fix precompiled releases attestation (#702)

Author: mensfeld

.github/workflows/push_linux_aarch64_gnu.yml

@@ -26,6 +26,14 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
+
+      # Vendor the attestation patch from rubygems/release-gem (no action execution)
+      - name: Vendor release-gem patch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: rubygems/release-gem
+          ref: a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1
+          path: .github/_release-gem
       - name: Install build dependencies
         run: |
           sudo apt-get update
@@ -41,25 +49,32 @@ jobs:
             libssl-dev \
             zlib1g-dev \
             libzstd-dev
+
       - name: Cache build-tmp directory
         uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ext/build-tmp
           key: build-tmp-${{ runner.os }}-${{ hashFiles('ext/*.sh') }}
+
       - name: Set up Ruby
         uses: ruby/setup-ruby@3fee6763234110473bd57dd4595c5199fce2c510 # v1.258.0
         with:
           ruby-version: '3.4'
           bundler-cache: false
+
       - name: Build precompiled librdkafka.so
         run: |
           cd ext
           ./build_linux_aarch64_gnu.sh
+
       - name: Configure trusted publishing credentials
         uses: rubygems/configure-rubygems-credentials@bc6dd217f8a4f919d6835fcfefd470ef821f5c44 # v1.0.0
-      - name: Build and push platform-specific gem
+
+      - name: Build and push platform-specific gem (with Sigstore attestation)
+        env:
+          RUBY_PLATFORM: 'aarch64-linux-gnu'
+          # Preload the attestation patch so `gem push` generates & attaches the bundle
+          RUBYOPT: "-r${{ github.workspace }}/.github/_release-gem/rubygems-attestation-patch.rb"
         run: |
           gem build *.gemspec
           gem push *.gem
-        env:
-          RUBY_PLATFORM: 'aarch64-linux-gnu'

.github/workflows/push_linux_x86_64_gnu.yml

@@ -26,6 +26,14 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
+
+      # Vendor the attestation patch from rubygems/release-gem (no action execution)
+      - name: Vendor release-gem patch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: rubygems/release-gem
+          ref: a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1
+          path: .github/_release-gem
       - name: Install build dependencies
         run: |
           sudo apt-get update
@@ -41,25 +49,32 @@ jobs:
             libssl-dev \
             zlib1g-dev \
             libzstd-dev
+
       - name: Cache build-tmp directory
         uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ext/build-tmp
           key: build-tmp-${{ runner.os }}-${{ hashFiles('ext/*.sh') }}
+
       - name: Set up Ruby
         uses: ruby/setup-ruby@3fee6763234110473bd57dd4595c5199fce2c510 # v1.258.0
         with:
           ruby-version: '3.4'
           bundler-cache: false
+
       - name: Build precompiled librdkafka.so
         run: |
           cd ext
           ./build_linux_x86_64_gnu.sh
+
       - name: Configure trusted publishing credentials
         uses: rubygems/configure-rubygems-credentials@bc6dd217f8a4f919d6835fcfefd470ef821f5c44 # v1.0.0
-      - name: Build and push platform-specific gem
+
+      - name: Build and push platform-specific gem (with Sigstore attestation)
+        env:
+          RUBY_PLATFORM: 'x86_64-linux-gnu'
+          # Preload the attestation patch so `gem push` generates & attaches the bundle
+          RUBYOPT: "-r${{ github.workspace }}/.github/_release-gem/rubygems-attestation-patch.rb"
         run: |
           gem build *.gemspec
           gem push *.gem
-        env:
-          RUBY_PLATFORM: 'x86_64-linux-gnu'

.github/workflows/push_linux_x86_64_musl.yml

@@ -59,21 +59,34 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
+
+      # Vendor the attestation patch from rubygems/release-gem (no action execution)
+      - name: Vendor release-gem patch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: rubygems/release-gem
+          ref: a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1
+          path: .github/_release-gem
       - name: Download precompiled library
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: librdkafka-precompiled-musl
           path: ext/
+
       - name: Set up Ruby
         uses: ruby/setup-ruby@3fee6763234110473bd57dd4595c5199fce2c510 # v1.258.0
         with:
           ruby-version: '3.4'
           bundler-cache: false
+
       - name: Configure trusted publishing credentials
         uses: rubygems/configure-rubygems-credentials@bc6dd217f8a4f919d6835fcfefd470ef821f5c44 # v1.0.0
-      - name: Build and push platform-specific gem
+
+      - name: Build and push platform-specific gem (with Sigstore attestation)
+        env:
+          RUBY_PLATFORM: 'x86_64-linux-musl'
+          # Preload the attestation patch so `gem push` generates & attaches the bundle
+          RUBYOPT: "-r${{ github.workspace }}/.github/_release-gem/rubygems-attestation-patch.rb"
         run: |
           gem build *.gemspec
           gem push *.gem
-        env:
-          RUBY_PLATFORM: 'x86_64-linux-musl'

.github/workflows/push_macos_arm64.yml

@@ -25,30 +25,46 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
+
+      # Vendor the attestation patch from rubygems/release-gem (no action execution)
+      - name: Vendor release-gem patch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: rubygems/release-gem
+          ref: a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1
+          path: .github/_release-gem
+
       - name: Install Bash 4+ and Kerberos
         run: |
           brew install bash
           brew list krb5 &>/dev/null || brew install krb5
           echo "/opt/homebrew/bin" >> $GITHUB_PATH
+
       - name: Cache build-tmp directory
         uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ext/build-tmp-macos
           key: build-tmp-${{ runner.os }}-${{ hashFiles('ext/*.sh', 'ext/Rakefile') }}-v2
+
       - name: Set up Ruby
         uses: ruby/setup-ruby@3fee6763234110473bd57dd4595c5199fce2c510 # v1.258.0
         with:
           ruby-version: '3.4'
           bundler-cache: false
+
       - name: Build precompiled librdkafka for macOS ARM64
         run: |
           cd ext
           /opt/homebrew/bin/bash ./build_macos_arm64.sh
+
       - name: Configure trusted publishing credentials
         uses: rubygems/configure-rubygems-credentials@bc6dd217f8a4f919d6835fcfefd470ef821f5c44 # v1.0.0
-      - name: Build and push platform-specific gem
+
+      - name: Build and push platform-specific gem (with Sigstore attestation)
+        env:
+          RUBY_PLATFORM: 'arm64-darwin'
+          # Preload the attestation patch so `gem push` generates & attaches the bundle
+          RUBYOPT: "-r${{ github.workspace }}/.github/_release-gem/rubygems-attestation-patch.rb"
         run: |
           gem build *.gemspec
           gem push *.gem
-        env:
-          RUBY_PLATFORM: 'arm64-darwin'

CHANGELOG.md

@@ -1,6 +1,7 @@
 # Rdkafka Changelog
 
 ## 0.23.1 (Unreleased)
+- [Enhancement] Improve sigstore attestation for precompiled releases.
 - [Fix] Fix incorrectly set default SSL certs dir.
 - [Fix] Disable OpenSSL Heartbeats during compilation.