diff --git a/.github/scripts/verify_release_version.rb b/.github/scripts/verify_release_version.rb
new file mode 100755
index 0000000..c7bcce9
--- /dev/null
+++ b/.github/scripts/verify_release_version.rb
@@ -0,0 +1,21 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+#
+# Verifies that lib/rubyzen/version.rb matches the release tag, so that a
+# GitHub Release can never publish a gem whose version doesn't match the tag.
+
+require_relative '../../lib/rubyzen/version'
+
+tag = ENV.fetch('RELEASE_TAG', '').strip
+version = Rubyzen::VERSION
+
+if tag.empty?
+ puts '::error::RELEASE_TAG is not set.'
+ exit 1
+elsif version == tag
+ puts "version.rb (#{version}) matches the release tag (#{tag})"
+else
+ puts "::error::version.rb (#{version}) does not match the release tag (#{tag.inspect}). " \
+ 'Update lib/rubyzen/version.rb and recreate the release.'
+ exit 1
+end
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..9d0663f
--- /dev/null
+++ b/.github/workflows/release.yml
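Review bot: The comparison `version == tag` in the `elsif` branch of verify_release_version.rb is exact string equality, and the header comment does not say which tag format is expected, so a release tagged in the common `v`-prefixed form would be rejected and the maintainer told to edit version.rb. Whether this project tags with or without the prefix is not visible in the diff; if bare versions are intended, stating it in the header (`# RELEASE_TAG must equal Rubyzen::VERSION exactly, with no "v" prefix.`) makes the contract explicit, and if prefixed tags should be accepted, `tag = ENV.fetch('RELEASE_TAG', '').strip.delete_prefix('v')` handles it. The check also covers only the constant in version.rb; the gemspec is outside this diff, so it is worth confirming that it takes its version from `Rubyzen::VERSION`, since that is what keeps the built gem tied to the tag.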
@@ -0,0 +1,43 @@
+name: Release
+
+# Publishes rubyzen-lint to RubyGems when a GitHub Release is published.
+# Uses RubyGems Trusted Publishing (OIDC).
+on:
+ release:
+ types: [published]
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ publish:
+ name: Build and push to RubyGems
+ runs-on: ubuntu-latest
+ environment: release
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ ref: refs/tags/${{ github.event.release.tag_name }}
+ persist-credentials: false
+
+ - uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: '3.3'
+ bundler-cache: true
+
+ - name: Run tests
+ run: bundle exec rake
+
+ - name: Verify version.rb matches the release tag
+ env:
+ RELEASE_TAG: ${{ github.event.release.tag_name }}
+ run: ruby .github/scripts/verify_release_version.rb
+
+ - name: Configure RubyGems trusted publishing
+ uses: rubygems/configure-rubygems-credentials@v2.0.0
+
+ - name: Build and push
+ run: |
+ gem build rubyzen-lint.gemspec
+ gem push rubyzen-lint-*.gem
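Review bot: The three `uses:` steps in the `publish` job reference actions by mutable tags (`actions/checkout@v5`, `ruby/setup-ruby@v1`, `rubygems/configure-rubygems-credentials@v2.0.0`) in a job that holds `id-token: write`, so whatever those tags resolve to at release time runs in the job that can obtain the RubyGems publishing credential; pinning each to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v5`, removes the dependency on tag integrity. `bundle exec rake` and the `bundler-cache: true` restore execute in that same job, so test code, development dependencies and cached content share the privilege; running the tests in a separate job without `id-token: write` and making `publish` depend on it through `needs:` would narrow that. Separately, `gem push rubyzen-lint-*.gem` uploads whatever the glob matches rather than the version that was just verified; passing `RELEASE_TAG` into the final step's `env:` and using `gem push "rubyzen-lint-${RELEASE_TAG}.gem"` ties the upload to the checked tag.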