
Conversation

Member

@gjtorikian gjtorikian commented Jan 2, 2026

This PR is an attempt to make publishing to RubyGems and crates.io simpler and more secure.

Ultimately, both RubyGems and crates.io support Trusted Publishing. The idea is that rather than one individual using their own auth token to publish updates, the GitHub Actions workflow can request a short-lived token from the provider, and use that to issue updates. This should make it simpler for newly merged PRs to be released across RubyGems, crates.io, and Dockerhub.

In the new release.yml here, I propose:

  • a workflow dispatch with two inputs, prepare and release.
  • once a new version is ready to be released, one would go to the GitHub Actions UI and toggle the workflow with prepare: true
  • this examines the new version number defined in gem/lib/rb_sys/version.rb, generates a CHANGELOG entry, and opens a PR
  • the PR can be modified and merged at will

Afterwards:

  • the same workflow is run with release: true
  • this creates a new tag, pushes it, and publishes a GitHub release with that tag
  • docker.yml recognizes the new tag, and pushes the images to Dockerhub
  • as well, the publish_crates job triggers after the new release is made. this pushes rb-sys-build, waits for it to be indexed, then pushes rb-sys to crates.io using OIDC
  • once the crates are pushed, publish_gem publishes the gem using OIDC

There needs to be some configuration on the RubyGems and crates.io UI settings to "recognize" this workflow as the source of truth, but that ought to be it. This brings along an audit trail for releases (via the GitHub Actions logs), credential rotation via OIDC, and supply chain security.
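As an added illustration (this is not the PR's own release.yml), here is a workflow skeleton with the two dispatch inputs described above and OIDC-based publishing under least-privilege token permissions; the action names and versions, the gemspec path, and the release-step placeholder are assumptions to verify against the providers' docs.

```yaml
name: release
on:
  workflow_dispatch:
    inputs:
      prepare:
        type: boolean
        default: false
      release:
        type: boolean
        default: false
# Default for every job: read-only. Jobs opt in to what they need below,
# so no job receives a write-capable GITHUB_TOKEN by accident.
permissions:
  contents: read
jobs:
  release:
    if: ${{ inputs.release }}
    runs-on: ubuntu-latest
    permissions:
      contents: write   # push the tag and create the GitHub release
    steps:
      - uses: actions/checkout@v4
      - run: echo "tag, push and release steps go here"   # placeholder
  publish_crates:
    needs: release
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request a short-lived OIDC token
      contents: read
    steps:
      - uses: actions/checkout@v4
      - id: auth
        uses: rust-lang/crates-io-auth-action@v1   # assumption: trades the OIDC token for a crates.io token
      - run: cargo publish -p rb-sys-build
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
      # wait for the index to catch up, then `cargo publish -p rb-sys` (omitted)
  publish_gem:
    needs: publish_crates
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # no long-lived RubyGems API key stored anywhere
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: rubygems/configure-rubygems-credentials@v1
        with:
          role-to-assume: ${{ secrets.RUBYGEMS_OIDC_ROLE }}   # value named in this thread; RubyGems says it may be public
      - run: gem build gem/rb_sys.gemspec && gem push rb_sys-*.gem   # gemspec path is a placeholder
```

Pair this with the provider-side trusted-publisher configuration pinned to this repository and workflow file, so that only runs of this workflow can mint publishing tokens.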

@ianks
Collaborator

ianks commented Jan 5, 2026

Cool with this in theory; I assume I need to input credentials somewhere?

@gjtorikian
Member Author

Yeah, the only credential needed is: role-to-assume: ${{ secrets.RUBYGEMS_OIDC_ROLE }}

You actually don't need to set this as a secret; RubyGems says it's fine to expose publicly.

@gjtorikian
Member Author

FWIW there are UI settings for both RubyGems and crates.io that you would need to configure (since you're the owner of those published packages); the links above provide more documentation on what to do there.
