release: Use trusted publishing for RubyGems releases #282
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f56390fa9e
| # `RUBYGEMS_HOST` is only required for private gem repositories, not https://rubygems.org | ||
| RUBYGEMS_HOST: ${{ secrets.OPENAI_RUBYGEMS_HOST || secrets.RUBYGEMS_HOST }} | ||
| GEM_HOST_API_KEY: ${{ secrets.OPENAI_GEM_HOST_API_KEY || secrets.GEM_HOST_API_KEY }} | ||
| uses: rubygems/release-gem@6317d8d1f7e28c24d28f6eff169ea854948bd9f7 # v1.2.0 |
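Review bot: the `uses:` line pins `rubygems/release-gem` to a full commit SHA with a `# v1.2.0` comment, which is the right practice, but the hunk does not show the job's `permissions:` block; OIDC trusted publishing needs `id-token: write` on the job that runs this step, so confirm it is set. Also confirm that the `RUBYGEMS_HOST` / `GEM_HOST_API_KEY` env lines shown here are not still wired in elsewhere, since a trusted-publishing flow should not carry a long-lived `GEM_HOST_API_KEY` secret at all.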
Preserve a retry path for failed gem publishes
With `.github/workflows/publish-gem.yml` deleted, this guarded publish step is now the only way to push the gem. If RubyGems publishing fails after `trigger-release-please` has already created the GitHub release/tag, rerunning or manually dispatching this workflow will run release-please again and `releases_created` will be false, so the gem publish step is skipped and maintainers no longer have a workflow path to retry the missing RubyGems release. Consider adding a trusted-publishing manual retry path or a `workflow_dispatch` override for this step.
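One way to give the guarded publish step a manual retry path while keeping trusted publishing, as an added example that is not the PR's own workflow: the job and step names, the `force_publish` input, and the release-please step wiring are assumptions; only the `rubygems/release-gem` action and its pinned SHA come from the PR. The publish step runs either when release-please reports a new release or when a maintainer explicitly dispatches a retry, and it carries no `RUBYGEMS_HOST` / `GEM_HOST_API_KEY` secrets because OIDC trusted publishing mints a short-lived token instead.

```yaml
# Added example, not the PR's actual create-releases.yml.
# Assumptions: job/step names, the `force_publish` input, and the
# release-please step (shown as a placeholder). The action SHA is the one
# the PR pins.
name: create-releases

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      force_publish:
        description: "Publish the gem even if release-please created no release (retry path)"
        type: boolean
        default: false

permissions:
  contents: write        # release-please creates tags and GitHub releases
  pull-requests: write   # release-please maintains the release PR
  id-token: write        # required for OIDC trusted publishing; no long-lived API key

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Placeholder (assumption): whatever step runs release-please in this
      # repo and exposes a `releases_created` output.
      - id: release
        uses: ./.github/actions/trigger-release-please

      - uses: ruby/setup-ruby@v1
        if: steps.release.outputs.releases_created == 'true' || inputs.force_publish == true
        with:
          bundler-cache: true

      # Guarded publish: runs on a fresh release, or on an explicit manual
      # retry after a failed publish. Trusted publishing means no
      # GEM_HOST_API_KEY secret is passed here.
      - uses: rubygems/release-gem@6317d8d1f7e28c24d28f6eff169ea854948bd9f7 # v1.2.0
        if: steps.release.outputs.releases_created == 'true' || inputs.force_publish == true
```

On a `push` event the `inputs` context is empty, so `inputs.force_publish == true` is false and the guard behaves exactly as before; only a manual `workflow_dispatch` with the box ticked can force a publish, which keeps the retry path under maintainer control rather than re-running release-please and hoping `releases_created` flips back to true.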
f56390f to 0fd117b
apcha-oai left a comment:
LGTM, pointed to next so we can try this for the next minor release.
* Use trusted publishing for RubyGems releases (#282)
* release: 0.66.1
---------
Co-authored-by: Justin Beckwith <jbeckwith@openai.com>
Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>
Summary
- `rubygems/release-gem` action using GitHub OIDC trusted publishing
- `pkg/` so the RubyGems action can wait for the published artifact

Validation
- `ruby -e 'require "yaml"; YAML.load_file(".github/workflows/create-releases.yml"); puts "workflow yaml ok"'`
- `ruby -c Rakefile`
- `bundle _2.4.1_ exec rake build:gem`

Notes
- `rubygems/release-gem` is pinned to the SHA for the latest release v1.2.0 (6317d8d1f7e28c24d28f6eff169ea854948bd9f7).
- The direct branch push bypassed the repository workflow-file rule after the repository settings were updated.