Merge pull request voxpupuli#66 from voxpupuli/ci

bastelfreak · web-flow · commit f8a90407ad0d · 2025-08-08T20:46:13.000+02:00
CI: Configure Vox Pupuli release defaults &amp; Set minimal token permissions &amp; Generate matrix dynamically
diff --git a/.github/release.yml b/.github/release.yml
@@ -0,0 +1,41 @@
+---
+# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+
+changelog:
+  exclude:
+    labels:
+      - duplicate
+      - invalid
+      - modulesync
+      - question
+      - skip-changelog
+      - wont-fix
+      - wontfix
+      - github_actions
+
+  categories:
+    - title: Breaking Changes 🛠
+      labels:
+        - backwards-incompatible
+
+    - title: New Features 🎉
+      labels:
+        - enhancement
+
+    - title: Bug Fixes 🐛
+      labels:
+        - bug
+        - bugfix
+
+    - title: Documentation Updates 📚
+      labels:
+        - documentation
+        - docs
+
+    - title: Dependency Updates ⬆️
+      labels:
+        - dependencies
+
+    - title: Other Changes
+      labels:
+        - "*"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,32 +1,106 @@
-name: Release
+---
+name: Gem Release
 
 on:
   push:
     tags:
       - '*'
 
+permissions: {}
+
 jobs:
-  release:
-    runs-on: ubuntu-latest
+  build-release:
+    # Prevent releases from forked repositories
     if: github.repository_owner == 'voxpupuli'
+    name: Build the gem
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
-      - name: Install Ruby 3.0
+      - name: Install Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.0'
-        env:
-          BUNDLE_WITHOUT: release
+          ruby-version: 'ruby'
       - name: Build gem
-        run: gem build --strict --verbose *.gemspec
+        shell: bash
+        run: gem build --verbose *.gemspec
+      - name: Upload gem to GitHub cache
+        uses: actions/upload-artifact@v4
+        with:
+          name: gem-artifact
+          path: '*.gem'
+          retention-days: 1
+          compression-level: 0
+
+  create-github-release:
+    needs: build-release
+    name: Create GitHub release
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write # clone repo and create release
+    steps:
+      - name: Download gem from GitHub cache
+        uses: actions/download-artifact@v5
+        with:
+          name: gem-artifact
+      - name: Create Release
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release create --repo ${{ github.repository }} ${{ github.ref_name }} --generate-notes *.gem
+
+  release-to-github:
+    needs: build-release
+    name: Release to GitHub
+    runs-on: ubuntu-24.04
+    permissions:
+      packages: write # publish to rubygems.pkg.github.com
+    steps:
+      - name: Download gem from GitHub cache
+        uses: actions/download-artifact@v5
+        with:
+          name: gem-artifact
+      - name: Publish gem to GitHub packages
+        run: gem push --host https://rubygems.pkg.github.com/${{ github.repository_owner }} *.gem
+        env:
+          GEM_HOST_API_KEY: ${{ secrets.GITHUB_TOKEN }}
+
+  release-to-rubygems:
+    needs: build-release
+    name: Release gem to rubygems.org
+    runs-on: ubuntu-24.04
+    environment: release # recommended by rubygems.org
+    permissions:
+      id-token: write # rubygems.org authentication
+    steps:
+      - name: Download gem from GitHub cache
+        uses: actions/download-artifact@v5
+        with:
+          name: gem-artifact
+      - uses: rubygems/configure-rubygems-credentials@v1.0.0
       - name: Publish gem to rubygems.org
+        shell: bash
         run: gem push *.gem
-        env:
-          GEM_HOST_API_KEY: '${{ secrets.RUBYGEMS_AUTH_TOKEN }}'
-      - name: Setup GitHub packages access
+
+  release-verification:
+    name: Check that all releases are done
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read # minimal permissions that we have to grant
+    needs:
+      - create-github-release
+      - release-to-github
+      - release-to-rubygems
+    steps:
+      - name: Download gem from GitHub cache
+        uses: actions/download-artifact@v5
+        with:
+          name: gem-artifact
+      - name: Install Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 'ruby'
+      - name: Wait for release to propagate
+        shell: bash
         run: |
-          mkdir -p ~/.gem
-          echo ":github: Bearer ${{ secrets.GITHUB_TOKEN }}" >> ~/.gem/credentials
-          chmod 0600 ~/.gem/credentials
-      - name: Publish gem to GitHub packages
-        run: gem push --key github --host https://rubygems.pkg.github.com/voxpupuli *.gem
+          gem install rubygems-await
+          gem await *.gem
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,3 +1,4 @@
+---
 name: Test
 
 on:
@@ -6,20 +7,33 @@ on:
     branches:
       - master
 
-env:
-  BUNDLE_WITHOUT: release
+permissions:
+  contents: read
 
 jobs:
+  rubocop_and_matrix:
+    runs-on: ubuntu-24.04
+    outputs:
+      ruby: ${{ steps.ruby.outputs.versions }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Ruby ${{ matrix.ruby }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+      - name: Run Rubocop
+        run: bundle exec rake rubocop
+      - id: ruby
+        uses: voxpupuli/ruby-version@v1
+
   test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    needs: rubocop_and_matrix
     strategy:
       fail-fast: false
       matrix:
-        include:
-          - ruby: "2.7"
-          - ruby: "3.0"
-          - ruby: "3.1"
-          - ruby: "3.2"
+        ruby: ${{ fromJSON(needs.rubocop_and_matrix.outputs.ruby) }}
     steps:
       - uses: actions/checkout@v4
       - name: Install Ruby ${{ matrix.ruby }}
@@ -31,10 +45,16 @@ jobs:
         run: bundle exec rake rubocop
       - name: Build the gem
         run: gem build --strict --verbose *.gemspec
+
   tests:
+    if: always()
     needs:
+      - rubocop_and_matrix
       - test
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Test suite
     steps:
-      - run: echo Test suite completed
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}
diff --git a/Gemfile b/Gemfile
@@ -4,7 +4,7 @@ source 'https://rubygems.org'
 
 gemspec
 
-group :release do
+group :release, optional: true do
   gem 'faraday-retry', '~> 2.1', require: false
   gem 'github_changelog_generator', '~> 1.16.4', require: false
 end
