Add Release GitHub Actions workflow #8

Merged


jgarber623
Contributor

Description

This PR adds a GitHub Actions workflow that will build and publish a new version of the gem to RubyGems. The workflow follows the pattern described in RubyGems' "Trusted Publishing" documentation.

The workflow is triggered whenever a new Release is published by anyone with permissions to do so on the project's GitHub repository. This should work for pre-release versions, as well.

Releases may be created via the website or by using the GitHub CLI:

```sh
gh release create v0.1.0 --generate-notes
```

Being sure to swap out `v0.1.0` with an appropriate (new or existing) tag, of course. Note that draft releases and/or editing existing releases will not re-trigger this workflow.

Note

Anyone with the ability to create Releases on this project will be able to indirectly trigger this workflow and publish a new version to RubyGems. It may be worth auditing the "Collaborators" settings on GitHub and the "Ownership" settings on RubyGems.

This commit follows up on my question/comment on #3.

RubyGems Owner To-Do

In order to enable this workflow, a gem owner (@rmosolgo, that'd be you!) will need to configure a Trusted Publisher on RubyGems. This tutorial outlines the necessary steps.

  1. Navigate to https://rubygems.org/gems/graphql-client/trusted_publishers
  2. Authenticate (if necessary)
  3. Click "Create" on the Trusted Publishers page
  4. Select "GitHub Actions" as the publisher type
  5. You may need to update the repository owner field to point to "github-community-projects"
  6. Set "release.yml" as the workflow name
  7. Click "Create Rubygem trusted publisher"

That should be it on the RubyGems side of things.

Suggested Improvement

I didn't add this in the PR, but:

On some of my projects, I re-run my CI workflow before running the job that releases a gem as a last-minute backstop against anything strange happening. You can see that in action in this workflow file (reproduced and modified here):

```yaml
jobs:
  ci:
    name: CI
    uses: ./.github/workflows/ci.yml
  release:
    name: Release to RubyGems
    permissions:
      contents: write
      id-token: write
    # Run the `ci` job before running the `release` job:
    needs: ci
    # etc. etc. etc.
```

The ci.yml workflow would need a small update to its trigger configuration to support this:

```yaml
on:
  push:
  pull_request:
  workflow_call:
```

Relevant documentation:

Thanks!

Thanks for considering this change to this gem's workflow. Adopting this process should streamline the development cycle while also maintaining security and trust. Looking forward to your feedback.

This commit adds a GitHub Actions workflow that will build and publish a
new version of the gem to RubyGems. The workflow follows the pattern
described in RubyGems' "Trusted Publishing" documentation [1].

The workflow is triggered whenever a new Release is published by anyone
with permissions to do so on the project's GitHub repository. This
should work for pre-release versions, as well.

Releases may be created via the website [2] or by using the GitHub CLI:

```sh
gh release create v0.1.0 --generate-notes
```

Being sure to swap out `v0.1.0` with an appropriate (new or existing)
tag, of course. Note that draft releases and/or editing existing
releases will not re-trigger this workflow.

This commit follows up on my question/comment [3] on #3.

[1] https://guides.rubygems.org/trusted-publishing/releasing-gems/
[2] https://github.com/github-community-projects/graphql-client/releases
[3] #3 (comment)
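
A sketch of a `release.yml` that combines the pieces described in the pull request above: the release-published trigger, Trusted Publishing, and the suggested CI re-run before release. It is an added example, not the workflow file merged in this PR; the action versions (`actions/checkout@v4`, `ruby/setup-ruby@v1`, `rubygems/release-gem@v1`) and the `ubuntu-latest` runner are assumptions.

```yaml
# .github/workflows/release.yml (illustrative sketch, not the merged file).
# The file name must match the workflow name registered for the
# Trusted Publisher on RubyGems ("release.yml" in the to-do list above).
name: Release

on:
  release:
    # Per the PR description: publishing a release (or pre-release) triggers
    # the workflow; drafts and edits to existing releases do not.
    types: [published]

# Default every job to read-only and grant more only where needed.
permissions:
  contents: read

jobs:
  ci:
    name: CI
    # Needs `workflow_call:` under `on:` in ci.yml, as noted in the PR.
    uses: ./.github/workflows/ci.yml

  release:
    name: Release to RubyGems
    # Do not publish unless the CI job passed on this exact ref.
    needs: ci
    runs-on: ubuntu-latest
    permissions:
      contents: write   # same grants as the snippet in the PR description
      id-token: write   # allows the job to request the OIDC token that
                        # RubyGems exchanges for a short-lived API key
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: ruby
          bundler-cache: true
      # Action from the RubyGems Trusted Publishing guide; with it, no
      # long-lived RubyGems API key is stored in repository secrets.
      - uses: rubygems/release-gem@v1
```

Only the `release` job carries `id-token: write`, so the reused CI workflow cannot mint a publishing token. Pinning each `uses:` reference to a full commit SHA instead of a tag further limits what a compromised action release could do.
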
@jgarber623
Contributor Author

Oh! Also maybe worth noting:

  • The addition of this workflow (and the process changes it introduces) shouldn't preclude you from manually building and pushing a gem on your machine.
  • Tangential to this PR, I'd also suggest adding the rubygems_mfa_required setting to this gem's metadata (documentation) and requiring all owners to enable MFA on their RubyGems account.

@rmosolgo rmosolgo merged commit 679ad50 into github-community-projects:master Feb 8, 2024
21 checks passed
@rmosolgo
Collaborator

rmosolgo commented Feb 8, 2024

🎉 0.20.0 is published with MFA from GitHub Actions. Thanks for this improvement! https://rubygems.org/gems/graphql-client/versions/0.20.0

@jgarber623 jgarber623 deleted the add-release-workflow branch February 9, 2024 02:17
@jgarber623
Contributor Author

@rmosolgo That's great news! Glad I could help out.
