Merged
2 changes: 1 addition & 1 deletion .github/workflows/gems-release-to-rubygems.yml
Expand Up @@ -23,4 +23,4 @@ jobs:

# We can't use the https://github.com/rubygems/release-gem workflow because it calls `rake release` rather than `rake gems:release`.
# `rake release` causes problems because it tries to push a git tag, but we've already manually tagged the release as part of the `gems-bump-version` workflow.
- run: gem install rake && rake gems:release
- run: gem exec rake gems:release
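Review bot: `gem exec rake gems:release` still resolves an unpinned rake at run time, so the release job is no more reproducible than the removed `gem install rake && rake gems:release`, and it additionally depends on the runner's RubyGems providing `gem exec` (RubyGems 3.4 or later). Consider pinning rake the same way the Rakefile pins `sigstore-cli:0.2.1`, i.e. `gem exec rake:<version> gems:release`, so a new rake release cannot silently change what the release job runs, and confirm the Ruby configured earlier in this workflow ships a RubyGems new enough for `gem exec`.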
9 changes: 6 additions & 3 deletions Rakefile
Expand Up @@ -68,7 +68,9 @@ namespace :gems do

GEMSPECS.each do |gemspec_path|
gem_name = File.basename(gemspec_path).sub(/\.gemspec$/, "")
gem_path = "pkg/#{gem_name}-#{Dependabot::VERSION}.gem"
gem_name_and_version = "#{gem_name}-#{Dependabot::VERSION}"
gem_path = "pkg/#{gem_name_and_version}.gem"
gem_attestation_path = "pkg/#{gem_name_and_version}.sigstore.json"

attempts = 0
loop do
Expand All @@ -80,7 +82,8 @@ namespace :gems do
attempts += 1
sleep(2)
begin
sh "gem push #{gem_path}"
sh "gem exec sigstore-cli:0.2.1 sign #{gem_path} --bundle #{gem_attestation_path}"
Member
Is there a way we can avoid pinning the sigstore-cli version? We might forget to update it

Member Author

@jeffwidman jeffwidman Apr 10, 2025
Yeah, good shout--I'm not super excited about pinning...

Given that we only push every week or two, and if it breaks it's not hard to fix and re-push, then I wonder if we could simply pin to latest? I don't know enough about Sigstore expectations to know if that's a good/bad idea... 🤷‍♂️

If we do want to pin to a version, we could do some hackery with a formal Gemfile and Gemfile.lock such that :dependabot: could auto-bump the versions, but I'd personally rather keep this lightweight for now... especially given there's a chance we may refactor this entire Rakefile away in the not too distant future:

So I'm tempted to ship this now, then modify the version pinning as a follow-on as we learn more... unless we are really confident we can skip version pinning altogether?

sh "gem push #{gem_path} --attestation #{gem_attestation_path}"
break
rescue StandardError => e
puts "! `gem push` failed with error: #{e}"
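Review bot: the signing step now sits inside the retry loop, so every failed `gem push` re-runs `sigstore-cli sign`, which requests a fresh ephemeral signing identity, writes a new transparency-log entry and overwrites `#{gem_attestation_path}` on each attempt; a push that fails after a successful sign should retry only the push. Move `sh "gem exec sigstore-cli:0.2.1 sign #{gem_path} --bundle #{gem_attestation_path}"` above `loop do` (or guard it with `File.exist?(gem_attestation_path)`) and keep `sh "gem push #{gem_path} --attestation #{gem_attestation_path}"` as the only command in the `begin` block. Related: the `rescue StandardError => e` branch still prints "! `gem push` failed with error", which is misleading when the failure actually came from the signing command, so either split the rescue or make the message name the command that failed.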
Expand All @@ -92,7 +95,7 @@ namespace :gems do
end

task :clean do
FileUtils.rm(Dir["pkg/*.gem"])
FileUtils.rm(Dir["pkg/*.gem", "pkg/*.sigstore.json"])
end
end
