From ed1c84b88be62e64446992775d5ba034decd5344 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Tue, 12 Nov 2024 18:41:01 +0900 Subject: [PATCH] Configure RubyGems Trusted Publishing Added .github/workflows/push_gem.yml based on that of net-imap and psych. If nothing goes wrong, pushing a tag named v* should publish openssl-*.gem and openssl-*-java.gem to rubygems.org, and create a draft GitHub release. --- .github/workflows/push_gem.yml | 51 ++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/push_gem.yml diff --git a/.github/workflows/push_gem.yml b/.github/workflows/push_gem.yml new file mode 100644 index 000000000..a6edb9312 --- /dev/null +++ b/.github/workflows/push_gem.yml @@ -0,0 +1,51 @@ +name: Publish gem to rubygems.org + +on: + push: + tags: + - 'v*' + +permissions: + contents: read + +jobs: + push: + if: github.repository == 'ruby/openssl' + runs-on: ubuntu-latest + + environment: + name: rubygems.org + url: https://rubygems.org/gems/openssl + + permissions: + contents: write + id-token: write + + strategy: + matrix: + ruby: [ 'ruby', 'jruby' ] + + steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@v4 + + - name: Set up Ruby + uses: ruby/setup-ruby@v1 + with: + bundler-cache: true + ruby-version: ${{ matrix.ruby }} + + - name: Publish to RubyGems + uses: rubygems/release-gem@v1 + + - name: Create GitHub release + run: | + tag_name="$(git describe --tags --abbrev=0)" + gh release create "${tag_name}" --verify-tag --draft --generate-notes pkg/*.gem + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + if: matrix.ruby == 'ruby'