
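# Release pipeline for the gem: build once, publish the same artifact to
# GitHub Packages and RubyGems (with a Sigstore bundle), attest build
# provenance, then verify that attestation against the published file.
#
# Third-party actions are pinned to full commit SHAs; the trailing comment on
# each `uses:` records the ref the SHA was taken from.
name: release
on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - lib/hooks/version.rb

# No default token permissions — every job declares exactly what it needs.
permissions: {}

jobs:
  # Builds the gem and exposes its name/version/path and the uploaded
  # artifact id; every downstream job consumes these outputs. Read-only token.
  build:
    if: github.repository == 'github/hooks'
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
      gem_name: ${{ steps.build.outputs.gem_name }}
      gem_version: ${{ steps.build.outputs.gem_version }}
      gem_path: ${{ steps.build.outputs.gem_path }}
      artifact_dir: ${{ steps.build.outputs.artifact_dir }}
    steps:
      - name: checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # [email protected]
        with:
          # Do not leave the workflow token in .git/config for later steps.
          persist-credentials: false
      - uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # [email protected]
        with:
          bundler-cache: false
      - name: bootstrap
        run: script/bootstrap
      # IMPORTANT: this step MUST export for the following outputs:
      #   gem_name: the name of the gem - ex: "my-cool-gem"
      #   gem_version: the version of the gem - ex: "1.0.0"
      #   gem_path: the path/filename of the gem - ex: "my-cool-gem-1.0.0.gem"
      #   artifact_dir: the path to the dir where artifacts are stored - ex: "dist"
      - name: build
        id: build
        run: script/build
      - name: upload artifact
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # [email protected]
        id: upload-artifact
        with:
          name: ${{ steps.build.outputs.artifact_dir }}
          path: ${{ steps.build.outputs.artifact_dir }}
          # A missing build output must fail the run rather than publish nothing.
          if-no-files-found: error

  # Publishes the built gem: to GitHub Packages with the workflow token, then
  # to RubyGems with a Sigstore bundle, and finally creates the GitHub
  # release. Gated by the `release` environment.
  release:
    needs: build
    environment: release
    runs-on: ubuntu-latest
    permissions:
      contents: write  # gh release create
      packages: write  # gem push to rubygems.pkg.github.com
      id-token: write  # OIDC identity for RubyGems credentials / signing
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # [email protected]
        with:
          persist-credentials: false
      # Re-download the exact artifact produced by `build`; nothing is rebuilt here.
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # [email protected]
        with:
          artifact-ids: ${{ needs.build.outputs.artifact-id }}
          path: ${{ needs.build.outputs.artifact_dir }}
      - name: view artifact
        env:
          ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
        run: tree -L 2 -a --dirsfirst -C -F -h -D "${ARTIFACT_PATH}"
      - name: Publish to GitHub Packages
        env:
          OWNER: ${{ github.repository_owner }}
          GEM_NAME: ${{ needs.build.outputs.gem_name }}
          GEM_VERSION: ${{ needs.build.outputs.gem_version }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
        # Every expansion is quoted so a value containing whitespace or glob
        # characters cannot be split into extra arguments.
        run: |
          GEM_HOST_API_KEY="${GITHUB_TOKEN}" gem push --key github \
            --host "https://rubygems.pkg.github.com/${OWNER}" \
            "${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem"
      # NOTE(review): script/bootstrap runs here, inside the job that holds
      # contents/packages/id-token write permissions. The checkout does not
      # persist the token, but whatever bootstrap installs and executes still
      # runs with this job's permissions — confirm that is intended rather
      # than something that could be done in the read-only `build` job.
      - uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # [email protected]
        with:
          bundler-cache: false
      - name: bootstrap
        run: script/bootstrap
      # Pinned to a commit SHA; the source comment records it as tracking main.
      - name: Configure RubyGems Credentials
        uses: rubygems/configure-rubygems-credentials@89fa1f8ddec96dc9a57f448b9eaadbdf531f50e2 # pin@main
      - name: sign ruby gem
        env:
          GEM_NAME: ${{ needs.build.outputs.gem_name }}
          GEM_VERSION: ${{ needs.build.outputs.gem_version }}
          ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
        run: |
          bundle exec sigstore-cli sign \
            "${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem" \
            --bundle "${GEM_NAME}-${GEM_VERSION}.sigstore.json"
      - name: Publish to RubyGems
        env:
          GEM_NAME: ${{ needs.build.outputs.gem_name }}
          GEM_VERSION: ${{ needs.build.outputs.gem_version }}
          ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
        run: |
          gem push "${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem" \
            --attestation "${GEM_NAME}-${GEM_VERSION}.sigstore.json"
      # Block until the pushed version is visible on the gem host (5 min cap).
      - name: await gem
        env:
          GEM_NAME: ${{ needs.build.outputs.gem_name }}
          GEM_VERSION: ${{ needs.build.outputs.gem_version }}
        run: bundle exec rubygems-await "${GEM_NAME}:${GEM_VERSION}" --timeout 300
      - name: GitHub Release
        env:
          GEM_NAME: ${{ needs.build.outputs.gem_name }}
          GEM_VERSION: ${{ needs.build.outputs.gem_version }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
        run: |
          gh release create "v${GEM_VERSION}" \
            "${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem" \
            "${GEM_NAME}-${GEM_VERSION}.sigstore.json" \
            --title "v${GEM_VERSION}" \
            --generate-notes

  # Generates a GitHub build-provenance attestation for the gem file. Runs
  # only after `release` has completed, on the artifact produced by `build`.
  sign:
    needs: [build, release]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      attestations: write
      contents: read
    steps:
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # [email protected]
        with:
          path: ${{ needs.build.outputs.artifact_dir }}
          artifact-ids: ${{ needs.build.outputs.artifact-id }}
      - name: attest build provenance
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # [email protected]
        with:
          subject-path: "${{ needs.build.outputs.artifact_dir }}/${{ needs.build.outputs.gem_path }}"

  # Independently checks the attestation from `sign` against the same gem
  # file, requiring that it was signed by this repository's release workflow.
  verify:
    permissions: {}
    needs: [build, release, sign]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # [email protected]
        with:
          path: ${{ needs.build.outputs.artifact_dir }}
          artifact-ids: ${{ needs.build.outputs.artifact-id }}
      - name: verify
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          OWNER: ${{ github.repository_owner }}
          REPO: ${{ github.event.repository.name }}
          ARTIFACT_PATH: "${{ needs.build.outputs.artifact_dir }}/${{ needs.build.outputs.gem_path }}"
        # --signer-workflow binds verification to this file's path in the repo;
        # assumes it is checked in as .github/workflows/release.yml — confirm,
        # since a rename would make this step fail.
        run: |
          gh attestation verify "${ARTIFACT_PATH}" \
            --repo "${OWNER}/${REPO}" \
            --signer-workflow "${OWNER}/${REPO}/.github/workflows/release.yml"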