Merge pull request rails#54513 from segiddins/segiddins/release-gems-with-attestations-from-github-actions

rafaelfranca · web-flow · commit 368465e8d8c0 · 2025-08-13T16:11:28.000-04:00
Release gems with attestations from GitHub Actions
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -113,6 +113,7 @@ PATH
     releaser (1.0.0)
       minitest
       rake (~> 13.0)
+      sigstore-cli
 
 GEM
   remote: https://rubygems.org/
@@ -397,6 +398,8 @@ GEM
       ruby2_keywords (~> 0.0.1)
     mutex_m (0.3.0)
     mysql2 (0.5.6)
+    net-http (0.6.0)
+      uri
     net-http-persistent (4.0.5)
       connection_pool (~> 2.2)
     net-imap (0.5.5)
@@ -433,6 +436,16 @@ GEM
       actionpack (>= 7.0.0)
       activesupport (>= 7.0.0)
       rack
+    protobug (0.1.0)
+    protobug_googleapis_field_behavior_protos (0.1.0)
+      protobug (= 0.1.0)
+      protobug_well_known_protos (= 0.1.0)
+    protobug_sigstore_protos (0.1.0)
+      protobug (= 0.1.0)
+      protobug_googleapis_field_behavior_protos (= 0.1.0)
+      protobug_well_known_protos (= 0.1.0)
+    protobug_well_known_protos (0.1.0)
+      protobug (= 0.1.0)
     psych (5.2.6)
       date
       stringio
@@ -586,6 +599,13 @@ GEM
       faraday (>= 0.17.5, < 3.a)
       jwt (>= 1.5, < 3.0)
       multi_json (~> 1.10)
+    sigstore (0.2.1)
+      net-http
+      protobug_sigstore_protos (~> 0.1.0)
+      uri
+    sigstore-cli (0.2.1)
+      sigstore (= 0.2.1)
+      thor
     sinatra (4.1.1)
       logger (>= 1.6.0)
       mustermann (~> 3.0)
diff --git a/tools/releaser/Gemfile.lock b/tools/releaser/Gemfile.lock
@@ -4,12 +4,34 @@ PATH
     releaser (1.0.0)
       minitest
       rake (~> 13.0)
+      sigstore-cli
 
 GEM
   remote: https://rubygems.org/
   specs:
     minitest (5.25.1)
+    net-http (0.6.0)
+      uri
+    protobug (0.1.0)
+    protobug_googleapis_field_behavior_protos (0.1.0)
+      protobug (= 0.1.0)
+      protobug_well_known_protos (= 0.1.0)
+    protobug_sigstore_protos (0.1.0)
+      protobug (= 0.1.0)
+      protobug_googleapis_field_behavior_protos (= 0.1.0)
+      protobug_well_known_protos (= 0.1.0)
+    protobug_well_known_protos (0.1.0)
+      protobug (= 0.1.0)
     rake (13.2.1)
+    sigstore (0.2.1)
+      net-http
+      protobug_sigstore_protos (~> 0.1.0)
+      uri
+    sigstore-cli (0.2.1)
+      sigstore (= 0.2.1)
+      thor
+    thor (1.3.2)
+    uri (1.0.2)
 
 PLATFORMS
   aarch64-linux
@@ -19,4 +41,4 @@ DEPENDENCIES
   releaser!
 
 BUNDLED WITH
-   2.5.17
+   2.6.3
diff --git a/tools/releaser/lib/releaser.rb b/tools/releaser/lib/releaser.rb
@@ -67,7 +67,7 @@ def define
 
         task push: :build do
           Dir.chdir(root) do
-            sh "gem push #{gem_path(framework)}#{gem_otp}"
+            sh "gem push #{gem_path(framework)}#{gem_otp(gem_path(framework))}"
 
             if File.exist?("#{framework}/package.json")
               Dir.chdir("#{framework}") do
@@ -314,10 +314,11 @@ def npm_otp
       " --provenance --access public"
     end
 
-    def gem_otp
+    def gem_otp(gem_path)
       " --otp " + ykman("rubygems.org")
     rescue
-      ""
+      sh "sigstore-cli sign #{gem_path} --bundle #{gem_path}.sigstore.json"
+      " --attestation #{gem_path}.sigstore.json"
     end
 
     def ykman(service)
diff --git a/tools/releaser/releaser.gemspec b/tools/releaser/releaser.gemspec
@@ -23,4 +23,5 @@ Gem::Specification.new do |s|
 
   s.add_dependency "rake", "~> 13.0"
   s.add_dependency "minitest"
+  s.add_dependency "sigstore-cli"
 end
