Commit c9e861a

Update release workflow to configure RubyGems credentials and remove API key requirement
1 parent 91b571c commit c9e861a

2 files changed

Lines changed: 7 additions & 3 deletions

.github/workflows/release.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@ on:
1717

1818
permissions:
1919
contents: write
20+
id-token: write
2021

2122
concurrency:
2223
group: release-${{ github.event.inputs.tag || github.ref_name || github.sha }}
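
Review bot: `id-token: write` at line 20 is added to the workflow-level `permissions:` block, so it applies to any job in this workflow, including ones added later, not only the one that publishes. Move it into a job-level `permissions:` block on the job that contains the "Publish gem to RubyGems" step, so that only that job can request the OIDC token RubyGems accepts for trusted publishing.
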
@@ -111,14 +112,17 @@ jobs:
111112
echo 'exists=false' >> "$GITHUB_OUTPUT"
112113
fi
113114
115+
- name: Configure RubyGems credentials
116+
if: steps.rubygems.outputs.exists != 'true'
117+
uses: rubygems/configure-rubygems-credentials@main
118+
114119
- name: Publish gem to RubyGems
115120
if: steps.rubygems.outputs.exists != 'true'
116121
env:
117-
GEM_HOST_API_KEY: ${{ secrets.RUBYGEMS_AUTH_TOKEN }}
118122
RELEASE_VERSION: ${{ steps.release.outputs.version }}
119123
run: |
120124
if [ -z "$GEM_HOST_API_KEY" ]; then
121-
echo 'Missing RUBYGEMS_AUTH_TOKEN secret.'
125+
echo 'RubyGems trusted publishing did not provide GEM_HOST_API_KEY.'
122126
exit 1
123127
fi
124128
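
Review bot: `uses: rubygems/configure-rubygems-credentials@main` at line 117 tracks a mutable branch, and this is the step that exchanges the job's OIDC token for publishing credentials. Pin it to a release tag or, better, a full commit SHA so that a change on that branch cannot alter what runs with publish rights. Separately, the `[ -z "$GEM_HOST_API_KEY" ]` guard now depends entirely on that step exporting the variable to later steps, since the `env:` entry that used to set it is removed; a one-line comment above the guard saying where the value comes from would help the next reader.
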

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -211,7 +211,7 @@ The `Update bundle` workflow runs monthly and can also be started manually from
211211

212212
The `Release gem` workflow publishes to RubyGems when a tag like `v1.6.12` is pushed. It also runs when `lib/cloudstack-cli/version.rb` changes on `main`, creates the matching tag automatically, verifies the gem loads and builds, and publishes that version. You can also trigger it manually from the Actions tab with a release tag like `v1.6.12`; if the tag does not exist yet, the workflow creates it from the selected branch before publishing, and if it already exists the workflow reuses that tag.
213213

214-
Add the `RUBYGEMS_API_KEY` repository secret before using the release workflow.
214+
The release workflow uses RubyGems trusted publishing via GitHub OIDC, so no RubyGems API key secret is required. The gem must already be configured with this repository as a trusted publisher on RubyGems.org.
215215

216216
Typical release flow:
217217
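
Review bot: The new sentence at README line 214 says the repository must be registered as a trusted publisher but not with which values; name the workflow file (`release.yml`) that has to match on RubyGems.org, since a mismatch only shows up as a failed release. It is also worth telling maintainers to delete the old repository secret and revoke the key behind it. Note that the removed README line named `RUBYGEMS_API_KEY` while the workflow read `secrets.RUBYGEMS_AUTH_TOKEN`, so both names should be checked.
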
