Push Gem #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Trusted publishing to RubyGems.org (OIDC). Configure a pending publisher at: | |
| # https://rubygems.org/profile/oidc/pending_trusted_publishers | |
| # Workflow file name and repository must match RubyGems trusted publisher settings. | |
| # See https://guides.rubygems.org/trusted-publishing/pushing-a-new-gem/ | |
| # and https://guides.rubygems.org/trusted-publishing/releasing-gems/ | |
| name: Push Gem | |
| on: | |
| release: | |
| types: [published] | |
| workflow_dispatch: | |
| # GitHub does not start new workflow runs for events caused by the default | |
| # GITHUB_TOKEN (e.g. gh release create in another workflow). After | |
| # "Release on merge" creates a release, trigger this workflow instead. | |
| workflow_run: | |
| workflows: [Release on merge] | |
| types: [completed] | |
| permissions: | |
| contents: read | |
| jobs: | |
| gate: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| publish: ${{ steps.decide.outputs.publish }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| if: github.event_name == 'workflow_run' | |
| with: | |
| ref: main | |
| - id: decide | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| set -euo pipefail | |
| if [[ "${{ github.event_name }}" != "workflow_run" ]]; then | |
| echo "publish=true" >> "${GITHUB_OUTPUT}" | |
| exit 0 | |
| fi | |
| if [[ "${{ github.event.workflow_run.conclusion }}" != "success" ]]; then | |
| echo "publish=false" >> "${GITHUB_OUTPUT}" | |
| exit 0 | |
| fi | |
| VERSION="$(ruby -r ./lib/ruby_proxy_headers/version.rb -e 'puts RubyProxyHeaders::VERSION')" | |
| TAG="v${VERSION}" | |
| if gh release view "${TAG}" --repo "${{ github.repository }}" >/dev/null 2>&1; then | |
| echo "publish=true" >> "${GITHUB_OUTPUT}" | |
| else | |
| echo "No GitHub release ${TAG} yet (or release job was skipped); skipping gem push." | |
| echo "publish=false" >> "${GITHUB_OUTPUT}" | |
| fi | |
| push: | |
| needs: gate | |
| if: >- | |
| github.repository == 'proxymesh/ruby-proxy-headers' && | |
| needs.gate.outputs.publish == 'true' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event_name == 'workflow_run' && 'main' || github.ref }} | |
| persist-credentials: false | |
| - name: Verify release tag matches gem version | |
| if: github.event_name == 'release' | |
| env: | |
| REF_NAME: ${{ github.ref_name }} | |
| run: | | |
| VERSION=$(ruby -r ./lib/ruby_proxy_headers/version.rb -e 'puts RubyProxyHeaders::VERSION') | |
| if [ "v${VERSION}" != "${REF_NAME}" ]; then | |
| echo "Release tag must be v${VERSION} (RubyProxyHeaders::VERSION); got ${REF_NAME}" >&2 | |
| exit 1 | |
| fi | |
| - name: Set up Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| bundler-cache: true | |
| ruby-version: ruby | |
| - uses: rubygems/release-gem@v1 |