Skip to content
86 changes: 86 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
name: Release

on:
push:
tags: ["v*.*.*"]

permissions:
contents: read
Comment on lines +7 to +8

jobs:
test:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout Code
# see https://github.com/actions/checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Set up Ruby
# see https://github.com/ruby/setup-ruby
uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0
with:
ruby-version: '3.3.9'
bundler-cache: false
- name: Install Dependencies
run: bundle install
- name: Run the default task
run: bundle exec rake

rubygems_release:
name: RubyGems Release
if: github.repository == 'CycloneDX/cyclonedx-ruby-gem'
runs-on: ubuntu-latest
timeout-minutes: 10
needs: test
permissions:
contents: write # Required for `rake release` to perform git synchronization.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is intentional. This CI job follows the rubygems/release-gem usage documentation. Although actions/checkout is configured with persist-credentials: false, the rubygems/release-gem action configures Git authentication itself using github.token (its token input defaults to ${{ github.token }}). See:

https://github.com/rubygems/release-gem#usage
https://github.com/rubygems/release-gem/blob/v1/action.yml#L10

id-token: write # Required for Trusted Publishing authentication.
environment: release
steps:
- name: Checkout Code
# see https://github.com/actions/checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Set up Ruby
# see https://github.com/ruby/setup-ruby
uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0
with:
ruby-version: ruby
bundler-cache: false
- name: "Push gem to RubyGems"
# see https://github.com/rubygems/release-gem
uses: rubygems/release-gem@6317d8d1f7e28c24d28f6eff169ea854948bd9f7 # v1.2.0

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a comment with the action's URL for easier docks lookup when maintaining.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in da61dd3. Thanks for the suggestion.


github_release:
name: GitHub Release
if: github.repository == 'CycloneDX/cyclonedx-ruby-gem'
runs-on: ubuntu-latest
timeout-minutes: 10
needs: rubygems_release
environment: release
# Needed for `gh release create` because GitHub Releases require write access
# to repository contents, which is not granted by default with GITHUB_TOKEN.
permissions:
contents: write

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a comment why this permission is needed

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in e3c2541. Thanks for the suggestion.

steps:
- name: Checkout Code
# see https://github.com/actions/checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Create GitHub Release

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could the release have the gem as a release asset?
It would be ideal to use the one produced in the rubygems_release job - you could use https://docs.github.com/en/actions/concepts/workflows-and-actions/workflow-artifacts to transfer a file from one job to the other. (artifact lifetime of 1 day should be enough)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you be okay with deferring this for now? I don't think it's necessary to include the built gem in the GitHub release since it'll already be published to RubyGems, and anyone can build it from the release assets. AFAIK, rubygems/release-gem does not produce a build artifact, so we'd need to add additional steps to build the gem and upload it separately.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just artifact pkg/*.gem at the end of the rubygems_release should work, right?

I mean, rubygems/release-gem does not do any magic, it just calls bundle exec rake release which will cause emitting files pkg/*.gem.
see https://github.com/rubygems/release-gem/blob/052cc82692552de3ef2b81fd670e41d13cba8092/action.yml#L60-L67

run: |

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please rework this to

run: >
  gh release create ...
  --verify-tag
  ...

declare -a FLAGS=("--verify-tag" "--generate-notes")

# Determine release type from tag suffix
if [[ "$GITHUB_REF_NAME" =~ -(alpha|beta|rc|pre)[0-9.]*$ ]]; then
FLAGS+=("--prerelease")
fi

# Publish the release on GitHub with auto-generated release notes
gh release create "${FLAGS[@]}" -- "$GITHUB_REF_NAME"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}