gem_push.yml
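# Release workflow: on a pushed tag matching "v*", build the gem on CRuby and
# JRuby, sign each built gem with Sigstore, push it to RubyGems with the
# signature bundle as attestation, then create the GitHub release (CRuby leg).
name: Push gem to RubyGems

on:
  push:
    tags:
      # Any tag whose name starts with "v" starts a publish run.
      - "v*"

# Workflow-wide default is read-only; the job below widens it explicitly.
permissions:
  contents: read

jobs:
  push:
    # Skip the job in forks so only the canonical repository publishes.
    if: github.repository == 'httprb/http'
    runs-on: ubuntu-latest

    environment:
      name: rubygems.org
      url: https://rubygems.org/gems/http

    # contents: write is needed by the "Create GitHub release" step.
    # id-token: write lets the job request an OIDC token; presumably consumed
    # by configure-rubygems-credentials and by Sigstore signing (confirm).
    # NOTE(review): both grants apply to every step of the job, including the
    # build and the tools fetched with `gem exec`; moving the GitHub release
    # into its own job would narrow which steps hold contents: write.
    permissions:
      contents: write
      id-token: write

    strategy:
      fail-fast: false
      matrix:
        include:
          - ruby: ruby
            platform: ""
          - ruby: jruby
            platform: java

    env:
      BUNDLE_WITHOUT: sig

    steps:
      # NOTE(review): the actions below are referenced by tag, and a tag can be
      # moved to different code. For a job that holds publish credentials,
      # consider pinning each `uses:` to a full commit SHA, with the tag kept
      # in a trailing comment.
      - uses: actions/checkout@v6
        with:
          # No later step performs an authenticated git operation (the release
          # step calls gh with GITHUB_TOKEN from its own env), so the checkout
          # token does not need to be persisted for the rest of the job.
          persist-credentials: false
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ matrix.ruby }}
          # NOTE(review): this restores a dependency cache inside a publishing
          # job; confirm which workflows can write that cache, or disable
          # caching here if the build does not need the bundle.
          bundler-cache: true
      - uses: rubygems/configure-rubygems-credentials@v1.0.0
      # NOTE(review): installs whatever RubyGems release is current at run
      # time, so the toolchain of a release build is not fixed by this file.
      - name: Update RubyGems
        run: gem update --system
      - name: Build gem
        run: gem build http.gemspec
        env:
          HTTP_PLATFORM: ${{ matrix.platform }}
      # Sigstore signing always runs under CRuby. JRuby 10.0.5+'s
      # jruby-openssl 0.15.7 added tbs_bytes, which triggers a code
      # path in sigstore-ruby 0.2.3 that fails because JRuby's
      # OpenSSL returns the SCT extension OID as its dotted form
      # instead of the short name sigstore-ruby expects.
      - name: Set up CRuby for signing
        if: matrix.ruby != 'ruby'
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ruby
      # Writes one <name>.gem.sigstore.json bundle next to each built gem.
      # NOTE(review): `gem exec` is called without a version constraint here
      # and in the steps below, so the signing and await tools are resolved at
      # run time; consider constraining their versions.
      - name: Sign gem with Sigstore
        run: |
          for gem in http-*.gem; do
            gem exec sigstore-cli sign "$gem" --bundle "${gem%.gem}.gem.sigstore.json"
          done
      # On a failed push the step falls back to rubygems-await and carries on
      # when that succeeds, treating the gem as already published.
      # NOTE(review): confirm that this fallback compares the published gem
      # with the locally built file and not only name and version; otherwise a
      # differing artifact already on RubyGems would pass unnoticed.
      - name: Push gem
        run: |
          for gem in http-*.gem; do
            gem push "$gem" --attestation "${gem%.gem}.gem.sigstore.json" || {
              echo "gem push failed — checking if already published"
              gem exec rubygems-await "$gem" && echo "Already published, continuing" || exit 1
            }
          done
      - name: Wait for release
        run: gem exec rubygems-await http-*.gem
        env:
          HTTP_PLATFORM: ${{ matrix.platform }}
      # Only the CRuby leg creates the release, and only when none exists yet
      # for the tag; --verify-tag makes gh abort if the tag is missing from
      # the remote repository.
      - name: Create GitHub release
        if: matrix.ruby == 'ruby'
        run: |
          tag_name="$(git describe --tags --abbrev=0)"
          gh release view "${tag_name}" >/dev/null 2>&1 || \
            gh release create "${tag_name}" --verify-tag --generate-notes
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}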