Add Release GitHub Actions workflow

[jgarber623]

Description

This PR adds a GitHub Actions workflow that will build and publish a new version of the gem to RubyGems. The workflow follows the pattern described in RubyGems' "Trusted Publishing" documentation.

The workflow is triggered whenever a new Release is published by anyone with permissions to do so on the project's GitHub repository. This should work for pre-release versions, as well.

Releases may be created via the website or by using the GitHub CLI:

gh release create v0.1.0 --generate-notes

Being sure to swap out v0.1.0 with an appropriate (new or existing) tag, of course. Note that draft releases and/or editing existing releases will not re-trigger this workflow.

[!NOTE] Anyone with the ability to create Releases on this project will be able to indirectly trigger this workflow and publish a new version to RubyGems. It may be worth auditing the "Collaborators" settings on GitHub and the "Ownership" settings on RubyGems.

This commit follows up on my question/comment on #3.

RubyGems Owner To-Do

In order to enable this workflow, a gem owner (@rmosolgo, that'd be you!) will need to configure a Trusted Publisher on RubyGems. This tutorial outlines the necessary steps.

1. Navigate to https://rubygems.org/gems/graphql-client/trusted_publishers
2. Authenticate (if necessary)
3. Click "Create" on the Trusted Publishers page
4. Select "GitHub Actions" as the publisher type
5. You may need to update the repository owner field to point to be "github-community-projects"
6. Set "release.yml" as the workflow name
7. Click "Create Rubygem trusted publisher"

That should be it on the RubyGems side of things.

Suggested Improvement

I didn't add this in the PR, but:

On some of my projects, I re-run my CI workflow before running the job that releases a gem as a last-minute backstop against anything strange happening. You can see that in action in this workflow file (reproduced and modified here):

jobs:
  ci:
    name: CI
    uses: ./.github/workflows/ci.yml
  release:
    name: Release to RubyGems
    permissions:
      contents: write
      id-token: write
    # Run the `ci` job before running the `release` job:
    needs: ci
    # etc. etc. etc.

The ci.yml workflow would need a small update to its trigger configuration to support this:

on:
  push:
  pull_request:
  workflow_call:

Relevant documentation:

• Reusing workflows
• Workflow syntax for GitHub Actions: on.workflow_call

Thanks!

Thanks for considering this change to this gem's workflow. Adopting this process should streamline the development cycle while also maintaining security and trust. Looking forward to your feedback.

[jgarber623]

Oh! Also maybe worth noting:

• The addition of this workflow (and the process changes it introduces) shouldn't preclude you from manually building and pushing a gem on your machine.
• Tangential to this PR, I'd also suggest adding the rubygems_mfa_required setting to this gem's metadata (documentation) and requiring all owners to enable MFA on their RubyGems account.

[rmosolgo]

🎉 0.20.0 is published with MFA from GitHub Actions. Thanks for this improvement! https://rubygems.org/gems/graphql-client/versions/0.20.0

[jgarber623]

@rmosolgo Thats great news! Glad I could help out.