-publishing>
       <thead>
diff --git a/tests/routes/crate/settings-test.js b/tests/routes/crate/settings-test.js
index d46757fe550..1f50dd70ea8 100644
--- a/tests/routes/crate/settings-test.js
+++ b/tests/routes/crate/settings-test.js
@@ -277,6 +277,86 @@ module('Route | crate.settings', hooks => {
     });
   });
 
+  module('trustpub_only warning banner', function () {
+    test('hidden when flag is false', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.authenticateAs(user);
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-warning]').doesNotExist();
+    });
+
+    test('hidden when flag is true and configs exist', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+      this.authenticateAs(user);
+
+      this.db.trustpubGithubConfig.create({
+        crate,
+        repository_owner: 'rust-lang',
+        repository_name: 'crates.io',
+        workflow_filename: 'ci.yml',
+      });
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-warning]').doesNotExist();
+    });
+
+    test('shown when flag is true but no configs exist', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+      this.authenticateAs(user);
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-warning]').exists();
+      assert
+        .dom('[data-test-trustpub-only-warning]')
+        .hasText(
+          'Trusted publishing is required but no publishers are configured. Publishing to this crate is currently blocked.',
+        );
+    });
+
+    test('disappears when checkbox is unchecked', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+      this.authenticateAs(user);
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-warning]').exists();
+
+      await click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+      assert.dom('[data-test-trustpub-only-warning]').doesNotExist();
+    });
+
+    test('appears when checkbox is checked with no configs', async function (assert) {
+      const { crate, user } = prepare(this);
+      this.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+      this.authenticateAs(user);
+
+      this.db.trustpubGithubConfig.create({
+        crate,
+        repository_owner: 'rust-lang',
+        repository_name: 'crates.io',
+        workflow_filename: 'ci.yml',
+      });
+
+      await visit(`/crates/${crate.name}/settings`);
+
+      assert.dom('[data-test-trustpub-only-warning]').doesNotExist();
+
+      // Remove the config
+      await click('[data-test-github-config="1"] [data-test-remove-config-button]');
+
+      // Warning should now appear
+      assert.dom('[data-test-trustpub-only-warning]').exists();
+    });
+  });
+
   module('trustpub_only checkbox', function () {
     test('hidden when no configs and flag is false', async function (assert) {
       const { crate, user } = prepare(this);

From 001f165bd7b0680c4e295c6281281ba3cd54ce44 Mon Sep 17 00:00:00 2001
From: Tobias Bieniek <tobias@bieniek.cloud>
Date: Wed, 26 Nov 2025 11:38:22 +0100
Subject: [PATCH 6/6] e2e: Add Playwright tests for `trustpub_only` checkbox
 and warning banner

Port the QUnit tests to Playwright for the trustpub_only feature:
- Warning banner visibility tests (5 tests)
- Checkbox visibility and interaction tests (8 tests)
---
 e2e/routes/crate/settings.spec.ts | 225 +++++++++++++++++++++++++++++-
 1 file changed, 224 insertions(+), 1 deletion(-)

diff --git a/e2e/routes/crate/settings.spec.ts b/e2e/routes/crate/settings.spec.ts
index 45621852985..2726941aeaa 100644
--- a/e2e/routes/crate/settings.spec.ts
+++ b/e2e/routes/crate/settings.spec.ts
@@ -1,5 +1,5 @@
 import { expect, test } from '@/e2e/helper';
-import { click } from '@ember/test-helpers';
+import { defer } from '@/e2e/deferred';
 import { http, HttpResponse } from 'msw';
 
 test.describe('Route | crate.settings', { tag: '@routes' }, () => {
@@ -277,5 +277,228 @@ test.describe('Route | crate.settings', { tag: '@routes' }, () => {
         );
       });
     });
+
+    test.describe('trustpub_only warning banner', () => {
+      test('hidden when flag is false', async ({ msw, page }) => {
+        await prepare(msw);
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-warning]')).not.toBeVisible();
+      });
+
+      test('hidden when flag is true and configs exist', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+        msw.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+
+        msw.db.trustpubGithubConfig.create({
+          crate,
+          repository_owner: 'rust-lang',
+          repository_name: 'crates.io',
+          workflow_filename: 'ci.yml',
+        });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-warning]')).not.toBeVisible();
+      });
+
+      test('shown when flag is true but no configs exist', async ({ msw, page, percy }) => {
+        const { crate } = await prepare(msw);
+        msw.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-warning]')).toBeVisible();
+        await expect(page.locator('[data-test-trustpub-only-warning]')).toHaveText(
+          'Trusted publishing is required but no publishers are configured. Publishing to this crate is currently blocked.',
+        );
+
+        await percy.snapshot();
+      });
+
+      test('disappears when checkbox is unchecked', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+        msw.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-warning]')).toBeVisible();
+
+        await page.click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+        await expect(page.locator('[data-test-trustpub-only-warning]')).not.toBeVisible();
+      });
+
+      test('appears when last config is removed', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+        msw.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+
+        msw.db.trustpubGithubConfig.create({
+          crate,
+          repository_owner: 'rust-lang',
+          repository_name: 'crates.io',
+          workflow_filename: 'ci.yml',
+        });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-warning]')).not.toBeVisible();
+
+        await page.click('[data-test-github-config="1"] [data-test-remove-config-button]');
+
+        await expect(page.locator('[data-test-trustpub-only-warning]')).toBeVisible();
+      });
+    });
+
+    test.describe('trustpub_only checkbox', () => {
+      test('hidden when no configs and flag is false', async ({ msw, page }) => {
+        await prepare(msw);
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox]')).not.toBeVisible();
+      });
+
+      test('visible when GitHub configs exist', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+
+        msw.db.trustpubGithubConfig.create({
+          crate,
+          repository_owner: 'rust-lang',
+          repository_name: 'crates.io',
+          workflow_filename: 'ci.yml',
+        });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox]')).toBeVisible();
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).not.toBeChecked();
+      });
+
+      test('visible when GitLab configs exist', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+
+        msw.db.trustpubGitlabConfig.create({
+          crate,
+          namespace: 'rust-lang',
+          project: 'crates.io',
+          workflow_filepath: '.gitlab-ci.yml',
+        });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox]')).toBeVisible();
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).not.toBeChecked();
+      });
+
+      test('visible when flag is true but no configs', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+        msw.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox]')).toBeVisible();
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).toBeChecked();
+      });
+
+      test('stays visible after disabling when no configs exist', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+        msw.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox]')).toBeVisible();
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).toBeChecked();
+
+        await page.click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+        // Checkbox stays visible after disabling (within same page visit)
+        await expect(page.locator('[data-test-trustpub-only-checkbox]')).toBeVisible();
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).not.toBeChecked();
+
+        // After navigating away and back, checkbox should be hidden
+        await page.goto('/crates/foo');
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox]')).not.toBeVisible();
+      });
+
+      test('enabling trustpub_only', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+
+        msw.db.trustpubGithubConfig.create({
+          crate,
+          repository_owner: 'rust-lang',
+          repository_name: 'crates.io',
+          workflow_filename: 'ci.yml',
+        });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).not.toBeChecked();
+        expect(msw.db.crate.findFirst({ where: { name: { equals: crate.name } } })?.trustpubOnly).toBe(false);
+
+        await page.click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).toBeChecked();
+        expect(msw.db.crate.findFirst({ where: { name: { equals: crate.name } } })?.trustpubOnly).toBe(true);
+      });
+
+      test('disabling trustpub_only', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+        msw.db.crate.update({ where: { id: { equals: crate.id } }, data: { trustpubOnly: true } });
+
+        msw.db.trustpubGithubConfig.create({
+          crate,
+          repository_owner: 'rust-lang',
+          repository_name: 'crates.io',
+          workflow_filename: 'ci.yml',
+        });
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).toBeChecked();
+        expect(msw.db.crate.findFirst({ where: { name: { equals: crate.name } } })?.trustpubOnly).toBe(true);
+
+        await page.click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).not.toBeChecked();
+        expect(msw.db.crate.findFirst({ where: { name: { equals: crate.name } } })?.trustpubOnly).toBe(false);
+      });
+
+      test('loading and error state', async ({ msw, page }) => {
+        const { crate } = await prepare(msw);
+
+        msw.db.trustpubGithubConfig.create({
+          crate,
+          repository_owner: 'rust-lang',
+          repository_name: 'crates.io',
+          workflow_filename: 'ci.yml',
+        });
+
+        let deferred = defer();
+        msw.worker.use(http.patch('/api/v1/crates/:name', () => deferred.promise));
+
+        await page.goto('/crates/foo/settings');
+
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).toBeVisible();
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-spinner]')).not.toBeVisible();
+
+        await page.click('[data-test-trustpub-only-checkbox] [data-test-checkbox]');
+
+        // Check loading state
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-spinner]')).toBeVisible();
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).not.toBeVisible();
+
+        // Resolve with error
+        deferred.resolve(HttpResponse.json({ errors: [{ detail: 'Server error' }] }, { status: 500 }));
+
+        // Check that spinner is gone and checkbox is back
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-checkbox]')).toBeVisible();
+        await expect(page.locator('[data-test-trustpub-only-checkbox] [data-test-spinner]')).not.toBeVisible();
+        await expect(page.locator('[data-test-notification-message]')).toHaveText('Server error');
+      });
+    });
   });
 });