Merge pull request rails#52962 from rails/rm-releser

New release process using Trusted Publishing

Author: rafaelfranca

.github/workflows/rails_releaser_tests.yml

@@ -0,0 +1,29 @@
+name: Rails releaser tests
+
+on:
+  pull_request:
+    paths:
+    - "tools/releaser/**"
+  push:
+    paths:
+    - "tools/releaser/**"
+
+permissions:
+  contents: read
+
+jobs:
+  releaser_tests:
+    name: releaser tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ruby
+      - name: Bundle install
+        run: bundle install
+        working-directory: tools/releaser
+      - run: bundle exec rake
+        working-directory: tools/releaser

.github/workflows/release.yml

@@ -0,0 +1,40 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  release:
+    permissions:
+      contents: write
+      id-token: write
+
+    environment: release
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ruby
+    - uses: actions/setup-node@v4
+      with:
+        node-version: lts/*
+        registry-url: 'https://registry.npmjs.org'
+    - name: Configure trusted publishing credentials
+      uses: rubygems/[email protected]
+    - name: Bundle install
+      run: bundle install
+      working-directory: tools/releaser
+    - name: Run release rake task
+      run: bundle exec rake push
+      shell: bash
+      working-directory: tools/releaser
+      env:
+        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+    - name: Wait for release to propagate
+      run: gem exec rubygems-await pkg/*.gem
+      shell: bash

Gemfile

@@ -8,6 +8,8 @@ gem "minitest"
 # We need a newish Rake since Active Job sets its test tasks' descriptions.
 gem "rake", ">= 13"
 
+gem "releaser", path: "tools/releaser"
+
 gem "sprockets-rails", ">= 2.0.0", require: false
 gem "propshaft", ">= 0.1.7"
 gem "capybara", ">= 3.39"

Gemfile.lock

@@ -121,6 +121,13 @@ PATH
       thor (~> 1.0, >= 1.2.2)
       zeitwerk (~> 2.6)
 
+PATH
+  remote: tools/releaser
+  specs:
+    releaser (1.0.0)
+      minitest
+      rake (~> 13.0)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -689,6 +696,7 @@ DEPENDENCIES
   redcarpet (~> 3.2.3)
   redis (>= 4.0.1)
   redis-namespace
+  releaser!
   resque
   resque-scheduler
   rexml

RELEASING_RAILS.md

@@ -24,7 +24,7 @@ Obviously Rails cannot be released when it depends on unreleased code.
 Contact the authors of those particular gems and work out a release date that
 suits them.
 
-### Announce your plans to the rest of the team on Campfire
+### Announce your plans to the rest of the team on Basecamp
 
 Let them know of your plans to release.
 
@@ -56,58 +56,38 @@ Include an RC number if appropriate, e.g. `6.0.0.rc1`.
 
 ### Build and test the gem.
 
-Run `rake verify` to generate the gems and install them locally. `verify` also
-generates a Rails app with a migration and boots it to smoke test with in your
-browser.
+Run `rake install` to generate the gems and install them locally. You can now
+use the version installed locally to generate a new app and check if everything
+is working as expected.
 
 This will stop you from looking silly when you push an RC to rubygems.org and
 then realize it is broken.
 
-### Check credentials for RubyGems, npm, and GitHub
-
-For npm run `npm whoami` to check that you are logged in (`npm login` if not).
-
-For RubyGems run `gem login`. If there's no output you are logged in.
+### Check credentials for GitHub
 
 For GitHub run `gh auth status` to check that you are logged in (run `gh login` if not).
 
-npm and RubyGems require MFA. The release task will attempt to use a yubikey if
-available, which as we have release several packages at once is strongly
-recommended. Check that `ykman oath accounts list` has an entry for both
-`npmjs.com` and `rubygems.org`, if not refer to
-https://tenderlovemaking.com/2021/10/26/publishing-gems-with-your-yubikey.html
-for setup instructions.
-
-### Release to RubyGems and npm.
-
-IMPORTANT: Several gems have JavaScript components that are released as npm
-packages, so you must have Node.js installed, have an npm account (npmjs.com),
-and be a package owner for `@rails/actioncable`, `@rails/actiontext`, and
-`@rails/activestorage`. You can check this by making sure your
-npm user (`npm whoami`) is listed as an owner (`npm owner ls <pkg>`) of each
-package. Do not release until you're set up with npm!
-
 The release task will sign the release tag. If you haven't got commit signing
 set up, use https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work as a
 guide. You can generate keys with the GPG suite from here: https://gpgtools.org.
 
-Run `rake changelog:header` to put a header with the new version in every
-CHANGELOG. Don't commit this, the release task handles it.
+Run `rake prep_release` to prepare the release. This will populate the gemspecs and
+npm package.json with the current RAILS_VERSION, add the header to the CHANGELOGs,
+build the gems, and check if bundler can resolve the dependencies.
 
-Run `rake release`. This will populate the gemspecs and npm package.json with
-the current RAILS_VERSION, commit the changes, tag it, and push the gems to
-rubygems.org.
+You can now inspect the results in the diff and see if you are happy with the
+changes.
 
-### Make GitHub Releases from pushed tags
+To release, Run `rake release`. This will commit the changes, tag it, and create a GitHub
+release with the proper release notes in draft mode.
 
-We use GitHub Releases to publish the combined release summary for all gems. We
-can use a rake task and [GitHub cli](https://cli.github.com/) to do this
-(releases can also be created or edited on the web).
+Open the corresponding GitHub release draft and check that the release notes
+are correct. If everything is fine, publish the release.
 
-```
-bundle exec rake changelog:release_summary > ../6-1-7-release-summary.md
-gh release create v6.1.7 -R rails/rails -F ../6-1-7-release-summary.md
-```
+### Publish the gems
+
+To publish the gems approve the [Release workflow in GitHub Actions](https://github.com/rails/rails/actions/workflows/release.yml),
+that was created after the release was published.
 
 ### Send Rails release announcements
 
@@ -117,7 +97,6 @@ lists where you should announce:
 
 * [rubyonrails-core](https://discuss.rubyonrails.org/c/rubyonrails-core)
 * [rubyonrails-talk](https://discuss.rubyonrails.org/c/rubyonrails-talk)
-* [email protected]
 
 Use Markdown format for your announcement. Remember to ask people to report
 issues with the release candidate to the rails-core mailing list.

Rakefile

@@ -7,26 +7,14 @@ require "tasks/release"
 require "railties/lib/rails/api/task"
 require "tools/preview_docs"
 
-desc "Build gem files for all projects"
-task build: "all:build"
-
-desc "Build, install and verify the gem files in a generated Rails app."
-task verify: "all:verify"
-
-desc "Prepare the release"
-task prep_release: "all:prep_release"
-
-desc "Release all gems to rubygems and create a tag"
-task release: "all:release"
-
 desc "Run all tests by default"
 task default: %w(test test:isolated)
 
-%w(test test:isolated package gem).each do |task_name|
+%w(test test:isolated).each do |task_name|
   desc "Run #{task_name} task for all projects"
   task task_name do
     errors = []
-    FRAMEWORKS.each do |project|
+    Releaser::FRAMEWORKS.each do |project|
       system(%(cd #{project} && #{$0} #{task_name} --trace)) || errors << project
     end
     fail("Errors in #{errors.join(', ')}") unless errors.empty?
@@ -35,10 +23,10 @@ end
 
 desc "Smoke-test all projects"
 task :smoke, [:frameworks, :isolated] do |task, args|
-  frameworks = args[:frameworks] ? args[:frameworks].split(" ") : FRAMEWORKS
+  frameworks = args[:frameworks] ? args[:frameworks].split(" ") : Releaser::FRAMEWORKS
   # The arguments are positional, and users may want to specify only the isolated flag.. so we allow 'all' as a default for the first argument:
   if frameworks.include?("all")
-    frameworks = FRAMEWORKS
+    frameworks = Releaser::FRAMEWORKS
   end
 
   isolated = args[:isolated].nil? ? true : args[:isolated] == "true"
@@ -54,9 +42,6 @@ task :smoke, [:frameworks, :isolated] do |task, args|
   end
 end
 
-desc "Install gems for all projects."
-task install: "all:install"
-
 desc "Generate documentation for the Rails framework"
 if ENV["EDGE"]
   Rails::API::EdgeTask.new("rdoc")
@@ -78,9 +63,6 @@ task :preview_docs do
   system("tar -czf preview.tar.gz -C preview .")
 end
 
-desc "Bump all versions to match RAILS_VERSION"
-task update_versions: "all:update_versions"
-
 # We have a webhook configured in GitHub that gets invoked after pushes.
 # This hook triggers the following tasks:
 #

actioncable/Rakefile

@@ -8,8 +8,6 @@ require "action_cable"
 
 task default: :test
 
-task :package
-
 ENV["RAILS_MINITEST_PLUGIN"] = "true"
 
 Rake::TestTask.new do |t|

actionmailbox/Rakefile

@@ -4,8 +4,6 @@ require "bundler/setup"
 require "bundler/gem_tasks"
 require "rake/testtask"
 
-task :package
-
 ENV["RAILS_MINITEST_PLUGIN"] = "true"
 
 Rake::TestTask.new do |t|

actionmailer/Rakefile

@@ -5,8 +5,6 @@ require "rake/testtask"
 desc "Default Task"
 task default: [ :test ]
 
-task :package
-
 ENV["RAILS_MINITEST_PLUGIN"] = "true"
 
 # Run the unit tests

actionpack/Rakefile

@@ -7,8 +7,6 @@ test_files = FileList["test/**/*_test.rb"]
 desc "Default Task"
 task default: :test
 
-task :package
-
 ENV["RAILS_MINITEST_PLUGIN"] = "true"
 
 # Run the unit tests