github-community-projects / graphql-client

A Ruby library for declaring, composing and executing GraphQL queries
MIT License

Add Release GitHub Actions workflow #8

Closed jgarber623 closed 9 months ago

jgarber623 commented 10 months ago

Description

This PR adds a GitHub Actions workflow that will build and publish a new version of the gem to RubyGems. The workflow follows the pattern described in RubyGems' "Trusted Publishing" documentation.

The workflow is triggered whenever a new Release is published by anyone with permissions to do so on the project's GitHub repository. This should work for pre-release versions, as well.

Releases may be created via the website or by using the GitHub CLI:

```sh
gh release create v0.1.0 --generate-notes
```

Being sure to swap out v0.1.0 with an appropriate (new or existing) tag, of course. Note that draft releases and/or editing existing releases will not re-trigger this workflow.

> [!NOTE]
> Anyone with the ability to create Releases on this project will be able to indirectly trigger this workflow and publish a new version to RubyGems. It may be worth auditing the "Collaborators" settings on GitHub and the "Ownership" settings on RubyGems.

This commit follows up on my question/comment on #3.

RubyGems Owner To-Do

In order to enable this workflow, a gem owner (@rmosolgo, that'd be you!) will need to configure a Trusted Publisher on RubyGems. This tutorial outlines the necessary steps.

  1. Navigate to https://rubygems.org/gems/graphql-client/trusted_publishers
  2. Authenticate (if necessary)
  3. Click "Create" on the Trusted Publishers page
  4. Select "GitHub Actions" as the publisher type
  5. You may need to update the repository owner field to be "github-community-projects"
  6. Set "release.yml" as the workflow name
  7. Click "Create Rubygem trusted publisher"

That should be it on the RubyGems side of things.

Suggested Improvement

I didn't add this in the PR, but:

On some of my projects, I re-run my CI workflow before running the job that releases a gem as a last-minute backstop against anything strange happening. You can see that in action in this workflow file (reproduced and modified here):

```yaml
jobs:
  ci:
    name: CI
    uses: ./.github/workflows/ci.yml
  release:
    name: Release to RubyGems
    permissions:
      contents: write
      id-token: write
    # Run the `ci` job before running the `release` job:
    needs: ci
    # etc. etc. etc.
```

The ci.yml workflow would need a small update to its trigger configuration to support this:

```yaml
on:
  push:
  pull_request:
  workflow_call:
```

Relevant documentation:

Thanks!

Thanks for considering this change to this gem's workflow. Adopting this process should streamline the development cycle while also maintaining security and trust. Looking forward to your feedback.
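For reference, here is what a complete release workflow following the pattern described in this PR (published-release trigger, CI re-run as a backstop, OIDC-based Trusted Publishing) can look like. This is an added illustration, not the `release.yml` from this PR; it assumes the project has a `ci.yml` with a `workflow_call:` trigger and uses the `rubygems/release-gem` action from the RubyGems Trusted Publishing guide.

```yaml
# .github/workflows/release.yml (illustrative; not the file from this PR)
name: Release

on:
  release:
    # Fires on "published" only: draft releases and edits to existing
    # releases do not re-trigger the workflow, as the PR description notes.
    types: [published]

# Default every job to read-only; only the release job gets write scopes.
permissions:
  contents: read

jobs:
  ci:
    name: CI
    # Re-run the project's CI as a last-minute backstop before publishing.
    # Requires ci.yml to declare a `workflow_call:` trigger (assumed here).
    uses: ./.github/workflows/ci.yml

  release:
    name: Release to RubyGems
    needs: ci
    runs-on: ubuntu-latest
    # A fork that copies this file cannot publish: the Trusted Publisher on
    # RubyGems is bound to this exact repository and workflow file name.
    if: github.repository == 'github-community-projects/graphql-client'
    environment:
      name: rubygems.org
      url: https://rubygems.org/gems/graphql-client
    permissions:
      contents: write   # `rake release` may create/push the version tag
      id-token: write   # mint the OIDC token exchanged for a RubyGems token
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: ruby
          bundler-cache: true
      # Exchanges the job's OIDC token for a short-lived RubyGems API key and
      # runs `bundle exec rake release`; no long-lived API key is stored.
      - uses: rubygems/release-gem@v1
```

The `if:` guard and the job-level `permissions:` block are the two settings worth checking when reviewing such a workflow: without them, a misconfigured fork or an unrelated job inherits more than it needs.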

jgarber623 commented 10 months ago

Oh! Also maybe worth noting:

rmosolgo commented 9 months ago

🎉 0.20.0 is published with MFA from GitHub Actions. Thanks for this improvement! https://rubygems.org/gems/graphql-client/versions/0.20.0

jgarber623 commented 9 months ago

@rmosolgo That's great news! Glad I could help out.