Release herb gem via trusted publishing (#532)

mensfeld · web-flow · commit c3150f5b0f03 · 2025-09-26T23:34:19.000+09:00
Following up on our discussion. This should do it. What is also needed is: - add deployment env to your repo settings - configure truste publidhing in rubygems Please note I do not have a way to test it. I made it based on my: https://github.com/karafka/rdkafka-ruby/blob/main/.github/workflows/push_linux_x86_64_gnu.yml
diff --git a/.github/workflows/build-gems.yml b/.github/workflows/build-gems.yml
@@ -100,3 +100,68 @@ jobs:
           path: pkg/*.gem
           if-no-files-found: error
           retention-days: 7
+
+  push:
+    name: Push gems with trusted publishing
+    if: github.event_name == 'release' && github.repository_owner == 'marcoroth'
+    needs: build
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - default
+          - aarch64-linux-gnu
+          - x86_64-linux-gnu
+          - x86_64-linux-musl
+          - aarch64-linux-musl
+          - x86_64-darwin
+          - arm64-darwin
+          - arm-linux-gnu
+          - arm-linux-musl
+          - x86-linux-gnu
+          - x86-linux-musl
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # Vendor the attestation patch from rubygems/release-gem
+      - name: Vendor release-gem patch
+        uses: actions/checkout@v4
+        with:
+          repository: rubygems/release-gem
+          ref: a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1
+          path: .github/_release-gem
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: false
+
+      - name: Download gem artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: gem-${{ matrix.target }}
+          path: pkg/
+
+      - name: Configure trusted publishing credentials
+        uses: rubygems/configure-rubygems-credentials@v1.0.0
+
+      - name: Push gem with Sigstore attestation
+        env:
+          # Preload the attestation patch so `gem push` generates & attaches the bundle
+          RUBYOPT: "-r${{ github.workspace }}/.github/_release-gem/rubygems-attestation-patch.rb"
+        run: |
+          cd pkg
+          for gem_file in *.gem; do
+            if [ -f "$gem_file" ]; then
+              echo "Pushing $gem_file"
+              gem push "$gem_file"
+            fi
+          done
