@workos-sdk-automation
Summary

  • Replace rubygems/release-gem with manual build and push
  • Use rubygems/configure-rubygems-credentials for OIDC authentication
  • Run rake build instead of rake release to avoid git operations

Problem

The rubygems/release-gem action runs bundle exec rake release, which includes release:source_control_push that tries to push git tags. The publish job only has contents: read permission, causing the workflow to fail with:

remote: Permission to workos/workos-ruby.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/workos/workos-ruby/': The requested URL returned error: 403

The previous fix attempted to use a gem-push-command input, but that input doesn't exist in the rubygems/release-gem action.

Solution

Use rubygems/configure-rubygems-credentials to set up OIDC auth, then manually:

  1. bundle exec rake build - builds the gem without git operations
  2. gem push - pushes to RubyGems

Test plan

  • Verify CI passes
  • Trigger a release to confirm the workflow completes successfully

🤖 Generated with Claude Code

Replace rubygems/release-gem with manual build and push to avoid
the rake release task attempting git operations (which fails due
to insufficient permissions in the publish job).

- Use rubygems/configure-rubygems-credentials for OIDC auth
- Run rake build to create the gem without git operations
- Push directly with gem push

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@workos-sdk-automation workos-sdk-automation bot requested a review from a team as a code owner February 3, 2026 16:59
@workos-sdk-automation workos-sdk-automation bot requested review from marktran and removed request for a team February 3, 2026 16:59
@gjtorikian gjtorikian merged commit 5ab23f0 into main Feb 3, 2026
8 checks passed
@gjtorikian gjtorikian deleted the fix-release-oidc-publish branch February 3, 2026 17:01
greptile-apps bot commented Feb 3, 2026

Greptile Overview

Greptile Summary

This PR fixes the release workflow by replacing the rubygems/release-gem action with a manual gem build and publish process using OIDC authentication. The previous approach failed because rake release attempted git operations that required write permissions not available in the publish job.

Key Changes

  • Added version output to create-release job to pass version information to the publish job
  • Integrated rubygems/configure-rubygems-credentials action for OIDC-based authentication
  • Replaced automated rubygems/release-gem with manual bundle exec rake build and gem push commands

Analysis

The solution properly separates concerns: git operations run in the create-release job with contents: write permission, while gem publishing runs in the publish job with id-token: write permission. The manual gem push approach avoids the git permission issues that caused previous workflow failures.

Confidence Score: 4/5

  • This PR is safe to merge with minimal risk
  • The changes properly fix the permission issue by separating git operations from gem publishing. The OIDC authentication approach is secure and the manual build/push commands are straightforward. One minor style concern is using @main instead of a pinned version for the credentials action.
  • No files require special attention beyond the suggested version pinning improvement

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/release.yml | Replaced rubygems/release-gem action with manual build and OIDC-based gem push, avoiding git permission issues |

Sequence Diagram

sequenceDiagram
    participant PR as Pull Request
    participant CRJ as create-release Job
    participant GH as GitHub API
    participant PJ as publish Job
    participant OIDC as RubyGems OIDC
    participant RG as RubyGems

    PR->>CRJ: PR merged with version-bump label
    CRJ->>CRJ: Generate GitHub App token
    CRJ->>CRJ: Checkout repository
    CRJ->>CRJ: Extract version from version.rb
    CRJ->>GH: Create GitHub release with tag
    CRJ->>PJ: Pass version output
    
    PJ->>OIDC: Configure credentials (role-to-assume)
    OIDC-->>PJ: OIDC authentication complete
    PJ->>PJ: Checkout repository
    PJ->>PJ: Setup Ruby 3.2
    PJ->>PJ: Run bundle exec rspec
    PJ->>PJ: Run bundle exec rake build
    PJ->>RG: gem push pkg/workos-{version}.gem
    RG-->>PJ: Gem published successfully

@greptile-apps greptile-apps bot left a comment


1 file reviewed, 1 comment


Comment on lines +56 to +59
- name: Configure RubyGems credentials
uses: rubygems/configure-rubygems-credentials@main
with:
role-to-assume: rg_oidc_akr_fn8dx45asckvmsnd2kka
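Review bot: `uses: rubygems/configure-rubygems-credentials@main` on the second line of this hunk resolves to whatever the `main` branch holds at run time, and this is the step that is handed `role-to-assume`. Pin the action to a full commit SHA and keep the version in a trailing comment, rather than referencing a branch or a movable tag.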
Consider pinning rubygems/configure-rubygems-credentials to a specific version tag instead of @main to prevent unexpected changes

Suggested change
- name: Configure RubyGems credentials
uses: rubygems/configure-rubygems-credentials@main
with:
role-to-assume: rg_oidc_akr_fn8dx45asckvmsnd2kka
- name: Configure RubyGems credentials
uses: rubygems/configure-rubygems-credentials@v1
with:
role-to-assume: rg_oidc_akr_fn8dx45asckvmsnd2kka