@jcoglan AFAIK it does exactly mean that if your CI is compromised so is the package. The configuration bit looks something like this on crates.io. You add a GitHub Actions workflow that handles obtaining the OIDC token and publishing, then you specify its name here to tell crates.io that you're trusting GitHub Actions to publish on your behalf. A crate published this way gets that fancy "via GitHub" badge you can see on v3.3.0: https://crates.io/crates/healthchecks/versions
