[PROF-11827] Bootstrap publishing ruby gem from CI using trusted publishing (#1067)

**What does this PR do?**

This PR bootstraps a new GitHub workflow to publish the `libdatadog`
Ruby gem directly from CI and using
[trusted publishing](https://guides.rubygems.org/trusted-publishing/).

It's not fully set up completely, as I'm having trouble testing
the authentication part, I suspect because I'm working off a branch
and because the workflow does not yet exist on main.

Note also that I've set up a `publish-ruby` environment in
https://github.com/datadog/libdatadog/settings/environments which
can be used to control who can run this action.

**Motivation:**

Replace our current release approach that requires manually accessing
authentication keys to one that's fully automated and verified.

**Additional Notes:**

N/A

**How to test the change?**

As I said above, this is not yet fully wired up. Also, on purpose
I've disabled the step where we would upload actual packages until
we can fully validate everything is working fine.

Author: ivoanjo

.github/workflows/publish-ruby.yml

@@ -0,0 +1,22 @@
+name: Publish Ruby gem
+on: workflow_dispatch
+
+concurrency: "publish-ruby" # Only one publish job at a time
+
+jobs:
+  publish-ruby:
+    name: Build and push gem to RubyGems.org
+    runs-on: ubuntu-24.04
+    environment: "publish-ruby" # see: https://github.com/datadog/libdatadog/settings/environments
+    permissions:
+      id-token: write # Required for trusted publishing, see https://github.com/rubygems/release-gem
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@e34163cd15f4bb403dcd72d98e295997e6a55798 # v1.238.0
+        with:
+          ruby-version: 'ruby'
+      - name: Install dependencies
+        working-directory: ruby
+        run: bundle install
+      - uses: rubygems/release-gem@a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1

rakefile.rb

@@ -0,0 +1,8 @@
+# This file is used so that the Ruby `rake` command can be used from the root of the repository.
+# This is needed for the publish-ruby.yml CI workflow to work.
+
+require "rake"
+
+Dir.chdir("ruby")
+Rake.application.add_import("Rakefile")
+Rake.application.load_imports

ruby/README.md

@@ -3,9 +3,6 @@
 `libdatadog` provides a shared library containing common code used in the implementation of Datadog's libraries,
 including [Continuous Profilers](https://docs.datadoghq.com/tracing/profiler/).
 
-(In a past life, `libdatadog` was known as [`libddprof`](https://github.com/datadog/libddprof) but it was renamed when
-we decided to increase its scope).
-
 **NOTE**: If you're building a new Datadog library/profiler or want to contribute to Datadog's existing tools, you've come to the
 right place!
 Otherwise, this is possibly not the droid you were looking for.
@@ -19,20 +16,18 @@ You can also run `bundle exec pry` for an interactive prompt that will allow you
 
 You can use `bundle exec rake package` to generate packages locally without publishing them.
 
-TIP: If the test that checks for permissions ("gem release process ... sets the right permissions on the gem files"), you
+TIP: If the test that checks for permissions ("gem release process ... sets the right permissions on the gem files"), fails you
 may need to run `umask 0022 && bundle exec rake package` so that the generated packages have the correct permissions.
 
 ## Releasing a new version to rubygems.org
 
-Note: No Ruby needed to run this! It all runs inside docker :)
-
-Note: Publishing new releases to rubygems.org can only be done by Datadog employees.
+Note: No Ruby needed to run this! It all runs in CI!
 
 1. [ ] Locate the new libdatadog release on GitHub: <https://github.com/datadog/libdatadog/releases>
 2. [ ] Update the `LIB_GITHUB_RELEASES` section of the `Rakefile` with the hashes from the new version
 3. [ ] Update the <lib/libdatadog/version.rb> file with the `LIB_VERSION` and `VERSION` to use
 4. [ ] Commit change, open PR, get it merged
-5. [ ] Release by running `docker-compose run push_to_rubygems`.
+5. [ ] Trigger the "Publish Ruby gem" workflow in <https://github.com/DataDog/libdatadog/actions/workflows/publish-ruby.yml>
 6. [ ] Verify that release shows up correctly on: <https://rubygems.org/gems/libdatadog>
 
 ## Contributing

ruby/Rakefile

@@ -129,14 +129,10 @@ task push_to_rubygems: [
   :package,
   :"release:guard_clean"
 ] do
-  puts "Please input 'libdatadog ruby release key' from 'Shared-Profiling' Datadog 1Password:"
-  input = $stdin.gets.strip
-
-  ENV["GEM_HOST_API_KEY"] = input
-
-  system("gem push pkg/libdatadog-#{Libdatadog::VERSION}.gem")
-  system("gem push pkg/libdatadog-#{Libdatadog::VERSION}-x86_64-linux.gem")
-  system("gem push pkg/libdatadog-#{Libdatadog::VERSION}-aarch64-linux.gem")
+  puts "TODO: DISABLED PUSHING TO RUBYGEMS"
+  # abort unless system("gem push pkg/libdatadog-#{Libdatadog::VERSION}.gem")
+  # abort unless system("gem push pkg/libdatadog-#{Libdatadog::VERSION}-x86_64-linux.gem")
+  # abort unless system("gem push pkg/libdatadog-#{Libdatadog::VERSION}-aarch64-linux.gem")
 end
 
 module Helpers
@@ -198,3 +194,6 @@ end
 
 Rake::Task["build"].clear
 task(:build) { raise "Build task is disabled, use package instead" }
+
+Rake::Task["release"].clear
+task(:release) { Rake::Task["push_to_rubygems"].invoke }

ruby/docker-compose.yml

@@ -11,3 +11,4 @@
 gem "http", "~> 5.0" unless RUBY_VERSION < "2.5"
 gem "pry"
 gem "pry-byebug" unless RUBY_VERSION > "3.1"
+gem "rubygems-await"