From ed6c8957b89d92201318d4ba6725d25eec10b56b Mon Sep 17 00:00:00 2001 From: Stelios Frantzeskakis Date: Thu, 4 Jun 2026 22:31:03 +0300 Subject: [PATCH 1/2] [GH-7554] Automate Rubyzen releases --- .github/scripts/verify_release_version.rb | 18 ++++++++++ .github/workflows/release.yml | 43 +++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100755 .github/scripts/verify_release_version.rb create mode 100644 .github/workflows/release.yml diff --git a/.github/scripts/verify_release_version.rb b/.github/scripts/verify_release_version.rb new file mode 100755 index 0000000..8295284 --- /dev/null +++ b/.github/scripts/verify_release_version.rb @@ -0,0 +1,18 @@ +#!/usr/bin/env ruby +# frozen_string_literal: true +# +# Verifies that lib/rubyzen/version.rb matches the release tag, so that a +# GitHub Release can never publish a gem whose version doesn't match the tag. + +require_relative '../../lib/rubyzen/version' + +tag = ENV.fetch('RELEASE_TAG', '').strip +version = Rubyzen::VERSION + +if version == tag + puts "version.rb (#{version}) matches the release tag (#{tag})" +else + puts "::error::version.rb (#{version}) does not match the release tag (#{tag.inspect}). " \ + 'Bump the lib/rubyzen/version.rb before releasing.' + exit 1 +end diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..c415e71 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,43 @@ +name: Release + +# Publishes rubyzen-lint to RubyGems when a GitHub Release is published. +# Uses RubyGems Trusted Publishing (OIDC). +on: + release: + types: [published] + +permissions: + contents: read + id-token: write + +jobs: + publish: + name: Build and push to RubyGems + runs-on: ubuntu-latest + environment: release + steps: + - uses: actions/checkout@v5 + with: + ref: ${{ github.event.release.tag_name }} + persist-credentials: false + + - uses: ruby/setup-ruby@v1 + with: + ruby-version: '3.3' + bundler-cache: true + + - name: Run tests + run: bundle exec rake + + - name: Verify version.rb matches the release tag + env: + RELEASE_TAG: ${{ github.event.release.tag_name }} + run: ruby .github/scripts/verify_release_version.rb + + - name: Configure RubyGems trusted publishing + uses: rubygems/configure-rubygems-credentials@v2.0.0 + + - name: Build and push + run: | + gem build rubyzen-lint.gemspec + gem push rubyzen-lint-*.gem From f63fdd1ccd7406c05f20f1a46d7a3b7985e25fc9 Mon Sep 17 00:00:00 2001 From: Stelios Frantzeskakis Date: Thu, 4 Jun 2026 23:14:58 +0300 Subject: [PATCH 2/2] PR comments --- .github/scripts/verify_release_version.rb | 7 +++++-- .github/workflows/release.yml | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/scripts/verify_release_version.rb b/.github/scripts/verify_release_version.rb index 8295284..c7bcce9 100755 --- a/.github/scripts/verify_release_version.rb +++ b/.github/scripts/verify_release_version.rb @@ -9,10 +9,13 @@ tag = ENV.fetch('RELEASE_TAG', '').strip version = Rubyzen::VERSION -if version == tag +if tag.empty? + puts '::error::RELEASE_TAG is not set.' + exit 1 +elsif version == tag puts "version.rb (#{version}) matches the release tag (#{tag})" else puts "::error::version.rb (#{version}) does not match the release tag (#{tag.inspect}). " \ - 'Bump the lib/rubyzen/version.rb before releasing.' + 'Update lib/rubyzen/version.rb and recreate the release.' exit 1 end diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c415e71..9d0663f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,7 @@ jobs: steps: - uses: actions/checkout@v5 with: - ref: ${{ github.event.release.tag_name }} + ref: refs/tags/${{ github.event.release.tag_name }} persist-credentials: false - uses: ruby/setup-ruby@v1