Add the ability to push multiple gems

[jenshenny]

Part of the MFA RFC.

Adding the ability to push multiple gems on gem push reduces friction for gem owners that own and publish many gems at a time. Instead of entering an OTP code for each gem for those who have MFA enabled, an owner can run gem push with multiple gems which requires only one OTP code.

A brief proof of concept was explored: https://github.com/Shopify/rubygems/pull/2/files

[jchestershopify]

Just a personal opinion: it would be super nice if this was transactional. That is, a push of multiple gems either accepts all the gems or none of the gems.

The rationale comes from watching a Rails team member releasing Rails. Currently they push one gem at a time and there are often failures due to OTP expiry. This means Rails releases can be in an inconsistent state, where some gems have been pushed and some have not. If overlooked, this could break a lot of downstream systems trying to update Rails (or similar gem constellations).

In terms of implementation, I would guess this would mean that the post operation would have a multi-part MIME body so that each .gem is contained in a single operation.

The downside is that this will require a lot more work than just looping over a list repeatedly until things are done.

[bkuhlmann]

💡 You might want to consider using Gemsmith since automatic 2FA auth is built in by default. I write about this in detail here.

[hsbt]

This is better than nothing.

But I have over the 50+ gems and the general publish tool is rake release with bundler task each project dir, not push the multiple gems with gem push.

[simi]

Would it be helpful to provide a way to temporarily bypass MFA with short-living token? That way you can call something like gem login with new parameter, pass MFA and get back token valid for pushing gems in next 5 minutes with no need to pass MFA again.

[dorianmariecom]

the same MFA token is valid at least 30 seconds so you have time to push to your gems

[rubyFeedback]

This may be a useful change. It could also allow for both "styles", e. g. "continue, even after failure", as well as the other style being "only do it if all gems are pushed", so users could decide on their own.

Personally I don't really need this though. I am very much in the oldschool camp where I upload one gem at a time; takes more time but fewer issues in the long run. (I use ruby scripts to help me push stuff automatically though, such as running kramdown automatically and autogenerating a README.md from a README.gen file, for instance. And various other things.)

I don't use or need MFA though.

[dorianmariecom]

I have this bash script:

#!/bin/bash

set -e

rm -f *.gem
git pull
git push
gem build template-ruby-parser.gemspec
gem build code-ruby-parser.gemspec

for file in *.gem
do
  gem push $file
done

rm *.gem