Merge pull request #2405 from ViewComponent/2224-setup-trusted-publishing

joelhawksley · web-flow · commit 6a3336297367 · 2025-07-30T19:35:34.000-06:00
Setup Trusted Publishing
diff --git a/.github/workflows/push_gem.yml b/.github/workflows/push_gem.yml
@@ -0,0 +1,38 @@
+name: Push Gem
+
+on:
+  push:
+    tags:
+      - v*
+
+permissions:
+  contents: read
+
+jobs:
+  push:
+    if: github.repository == 'ViewComponent/view_component'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      id-token: write
+
+    # GitHub environment configured on RubyGems
+    environment: release
+
+    steps:
+      # Set up
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@v4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          ruby-version: ruby
+
+      # Release
+      - uses: rubygems/release-gem@v1
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -10,6 +10,10 @@ nav_order: 6
 
 ## main
 
+* Setup Trusted Publishing to RubyGems to improve software supply chain safety.
+
+    *Hans Lemuet*
+
 ## 4.0.0
 
 Two years after releasing [3.0.0](https://github.com/ViewComponent/view_component/releases/tag/v3.0.0) and almost six years since [1.0.0](https://github.com/ViewComponent/view_component/releases/tag/v1.0.0), we're proud to ship ViewComponent 4. This release marks a shift towards a Long Term Support model for the project, having reached significant feature maturity. While contributions are always welcome, we're unlikely to accept further breaking changes or major feature additions.
diff --git a/script/publish b/script/publish
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Publish gem
-bundle exec rake release
+# this step has been replaced by .github/workflows/push_gem.yml
 
 # Publish updated docs
 git branch -D gh-pages
diff --git a/script/release b/script/release
@@ -82,7 +82,9 @@ push() {
 
   echo "####################################################"
   echo "Now, open a PR with this branch and merge it to main"
-  echo "Then, run script/publish on main to release the gem"
+  echo "Then, run script/publish on main to publish the docs"
+  echo "The gem will be pushed to RubyGems automatically by"
+  echo "Github Actions, using Trusted Publishing."
   echo "Finally, create a GitHub release https://github.com/viewcomponent/view_component/releases/new with the changes from docs/CHANGELOG"
   echo "####################################################"
 }
