rubygems / rubygems.org

The Ruby community's gem hosting service.
https://rubygems.org
MIT License

Trusted Publishing with reusable workflow #4294

Open segiddins opened 10 months ago

segiddins commented 10 months ago
Hi. Let me ask about Trusted Publishing here since I can't find where to ask.

(Please tell me a different place if my question is inappropriate 🙏🏼 )

First, my try in the suggested way by the RubyGems document was successful! 🎉 (For details, see my repo's Actions log)
However, my try through a reusable workflow failed, unfortunately. I'm not sure about the failure cause, but rubygems/configure-rubygems-credentials failed with the following error:

No trusted publisher configured for this workflow found on https://rubygems.org/ for audience rubygems.org

See also the failure Actions log.

Here's a part of my Actions workflow settings:

# .github/workflows/release.yml in the gem repository
jobs:
  release:
    uses: ybiquitous/.github/.github/workflows/ruby-release-reusable.yml@new-ruby-release

# The sharable workflow in a different repository
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Ruby ${{ inputs.ruby-version }}
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ inputs.ruby-version }}
          bundler-cache: true
      - name: Publish gem to RubyGems.org
        uses: rubygems/release-gem@v1

For the sharable workflow code, see https://github.com/ybiquitous/.github/pull/31/files.

In short, is Trusted Publishing unsupported in a sharable workflow?
Last, this feature is fantastic! Thanks a lot. 👏🏼

Originally posted by @ybiquitous in https://github.com/rubygems/rubygems.org/issues/4285#issuecomment-1855990785

segiddins commented 10 months ago

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows#how-the-token-works-with-reusable-workflows dropping this here for my future reference.

woodruffw commented 10 months ago

Another possibly useful cross-reference: https://github.com/pypi/warehouse/issues/11096

segiddins commented 10 months ago

@ybiquitous there's some work we'd have to do here to support re-usable workflows outside of the calling repository.

Likely this will involve an extra (optional) input field for the reusable workflow, and the existing field will continue to refer to the calling (top-level) workflow (and be the job_workflow_ref as well if the reusable workflow is not specified).
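An added illustration in Ruby (not rubygems.org's code) of the matching rule sketched in the comment above: the publisher record's existing fields describe the calling (top-level) workflow, and a hypothetical optional reusable_workflow field accepts the job_workflow_ref of a pinned reusable workflow. Repository names and claim values are constructed samples, and the claim set is reduced to the fields this issue is about.

```ruby
# Added illustration, not rubygems.org code: a simplified trusted-publisher
# match over GitHub Actions OIDC token claims, extended with the optional
# reusable-workflow field proposed in the comment above.

# Claims from a token minted for a job running directly in the calling repo
# (constructed sample values, not a real token).
DIRECT_CLAIMS = {
  "aud" => "rubygems.org",
  "repository" => "ybiquitous/example-gem",
  "workflow_ref" => "ybiquitous/example-gem/.github/workflows/release.yml@refs/heads/main",
  "job_workflow_ref" => "ybiquitous/example-gem/.github/workflows/release.yml@refs/heads/main",
}.freeze

# Same calling workflow, but the job runs inside a reusable workflow from another
# repository: job_workflow_ref now points at the reusable workflow instead.
REUSABLE_CLAIMS = DIRECT_CLAIMS.merge(
  "job_workflow_ref" =>
    "ybiquitous/.github/.github/workflows/ruby-release-reusable.yml@refs/heads/new-ruby-release"
).freeze

# Hypothetical publisher record: repository and workflow_filename describe the
# calling (top-level) workflow; reusable_workflow is the proposed optional
# "owner/repo/path@ref" of the reusable workflow, nil when not configured.
TrustedPublisher = Struct.new(:repository, :workflow_filename, :reusable_workflow,
                              keyword_init: true)

# "owner/repo/path@ref" -> "owner/repo/path"
def workflow_path(ref_claim)
  ref_claim.split("@", 2).first
end

def trusted_publisher_matches?(publisher, claims)
  return false unless claims["aud"] == "rubygems.org"
  return false unless claims["repository"] == publisher.repository
  # The configured workflow filename is always checked against the caller.
  caller_path = "#{publisher.repository}/.github/workflows/#{publisher.workflow_filename}"
  return false unless workflow_path(claims["workflow_ref"]) == caller_path
  if publisher.reusable_workflow
    # Proposed behaviour: the job must come from exactly the pinned reusable workflow.
    claims["job_workflow_ref"] == publisher.reusable_workflow
  else
    # Current behaviour: the job must run in the calling workflow itself, so a
    # token minted inside a reusable workflow is rejected.
    claims["job_workflow_ref"] == claims["workflow_ref"]
  end
end
```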

ybiquitous commented 10 months ago

Likely this will involve an extra (optional) input field for the reusable workflow, and the existing field will continue to refer to the calling (top-level) workflow

I'm okay if reusable workflows are supported. 👌🏼