Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🔧🔒 Configure RubyGems Trusted Publishing #265

Merged
merged 1 commit into from
May 4, 2024
Merged

🔧🔒 Configure RubyGems Trusted Publishing #265

merged 1 commit into from
May 4, 2024

Conversation

nevans
Copy link
Collaborator

@nevans nevans commented Feb 4, 2024

@nevans nevans requested a review from hsbt February 4, 2024 20:53
@nevans nevans changed the title usted publishing 🔧🔒 Configure RubyGems Trusted publishing Feb 4, 2024
@nevans
Copy link
Collaborator Author

nevans commented Feb 4, 2024

@hsbt Have any other bundled gems configured trusted publishing yet? I've configured this to run when pushing a specific tag pattern, but perhaps it should be triggered by some other event? I want to be sure it doesn't conflict with any of your existing tools or processes.

@nevans nevans changed the title 🔧🔒 Configure RubyGems Trusted publishing 🔧🔒 Configure RubyGems Trusted Publishing Feb 4, 2024
@hsbt
Copy link
Member

hsbt commented Feb 6, 2024

@nevans Nice work. We didn't use release-gem action under ruby org yet. If you have extra permission for this, let me know it.

I'm +1 to use this automation to other bundled gems 👍

@nevans
Copy link
Collaborator Author

nevans commented Feb 7, 2024

@hsbt Great. I'll test it out on the next release.

@nevans nevans force-pushed the trusted-publishing branch 2 times, most recently from b115db7 to e7f32f6 Compare February 9, 2024 14:57
@nevans
Copy link
Collaborator Author

nevans commented Feb 9, 2024
edited
Loading

@hsbt I added made a couple of minor changes to the workflow:

  • added another job step to also draft a GitHub Release
  • added a RubyGems environment

Looking at other gems that have configured this (and came up in my code search), I saw three basic approaches to triggering:

  • on push to a version tag (what we have here)
  • on creation of a GitHub release
  • on workflow_dispatch (triggered manually or by some other process)

I personally prefer the tag-based approach. When combined with the gh release create --draft, it partially automates the creation of GitHub release. When combined with a GitHub environment, the environment can be configured to require deployment approval (which serves the same function as workflow_dispatch for me).

I made the following other changes, too:

  • configured the "Trusted Publisher" on RubyGems.org
  • configured the "RubyGems" environment on GitHub
  • added a tag protection rule on v*
  • added very basic branch protection on master (which can be dismissed by repository admins)

@nevans
🔧🔒 Configure RubyGem Trusted Publishing
521cd34 
This requires additional configuration on the RubyGems website:
* https://guides.rubygems.org/trusted-publishing/adding-a-publisher/
* https://rubygems.org/gems/net-imap/trusted_publishers

Note that the RubyGems configuration must match both of the following:
* the workflow filename: `release-gem.yml`
* the job's environment: `RubyGems`
@nevans nevans merged commit 110e3c0 into master May 4, 2024
26 checks passed
@nevans nevans deleted the trusted-publishing branch May 4, 2024 19:03
@nevans
Copy link
Collaborator Author

nevans commented May 8, 2024
edited
Loading

@hsbt @shugo @segiddins FYI: v0.4.11 was packaged by this. It all seemed to work correctly.

@hsbt
Copy link
Member

hsbt commented May 8, 2024

Great, thanks!

shugo added a commit to ruby/net-ftp that referenced this pull request Jun 5, 2024
@shugo
Configure RubyGems Trusted Publishing
4d33631 
Based on ruby/net-imap#265
@shugo shugo mentioned this pull request Jun 5, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hsbt hsbt Awaiting requested review from hsbt

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nevans @hsbt