Comments (4)
This ticket does not include any provenance/SLSA, or sigstore/signing. This ticket is purely about getting the invocation streamlined. We still need to create tickets (separate from this one, and that will not be blocked by this one) that describe how provenance/SLSA and sigstore/signing are going to work on both the GitHub actions and RubyGems.org sides.
I am ok with simply having that single option, and offering anyone who wants to customize that they can copy and paste the contents from rubygems/release (e.g. the top code block in this ticket) and customize from there.
If you think it would be better to have composable/replaceable pieces for the flow, I could imagine hypothetical steps for the rubygems/publish action that could look something like this:
```yaml
steps:
  # Set up
  - uses: actions/checkout@v4
  - name: Set up Ruby
    uses: ruby/setup-ruby@v1
    with:
      bundler-cache: true
      ruby-version: ruby
  # Release
  - uses: rubygems/[email protected]
  - uses: rubygems/release@v1
  - name: Wait for release to propagate
    run: gem exec rubygems-await -- pkg/*.gem
```
And then hypothetical steps for rubygems/release could look something like this:
```yaml
steps:
  - name: Set remote URL
    run: |
      # Attribute commits to the last committer on HEAD
      git config --global user.email "$(git log -1 --pretty=format:'%ae')"
      git config --global user.name "$(git log -1 --pretty=format:'%an')"
      git remote set-url origin "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY"
  - name: Release
    run: bundle exec rake release
```
Given that we haven't yet built the separated SLSA-compliant workflows that will have to be separate, I am also happy to wait on dividing the separate and composable pieces until we build that and know where those should be.
In the meantime, I think we need to ship trusted publishing with a default, happy-path, CI-based option that is on par with the simplicity of the CLI's `bundle exec rake release` command, to encourage developers to use that instead of continuing to run the releases from their laptop because it feels less complicated.
Notes from discussion:
- action name most likely `rubygems/release-gem`
- no SLSA or sigstore components
- only covers the happy path; if you need customization please feel free to copy out the contents into your own workflow and adjust as needed
- goal is to be as easy as `bundle exec rake release` but for CI-based trusted publishing
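A complete workflow file showing how the happy-path release action described in the two comments above fits into a repository, added here as an illustration and not code from this thread or from the rubygems/release-gem project. It assumes the action is referenced as `rubygems/release-gem@v1`, that the repository has a protected GitHub environment named `release`, and that the workflow is started manually; all three are assumptions. The `id-token: write` permission is what GitHub requires before a job can mint the OIDC token that trusted publishing exchanges for a short-lived RubyGems credential, and `contents: write` is needed because `rake release` pushes the version tag back to the repository.

```yaml
# Added example workflow (not from the thread or the rubygems/release-gem project).
name: Release gem

on:
  workflow_dispatch: {}   # assumption: releases are started by hand from the Actions tab

jobs:
  release:
    runs-on: ubuntu-latest
    # assumption: a protected environment named "release" exists; its reviewers
    # and branch rules gate who can trigger a publish
    environment: release
    permissions:
      contents: write   # rake release pushes the release commit/tag
      id-token: write   # required for GitHub to issue the OIDC token used by trusted publishing
      # everything else defaults to none once a permissions block is present
    steps:
      - uses: actions/checkout@v4

      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
          ruby-version: ruby

      # assumption: the action is published under the v1 tag
      - uses: rubygems/release-gem@v1
```

Nothing in this workflow is a long-lived secret: no API key is stored in the repository, and the credential the job obtains is scoped to that run. Keeping the `permissions` block on the job (rather than relying on the repository-wide default) is the least-privilege detail most worth copying when the contents are pasted into a custom workflow.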
https://github.com/rubygems/release-gem