Import trusted publisher jobs from ruby/psych#844
I don't really like publishing gems from GitHub. I find the workflow pretty annoying compared to But if you think this is important, I can do it. However I'd recommend modifying the Gemfile so that if I run
```yaml
run: |
  sudo apt install default-jdk maven
  gem update --system
  gem install ruby-maven rake-compiler --no-document
```
Are we sure we need this? rake-compiler is already in the Gemfile, and I don't remember ever needing to install ruby-maven.
I'm also worried that gem install, over using the Gemfile, may break with some update.
Also please update the release procedure in the readme: https://github.com/ruby/json?tab=readme-ov-file#release
```yaml
- name: Install dependencies
  run: bundle install --jobs 4 --retry 3
```
You can combine this with the name: Set up Ruby step, e.g.

```yaml
- name: Set up Ruby ${{ matrix.ruby }}
  uses: ruby/setup-ruby@v1
  with:
    ruby-version: ${{ matrix.ruby }}
    bundler-cache: true
```
I know that, but JRuby sometimes failed the bundle install and build steps with ruby/setup-ruby.
Yeah, it's very annoying... But I just pushed that change on regular CI and it seems to work?
```yaml
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Ruby
  uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c # v1.237.0
```
You might need to use setup-ruby-pkgs because JRuby needs ragel:

```yaml
- name: Set up Ruby
  uses: ruby/setup-ruby-pkgs@v1
  with:
    ruby-version: ${{ matrix.ruby }}
    apt-get: "${{ startsWith(matrix.ruby, 'jruby') && 'ragel' || '' }}"
    brew: "${{ startsWith(matrix.ruby, 'jruby') && 'ragel' || '' }}"
```
I'm surprised to hear that from you. I'm okay to withdraw this PR now. I'm working to expand to sign with Thanks!
We can sign with sigstore without GitHub Actions:
Ahah, not sure why :) What annoys me with GitHub release is that it's just extra steps since I already maintain Granted, with your PR, creating the GitHub release would trigger the build and release process, so at least it would be better, but then my annoyance is that I need to push a commit that bumps the version and updates the CHANGELOG.md, and then go do some clicking. What would be great DX, I think, is if that action triggered automatically on pushes to
Is there some existing test repo I could use to try to implement automatic release?
The logic was quite simple: https://github.com/Shopify/shipit-engine/blob/5cf498b2f334bfa68ff86e93f838e9bf1590b797/lib/snippets/release-gem#L46-L61 The task first checks if the current version is already published, and if that's the case it just noops and succeeds.
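One way to express the check described above (succeed as a noop when the tree's version is already on the gem server, and refuse a tag that disagrees with that version, as the vX.Y.Z trigger discussed in this PR would need), written here in Ruby as an added example; it is not code from ruby/json or shipit-engine, and the version list is a constructed stand-in for the rubygems.org versions API response:

```ruby
require "json"
require "rubygems"

# Constructed stand-in for the rubygems.org versions API response
# (GET /api/v1/versions/json.json), trimmed to the fields used here.
PUBLISHED_VERSIONS_JSON = <<~JSON
  [
    {"number": "2.10.2", "prerelease": false},
    {"number": "2.10.1", "prerelease": false},
    {"number": "2.11.0.pre1", "prerelease": true}
  ]
JSON

# Versions already on the gem server as Gem::Version objects, so that
# comparisons follow RubyGems semantics ("2.10.10" > "2.10.2").
def published_versions(json = PUBLISHED_VERSIONS_JSON)
  JSON.parse(json).map { |v| Gem::Version.new(v["number"]) }
end

# Decide what the release task should do for the version found in the
# checked-out tree. A version that is already published is a successful
# noop (the server would reject a re-push anyway); a version older than
# the latest release points at a stale checkout or a mistyped tag.
def release_action(local_version, published = published_versions)
  local = Gem::Version.new(local_version)
  return :noop if published.include?(local)
  latest = published.reject(&:prerelease?).max
  return :publish if latest.nil? || local > latest
  :error
end

# Tags of the form vX.Y.Z must agree with the version in the tree before
# anything is published; anything else is treated as an error.
TAG_FORMAT = /\Av(\d+\.\d+\.\d+(?:\.[0-9A-Za-z]+)*)\z/

def release_action_for_tag(tag, local_version, published = published_versions)
  m = TAG_FORMAT.match(tag)
  return :error if m.nil? || Gem::Version.new(m[1]) != Gem::Version.new(local_version)
  release_action(local_version, published)
end

if $PROGRAM_NAME == __FILE__
  puts release_action_for_tag("v2.10.3", "2.10.3")  # publish
  puts release_action_for_tag("v2.10.2", "2.10.2")  # noop
  puts release_action_for_tag("v2.10.3", "2.10.2")  # error (tag/version mismatch)
end
```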
Agreed. Because I replaced the changelog file with GitHub releases on repositories that enabled trusted publisher. My release workflow is:
There is no test repo now. I always tagged
Alright, I'll try to see if I can implement a seamless workflow, and if not we can reopen this PR. I appreciate that you are closing for my convenience, but I'm fine making my life a bit harder if it improves the ecosystem.
I would like to apply sigstore signing to the json gem: https://guides.rubygems.org/trusted-publishing/

According to https://segiddins.github.io/are-we-attested-yet/, it is clear that many gems still do not use sigstore, including json. It improves protection against supply-chain attacks in the long term. This PR prepares to use sigstore via the release-gem workflow. This workflow will trigger publishing, signing and creating a GH release for ruby and jruby when we push a new version tag like vX.Y.Z.

@byroot How about this?