Skip to content

Use RubyGems trusted publishing in the publish workflow#94

Merged
bradymholt merged 1 commit into
mainfrom
rubygems-trusted-publishing
Jul 2, 2026
Merged

Use RubyGems trusted publishing in the publish workflow#94
bradymholt merged 1 commit into
mainfrom
rubygems-trusted-publishing

Conversation

@bradymholt

@bradymholt bradymholt commented Jul 2, 2026

Copy link
Copy Markdown
Member

I just configured GitHub Actions as a trusted publisher for the ynab gem on RubyGems.org, which means publishing no longer needs a manually pasted API key and OTP code every time we run the workflow. This updates publish.yml accordingly.

The workflow now requests a GitHub OIDC token (via the new id-token: write permission) and exchanges it for a short-lived RubyGems key using the official rubygems/configure-rubygems-credentials action, pinned to a commit SHA like our other actions. That replaces the step that wrote the pasted key into ~/.gem/credentials, and since trusted publishing tokens bypass the OTP requirement, both the rubygems_api_key and rubygems_otp inputs are gone, along with the action-hide-sensitive-inputs step that existed only to mask them in the logs.

One thing to notice: adding an explicit permissions block replaces the default token permissions, so the block also includes contents: write (for the release creation step) and issues: write / pull-requests: write (for the step that comments on released PRs). Everything downstream (rake publish, the version bump, the GitHub release) is unchanged.

Testing

This can only really be verified by running the publish workflow itself, so the next release will be the proof. The trusted publisher on RubyGems.org is registered against this repo with workflow filename publish.yml and no environment restriction, matching this configuration.

Replace the manually-entered API key and OTP inputs with OIDC-based
trusted publishing via rubygems/configure-rubygems-credentials, so
publishing no longer requires handling long-lived credentials.
@bradymholt bradymholt changed the title placeholder Use RubyGems trusted publishing in the publish workflow Jul 2, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgithub/​rubygems/​configure-rubygems-credentials@​dc5a8d8553e6ee01fc26761a49e99e733d17954a9910010010080

View full report

@bradymholt bradymholt requested a review from eebs July 2, 2026 16:14
@bradymholt bradymholt enabled auto-merge July 2, 2026 16:14
@bradymholt bradymholt merged commit 02cd8f0 into main Jul 2, 2026
3 checks passed
@bradymholt bradymholt deleted the rubygems-trusted-publishing branch July 2, 2026 16:17
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

The changes in this PR were just released in 5.2.0 🎉.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants