Add automated RubyGems/crates.io publishing #694
Open
gjtorikian wants to merge 2 commits into oxidize-rb:main from
Collaborator
Cool with this in theory, i assume i need to input credentials somewhere?
Member
Author
Yeah, the only credential needed is: You actually don't need to set this as a secret, RubyGems says it's fine to expose publicly.
Member
Author
FWIW there are UI settings for both RubyGems and crates.io that you would need to configure (since you're the owner of those published packages); the links above provide more documentation on what to do there.
Member
Author
bumping this!
Member
Author
@ianks another bump. even without setting up OIDC, you can store your rubygems key as a secret in this repo. point is, I think some sort of deploy automation is warranted.
This PR is an attempt to make publishing to RubyGems and crates.io simpler and more secure.
Ultimately, both RubyGems and crates.io support Trusted Publishing. The idea is that rather than one individual using their own auth token to publish updates, the GitHub Actions workflow can request a short-lived token from the provider, and use that to issue updates. This should make it simpler for newly merged PRs to be released across RubyGems, crates.io, and Dockerhub.
In the new release.yml here, I propose:
- prepare, and release.
- prepare: true gem/lib/rb_sys/version.rb, generates a CHANGELOG entry, and opens a PR

Afterwards:

- release: true
- publish_crates job triggers after the new release is made. this pushes rb-sys-build, waits for it to be indexed, then pushes rb-sys, to crates.io using OIDC
- publish_gem publishes the gem using OIDC

There needs to be some configuration on the RubyGems and crates.io UI settings to "recognize" this workflow as the source of truth, but that ought to be it. This brings along an audit trail for releases (via the GitHub Actions logs), credential rotation via OIDC, and supply chain security.
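
What the registry-side step of "recognizing" a workflow amounts to, as an added Python example that is not code from this PR, RubyGems or crates.io: the claims in the GitHub Actions OIDC token are compared against a trusted-publisher record before a short-lived publish token is issued. The repository name, audience value, publisher field names and the unsigned sample token are constructed assumptions; a real registry verifies the token signature before reading any claim.

```python
import base64
import json
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Build a constructed, unsigned compact JWT for this demo only."""
    return _b64url({"alg": "none"}) + "." + _b64url(claims) + "."

def decode_claims(token):
    """Decode the JWT payload for inspection; signature checking is assumed done elsewhere."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding that base64url JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def mismatches(claims, publisher, now=None):
    """Return the claim names that fail to match the publisher record; [] means accept."""
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") != GITHUB_ISSUER:
        failed.append("iss")
    if claims.get("aud") != publisher["audience"]:
        failed.append("aud")
    if claims.get("exp", 0) <= now:
        failed.append("exp")
    if claims.get("repository") != publisher["repository"]:
        failed.append("repository")
    # job_workflow_ref has the form owner/repo/.github/workflows/file.yml@ref
    workflow_path = claims.get("job_workflow_ref", "").split("@", 1)[0]
    if workflow_path != publisher["repository"] + "/.github/workflows/" + publisher["workflow"]:
        failed.append("job_workflow_ref")
    if publisher.get("environment") and claims.get("environment") != publisher["environment"]:
        failed.append("environment")
    return failed

# Constructed sample values: repository and audience are placeholders, not this project's settings.
PUBLISHER = {"repository": "example-org/example-gem", "workflow": "release.yml",
             "audience": "rubygems.org", "environment": None}
SAMPLE_CLAIMS = {"iss": GITHUB_ISSUER, "aud": "rubygems.org", "exp": 2_000_000_000,
                 "repository": "example-org/example-gem",
                 "job_workflow_ref": "example-org/example-gem/.github/workflows/release.yml@refs/heads/main"}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print(mismatches(decode_claims(token), PUBLISHER, now=1_700_000_000))
```

A token minted by any other workflow file or repository fails the `job_workflow_ref` or `repository` check, which is why a leaked token from an unrelated job cannot be used to publish.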