Split rubygems release to matrix

So if publishing one gem fails/succeeds, the others can be idempotently retried independently Needed since the pending publisher for sigstore-cli had expired Signed-off-by: Samuel Giddins <[email protected]>
sigstore · Nov 19, 2024 · 3466311 · 3466311
1 parent f57a65e
commit 3466311
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 12 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -173,10 +173,15 @@ jobs:
           bundler-cache: true
       - name: Build the gem
         run: bin/rake build
+      - name: List built gems
+        id: list-gems
+        run: |
+          echo "gems=$(find pkg -type f -name '*.gem' -print0 | xargs -0 jq --compact-output --null-input --args '[$ARGS.positional[]]')" >> $GITHUB_OUTPUT
       - name: Run the smoketest
         run: |
-          ./bin/smoketest pkg/*.gem
+          ./bin/smoketest ${BUILT_GEMS}
         env:
+          BUILT_GEMS: ${{ fromJson(steps.list-gems.outputs.gems) }}
           WORKFLOW_NAME: ci
 
   all-tests-pass:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,6 +16,7 @@ jobs:
       id-token: write
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
+      built-gems: ${{ steps.list-gems.outputs.gems }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -40,9 +41,14 @@ jobs:
       - name: build
         run: bin/rake build
 
+      - name: List built gems
+        id: list-gems
+        run: |
+          echo "gems=$(find pkg -type f -name '*.gem' -print0 | xargs -0 jq --compact-output --null-input --args '[$ARGS.positional[]]')" >> $GITHUB_OUTPUT
+
       - name: Check release and tag name match built version
         run: |
-          for gem in pkg/*.gem; do
+          for gem in ${BUILT_GEMS}; do
             gemspec_version=$(gem spec ${gem} version | ruby -ryaml -e 'puts YAML.safe_load(ARGF.read, permitted_classes: [Gem::Version])')
             if [ "${RELEASE_TAG_NAME}" != "v${gemspec_version}" ]; then
               echo "Release tag name '${RELEASE_TAG_NAME}' does not match gemspec version 'v${gemspec_version}'"
@@ -51,10 +57,13 @@ jobs:
           done
         env:
           RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+          BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}
 
       - name: sign
         run: |
-          ./bin/smoketest pkg/*.gem
+          ./bin/smoketest ${BUILT_GEMS}
+        env:
+          BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}
 
       - name: Generate hashes for provenance
         shell: bash
@@ -106,6 +115,12 @@ jobs:
     permissions:
       # Used to authenticate to RubyGems.org via OIDC.
       id-token: write
+    strategy:
+      matrix:
+        built-gem: ${{ fromJson(needs.build.outputs.built-gems) }}
+    concurrency:
+      group: release-rubygems
+    name: Publish ${{ matrix.built-gem }} to RubyGems
     steps:
       - name: Download artifacts directories # goes to current working directory
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -116,16 +131,29 @@ jobs:
           ruby-version: "3.3"
           bundler-cache: false
 
+      - name: Clone rubygems HEAD
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: rubygems/rubygems
+          persist-credentials: false
+          fetch-depth: 0
+          ref: a5412d9a0e358893e20ac69a4c6c0c2bac59d888
+          path: rubygems
+
+      - name: Install rubygems HEAD
+        run: ruby setup.rb
+        working-directory: rubygems
+
       - name: Configure RubyGems credentials
         uses: rubygems/configure-rubygems-credentials@a2b9242bc411d79356771fc9b9ddebcc3cd1b5dd # main
         with:
           trusted-publisher: true
 
       - name: publish
         run: |
-          for gem in built-packages/*.gem; do
-            gem push "$gem"
-          done
+          gem push "$BUILT_GEM" --attestation "$(basename "$BUILT_GEM").sigstore.json"
+        env:
+          BUILT_GEM: ${{ matrix.built-gem }}
 
   release-github:
     needs: [build, generate-provenance]

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,16 +1,16 @@
 PATH
   remote: .
   specs:
-    sigstore (0.2.0)
+    sigstore (0.2.1)
       net-http
       protobug_sigstore_protos (~> 0.1.0)
       uri
 
 PATH
   remote: cli
   specs:
-    sigstore-cli (0.2.0)
-      sigstore (= 0.2.0)
+    sigstore-cli (0.2.1)
+      sigstore (= 0.2.1)
       thor
 
 GEM
@@ -147,8 +147,8 @@ CHECKSUMS
   rubocop-performance (1.23.0) sha256=34ae78cb1bc5f1a0b34a34a1f9f6eec2cb8b8b9cafa2ce37982021e86fa49171
   rubocop-rake (0.6.0) sha256=56b6f22189af4b33d4f4e490a555c09f1281b02f4d48c3a61f6e8fe5f401d8db
   ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
-  sigstore (0.2.0)
-  sigstore-cli (0.2.0)
+  sigstore (0.2.1)
+  sigstore-cli (0.2.1)
   simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5
   simplecov-html (0.12.3) sha256=4b1aad33259ffba8b29c6876c12db70e5750cb9df829486e4c6e5da4fa0aa07b
   simplecov_json_formatter (0.1.4) sha256=529418fbe8de1713ac2b2d612aa3daa56d316975d307244399fa4838c601b428

diff --git a/lib/sigstore/version.rb b/lib/sigstore/version.rb
@@ -15,5 +15,5 @@
 # limitations under the License.
 
 module Sigstore
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end