configure_trusted_publisher 0.0.1 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5511679a5a528ab59e7aab878e7148bd6af838fe83671deb286f41343d6e531
-  data.tar.gz: 3db794f67c04a8f1143889741df654a5a8a74157b8fd2b143f332b0ebe0a8dca
+  metadata.gz: fa9e10544502d63d23b7677b099af4a53e2ae4436cd4cb8e5134cfcd41e541b7
+  data.tar.gz: f7608581cf5d2cc748630bb8fdf56771e7ce3e6ec8ce93385e30d2f721a7d2e3
 SHA512:
-  metadata.gz: a35b4d9b449812f533d86f8a6854771588afcf9d116844b81ecf4746b2265081dc42ad744f74ed69d107dc1e828b9a359ccb53f1f998e537b93f3fbdb65f5677
-  data.tar.gz: f3892edf8c3124397b027ab5673f160f86dbfe4ae1cec82ae2af6ae865424619373c92bd8262b092dc954f03c8c65b2b9148895303085cb6c88b65af5b184db0
+  metadata.gz: 71ea60d2723ca3d2c49eb7b1a6d3c1ab2bf1b6a95024e5414efd1ddbe57c71d17e1a54bd6c96d75f4c20b32182bf7dc349c7144105b0a4863c7b0ec73cabd62a
+  data.tar.gz: aeac3236be08f91c5e479e5fe2151b4a58be1c8f9c59d957204ee5fbe147041f1621b0aa26be99a0fa48063898dbaf0140e48f4b7783a2b90156b38dff52e81f

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Samuel Giddins
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,38 @@
+# ConfigureTrustedPublisher
+
+A small CLI to automate the process of configuring a trusted publisher for a gem.
+
+## Usage
+
+To configure a trusted publisher for a gem, run the following command:
+
+```console
+$ gem exec configure_trusted_publisher rubygem
+Configuring trusted publisher for rubygem0 in /Users/segiddins/Development/github.com/rubygems/configure_trusted_publisher for rubygems/configure_trusted_publisher
+Enter your https://rubygems.org credentials.
+Don't have an account yet? Create one at https://rubygems.org/sign_up
+Username/email: : gem-author
+      Password: :
+
+  1) Automatically when a new tag matching v* is pushed
+  2) Manually by running a GitHub Action
+
+How would you like releases for rubygem0 to be triggered? (1, 2) [2]: 2
+
+Successfully configured trusted publisher for rubygem0:
+  https://rubygems.org/gems/rubygem0/trusted_publishers
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at <https://github.com/rubygems/configure_trusted_publisher>.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/exe/configure_trusted_publisher

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "configure_trusted_publisher"
+require "configure_trusted_publisher/cli"
+
+ConfigureTrustedPublisher::CLI.start(ARGV)

data/lib/configure_trusted_publisher/cli.rb

@@ -0,0 +1,368 @@
+# frozen_string_literal: true
+
+require "command_kit"
+require "command_kit/commands"
+require "command_kit/interactive"
+require "io/console"
+
+require "bundler"
+require "json"
+require "rubygems/gemcutter_utilities"
+
+Gem.configuration.verbose = true
+
+module ConfigureTrustedPublisher
+  class GemcutterUtilities
+    include Gem::GemcutterUtilities
+
+    attr_reader :options
+
+    def initialize(say:, ask:, ask_for_password:, terminate_interaction:, otp:)
+      @options = {
+        otp:
+      }
+      @say = say
+      @ask = ask
+      @ask_for_password = ask_for_password
+      @terminate_interaction = terminate_interaction
+      @api_keys = {}
+    end
+
+    def say(...)
+      @say.call(...)
+    end
+
+    def ask(...)
+      @ask.call(...)
+    end
+
+    def ask_for_password(...)
+      @ask_for_password.call(...)
+    end
+
+    def get_mfa_params(...)
+      { "expires_at" => (Time.now + (15 * 60)).strftime("%Y-%m-%d %H:%M %Z"), "mfa" => false }
+    end
+
+    def terminate_interaction(...) = @terminate_interaction.call(...)
+
+    def api_key
+      return @api_keys[@host] if @api_keys[@host]
+
+      if ENV["GEM_HOST_API_KEY"]
+        ENV["GEM_HOST_API_KEY"]
+      elsif options[:key]
+        verify_api_key options[:key]
+      end
+    end
+
+    def set_api_key(host, key)
+      @api_keys[host] = key
+    end
+
+    def rubygems_api_request(*args, **, &)
+      # pp(args:, **)
+      resp = super(*args, **) do |req|
+        yield(req)
+        # pp(req: {
+        #      method: __method__,
+        #      req:,
+        #      url: req.uri,
+        #      req_body: req.body
+        #    })
+        _ = req
+      end
+      # pp(resp: {
+      #      method: __method__,
+      #      resp:,
+      #      resp_body: resp.body
+      #    })
+      _ = resp
+
+      resp
+    end
+
+    # def mfa_unauthorized?(response)
+    #   super.tap do |result|
+    #     pp result => {
+    #       method: __method__,
+    #       response:,
+    #       response_body: response.body
+    #     }
+    #   end
+    # end
+
+    # def api_key_forbidden?(response)
+    #   super.tap do |result|
+    #     pp result => {
+    #       method: __method__,
+    #       response:,
+    #       response_body: response.body
+    #     }
+    #   end
+    # end
+  end
+
+  class CLI
+    include CommandKit::Commands
+
+    command_name "configure_trusted_publisher"
+
+    class Rubygem < CommandKit::Command
+      include CommandKit::Options
+      include CommandKit::Interactive
+
+      option :name,
+             value: {
+               type: String
+             },
+             desc: "The name of the Rubygem to configure the trusted publisher for."
+
+      option :otp,
+             value: {
+               type: String
+             },
+             desc: "The one-time password for multi-factor authentication."
+
+      argument :repository, required: false, desc: "The repository to configure the trusted publisher for.",
+                            usage: "REPOSITORY"
+
+      def run(repository = ".")
+        @gemspec_source = Bundler::Source::Gemspec.new({
+                                                         "root_path" => Pathname(repository),
+                                                         "path" => "."
+                                                       })
+        rubygem_name = options[:name]
+        unless rubygem_name
+          if gemspec_source.specs.size > 1
+            raise "Multiple gemspecs found in #{repository}, please specify the gem name with --name"
+          elsif gemspec_source.specs.empty?
+            raise "No gemspecs found in #{repository}, please specify the gem name with --name"
+          end
+
+          rubygem_name = gemspec_source.specs.first.name
+        end
+
+        unless system("rake", "release", "--dry-run", chdir: repository, exception: false, out: File::NULL,
+                                                      err: File::NULL)
+          abort "rake release is not configured for #{rubygem_name} in #{repository}"
+        end
+
+        puts "Configuring trusted publisher for #{rubygem_name} in #{File.expand_path(repository)} for " \
+             "#{github_repository.join('/')}"
+
+        gc = GemcutterUtilities.new(
+          say: ->(msg) { puts msg },
+          ask: ->(msg) { ask msg.chomp(":") },
+          ask_for_password: ->(msg) { ask_secret msg.chomp(":") },
+          terminate_interaction: ->(msg) { exit msg },
+          otp: options[:otp]
+        )
+        gc.sign_in(scope: "configure_trusted_publishers") unless gc.api_key
+
+        write_release_action(repository, rubygem_name)
+
+        owner, name = github_repository
+        config = {
+          "trusted_publisher" => {
+            "repository_name" => name,
+            "repository_owner" => owner,
+            "workflow_filename" => "push_gem.yml"
+          },
+          "trusted_publisher_type" => "OIDC::TrustedPublisher::GitHubAction"
+        }
+
+        gc.rubygems_api_request(
+          :get,
+          "api/v1/gems/#{rubygem_name}/trusted_publishers",
+          scope: "configure_trusted_publishers"
+        ) do |req|
+          req["Accept"] = "application/json"
+          req.add_field "Authorization", gc.api_key
+        end.then do |resp| # rubocop:disable Style/MultilineBlockChain
+          if resp.code != "200"
+            abort "Failed to get trusted publishers for #{rubygem_name} (#{resp.code.inspect}):\n#{resp.body}"
+          end
+
+          existing = JSON.parse(resp.body)
+          if (e = existing.find do |pub|
+                config["trusted_publisher_type"] == pub["trusted_publisher_type"] &&
+                config["trusted_publisher"].all? do |k, v|
+                  pub["trusted_publisher"][k] == v
+                end
+              end)
+
+            abort "Trusted publisher for #{rubygem_name} already configured for " \
+                  "#{e.dig('trusted_publisher', 'name').inspect}"
+          end
+        end
+
+        resp = gc.rubygems_api_request(
+          :post,
+          "api/v1/gems/#{rubygem_name}/trusted_publishers",
+          scope: "configure_trusted_publishers"
+        ) do |req|
+          req["Content-Type"] = "application/json"
+          req["Accept"] = "application/json"
+          req.add_field "Authorization", gc.api_key
+
+          req.body = config.to_json
+        end
+
+        if resp.code == "201"
+          puts "Successfully configured trusted publisher for #{rubygem_name}:\n  " \
+               "#{gc.host}/gems/#{rubygem_name}/trusted_publishers"
+        else
+          abort "Failed to configure trusted publisher for #{rubygem_name}:\n#{resp.body}"
+        end
+      end
+
+      def github_repository
+        [
+          gemspec.metadata["source_code_uri"],
+          gemspec.metadata["homepage_uri"],
+          gemspec.metadata["bug_tracker_uri"],
+          gemspec.homepage
+        ].each do |uri|
+          next unless uri
+
+          if uri =~ %r{github.com[:/](?<owner>[^/]+)/(?<repo>[^/]+)}
+            return Regexp.last_match[:owner], Regexp.last_match[:repo]
+          end
+        end
+        raise "No GitHub repository found for #{gemspec.name}"
+      end
+
+      attr_reader :gemspec_source
+
+      def gemspec
+        gemspec_source.specs.first
+      end
+
+      def write_release_action(repository, rubygem_name)
+        tag = "Automatically when a new tag matching v* is pushed"
+        manual = "Manually by running a GitHub Action"
+        response = ask_multiple_choice(
+          "How would you like releases for #{rubygem_name} to be triggered?", [
+            tag,
+            manual
+          ],
+          default: "2"
+        )
+        case response
+        when tag
+          write_tag_action(repository)
+        when manual
+          write_manual_action(repository)
+        end
+      end
+
+      def write_tag_action(repository)
+        action_file = File.expand_path(".github/workflows/push_gem.yml", repository)
+        return unless check_action(action_file)
+
+        File.write(
+          action_file,
+          <<~YAML
+            name: Push Gem
+
+            on:
+              push:
+                tags:
+                  - v*
+
+            permissions:
+              contents: read
+
+            jobs:
+              push:
+                if: github.repository == 'rubygems/configure_trusted_publisher'
+                runs-on: ubuntu-latest
+
+                permissions:
+                  contents: write
+                  id-token: write
+
+                steps:
+                  # Set up
+                  - name: Harden Runner
+                    uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+                    with:
+                      egress-policy: audit
+
+                  - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+                  - name: Set up Ruby
+                    uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
+                    with:
+                      bundler-cache: true
+                      ruby-version: ruby
+
+                  # Release
+                  - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
+          YAML
+        )
+        puts "Created #{action_file}"
+      end
+
+      def write_manual_action(repository)
+        action_file = File.expand_path(".github/workflows/push_gem.yml", repository)
+        return unless check_action(action_file)
+
+        File.write(
+          action_file,
+          <<~YAML
+            name: Push Gem
+
+            on:
+              workflow_dispatch:
+
+            permissions:
+              contents: read
+
+            jobs:
+              push:
+                if: github.repository == 'rubygems/configure_trusted_publisher'
+                runs-on: ubuntu-latest
+
+                permissions:
+                  contents: write
+                  id-token: write
+
+                steps:
+                  # Set up
+                  - name: Harden Runner
+                    uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+                    with:
+                      egress-policy: audit
+
+                  - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+                  - name: Set up Ruby
+                    uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
+                    with:
+                      bundler-cache: true
+                      ruby-version: ruby
+
+                  # Release
+                  - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
+          YAML
+
+        )
+        puts "Created #{action_file}"
+      end
+
+      def check_action(action_file)
+        return FileUtils.mkdir_p(File.dirname(action_file)) || true unless File.exist?(action_file)
+
+        response = ask_multiple_choice(
+          "#{action_file} already exists, overwrite?", { "y" => "Yes", "n" => "No" },
+          default: "n"
+        )
+        return if response == "No"
+
+        true
+      end
+    end
+
+    command Rubygem
+  end
+end

data/lib/configure_trusted_publisher/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ConfigureTrustedPublisher
+  VERSION = "0.1.3"
+end

data/lib/configure_trusted_publisher.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "configure_trusted_publisher/version"
+
+module ConfigureTrustedPublisher
+  class Error < StandardError; end
+  # Your code goes here...
+end

metadata

@@ -1,11 +1,11 @@
 --- !ruby/object:Gem::Specification
 name: configure_trusted_publisher
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.3
 platform: ruby
 authors:
 - Samuel Giddins
-autorequire:
+autorequire: 
 bindir: exe
 cert_chain: []
 date: 2024-05-08 00:00:00.000000000 Z
@@ -38,20 +38,27 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.5.5
-description:
+description: 
 email:
 - segiddins@segiddins.me
-executables: []
+executables:
+- configure_trusted_publisher
 extensions: []
 extra_rdoc_files: []
-files: []
+files:
+- LICENSE.txt
+- README.md
+- exe/configure_trusted_publisher
+- lib/configure_trusted_publisher.rb
+- lib/configure_trusted_publisher/cli.rb
+- lib/configure_trusted_publisher/version.rb
 homepage: https://github.com/rubygems/configure_trusted_publisher
 licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/rubygems/configure_trusted_publisher
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -66,8 +73,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '3.5'
 requirements: []
-rubygems_version: 3.5.10
-signing_key:
+rubygems_version: 3.5.9
+signing_key: 
 specification_version: 4
 summary: A small CLI to automate the process of configuring a trusted publisher for
   a gem.