From 78fab4851a52c19bcd174b246309410ef16a32ea Mon Sep 17 00:00:00 2001 From: Samuel Giddins Date: Tue, 19 Nov 2024 13:53:03 -0800 Subject: [PATCH 1/3] Add support for releasing on release published Signed-off-by: Samuel Giddins --- lib/configure_trusted_publisher/cli.rb | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/lib/configure_trusted_publisher/cli.rb b/lib/configure_trusted_publisher/cli.rb index f3e7e44..24ea271 100644 --- a/lib/configure_trusted_publisher/cli.rb +++ b/lib/configure_trusted_publisher/cli.rb @@ -294,10 +294,12 @@ def gemspec def write_release_action(repository, rubygem_name, environment: nil) tag = "Automatically when a new tag matching v* is pushed" manual = "Manually by running a GitHub Action" + release = "Automatically when a new GitHub release is published" puts response = ask_multiple_choice( "How would you like releases for #{rubygem_name} to be triggered?", [ tag, + release, manual ], default: "2" @@ -312,7 +314,12 @@ def write_release_action(repository, rubygem_name, environment: nil) "name: Push Gem", nil, "on:", - " #{response == tag ? "push:\n tags:\n - 'v*'" : 'workflow_dispatch:'}", + (case response + when tag then " push:\n tags:\n - 'v*'" + when release then " release:\n types:\n - published" + when manual then " workflow_dispatch:" + else raise "Unknown response: #{response.inspect}" + end), nil, "permissions:", " contents: read", 
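Review bot: Inserting `release` between `tag` and `manual` in the choices array silently changes what the unchanged `default: "2"` selects: if ask_multiple_choice numbers choices from 1 (which the existing default implies), the default moves from the manual workflow_dispatch trigger to the new release trigger, so a user who just presses Enter now gets a workflow that publishes whenever a GitHub release is published. If the manual trigger should remain the default, change the default to `default: "3"` or append `release` after `manual` so the existing numbering is preserved; if the new default is intended, say so in the commit message. write_release_action continues past the end of this hunk.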
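Review bot: The parenthesised multi-line `case` wedged into the array literal after `"on:",` hides the structure of the generated workflow and will grow again with each new trigger; moving it into a small private helper keeps the array declarative and gives the `else` branch a proper home. The helper is sketched below; the `when` bodies are the same three strings this hunk adds. In the fallback branch prefer `raise ArgumentError, "Unknown response: #{response.inspect}"` over a bare `raise "..."`, since an unrecognised response is a programming error and a named class is easier to rescue or assert on in tests. write_release_action starts before this hunk and continues after it.
```ruby
        "on:",
        trigger_block(response, tag: tag, release: release, manual: manual),
        nil,
        # … unchanged: rest of the workflow array …

    # Return the indented YAML `on:` body for the trigger the user chose;
    # `response` is one of the prompt strings passed in as keywords.
    def trigger_block(response, tag:, release:, manual:)
      case response
      when tag then " push:\n tags:\n - 'v*'"
      when release then " release:\n types:\n - published"
      when manual then " workflow_dispatch:"
      else raise ArgumentError, "Unknown response: #{response.inspect}"
      end
    end
```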
@@ -331,13 +338,13 @@ def write_release_action(repository, rubygem_name, environment: nil)
 " steps:",
 " # Set up",
 " - name: Harden Runner",
- " uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1",
+ " uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2",
 " with:",
 " egress-policy: audit",
 nil,
- " - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4",
+ " - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2",
 " - name: Set up Ruby",
- " uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0",
+ " uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.176.0",
 " with:",
 " bundler-cache: true",
 " ruby-version: ruby",
From a25d11808f36d90f12f197e28210c8537e31f3f6 Mon Sep 17 00:00:00 2001
From: Samuel Giddins
Date: Tue, 19 Nov 2024 13:53:40 -0800
Subject: [PATCH 2/3] Bump configure_trusted_publisher to 0.2.0
---
 Gemfile.lock | 2 +-
 lib/configure_trusted_publisher/version.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 5ae128d..4457eec 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
- configure_trusted_publisher (0.1.10)
+ configure_trusted_publisher (0.2.0)
 bundler (~> 2.5)
 command_kit (~> 0.5.5)
diff --git a/lib/configure_trusted_publisher/version.rb b/lib/configure_trusted_publisher/version.rb
index 1e26eab..a5b8f0f 100644
--- a/lib/configure_trusted_publisher/version.rb
+++ b/lib/configure_trusted_publisher/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module ConfigureTrustedPublisher
- VERSION = "0.1.10"
+ VERSION = "0.2.0"
 end
From 51b3cf2434b9498309ad7067493cf06c31808d7f Mon Sep 17 00:00:00 2001
From: Samuel Giddins
Date: Tue, 19 Nov 2024 13:57:01 -0800
Subject: [PATCH 3/3] Try publishing with attestations
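Review bot: The ruby/setup-ruby pin in the generated workflow changes from cacc9f1c… to a2bbe5b1… but the trailing comment on the new line still reads `# v1.176.0`, so every workflow this version of the tool writes labels the new SHA with the old version; the `# vX.Y.Z` comment is what reviewers and pin-update tooling use to check that a SHA is the release it claims to be, and a mismatch defeats that check. Patch 3/3 of this series corrects the comment to `# v1.202.0` in this same file; that fix belongs in this commit so no intermediate revision emits a mislabelled pin. The harden-runner and checkout lines carry matching comments and look fine. write_release_action starts before this hunk and continues after it.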
Signed-off-by: Samuel Giddins
---
 .github/workflows/push_gem.yml | 14 +++++++-------
 lib/configure_trusted_publisher/cli.rb | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/push_gem.yml b/.github/workflows/push_gem.yml
index 224f46d..551c07e 100644
--- a/.github/workflows/push_gem.yml
+++ b/.github/workflows/push_gem.yml
@@ -1,9 +1,9 @@
 name: Push Gem
 on:
- push:
- tags:
- - 'v*'
+ release:
+ types:
+ - published
 permissions:
 contents: read
@@ -24,16 +24,16 @@ jobs:
 steps:
 # Set up
 - name: Harden Runner
- uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
 with:
 egress-policy: audit
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Ruby
- uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
+ uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
 with:
 bundler-cache: true
 ruby-version: ruby
 # Release
- - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
+ - uses: rubygems/release-gem@e6d709aa18a7ef2f2d758411014ca0077aeac188
diff --git a/lib/configure_trusted_publisher/cli.rb b/lib/configure_trusted_publisher/cli.rb
index 24ea271..b3216fa 100644
--- a/lib/configure_trusted_publisher/cli.rb
+++ b/lib/configure_trusted_publisher/cli.rb
@@ -344,7 +344,7 @@ def write_release_action(repository, rubygem_name, environment: nil)
 nil,
 " - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2",
 " - name: Set up Ruby",
- " uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.176.0",
+ " uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0",
 " with:",
 " bundler-cache: true",
 " ruby-version: ruby",
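Review bot: The new `rubygems/release-gem@e6d709aa18a7ef2f2d758411014ca0077aeac188` line under `# Release` drops the `# v1` version comment the old pin carried, and the commit title ("Try publishing with attestations") suggests this SHA is an unreleased commit rather than a tagged release, so nobody reading the workflow later can tell which ref was reviewed or when it should be re-pinned. Add a comment stating what the SHA tracks, e.g. `# TODO(pin): unreleased commit for attestation support — re-pin to a tagged release once one is cut`, and because this is the step that publishes the gem, confirm the commit is reachable from a branch of the upstream repository rather than only through a fork or pull-request ref. If attestation signing contacts endpoints the previous action did not, review harden-runner's audit output from the first run before deciding whether `egress-policy: audit` should stay as is.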