RubyGems - configure_trusted_publisher - Versions diffs - 0.1.5 → 0.1.7 - Mend

configure_trusted_publisher 0.1.5 → 0.1.7

Files changed (5) hide show

checksums.yaml +4 -4
data/README.md +2 -1
data/lib/configure_trusted_publisher/cli.rb +92 -100
data/lib/configure_trusted_publisher/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5df3ee4bdd488d5f14ee555fb5a9d1604615f523fab0397b992b7afcee8a0527
-  data.tar.gz: acfed99642dd587cb9bc0e03719de8349415b69704df949132653f984457ae98
+  metadata.gz: 62e88e6f8fe2b2d276cb12750fa89c2197510a32c2c0f173f8d1fb0882c48195
+  data.tar.gz: 1aca9105419c282a2e007f9d0289425bfddbdca0508a008d9142fddb79aa7072
 SHA512:
-  metadata.gz: 48d61e87dd4240916c505a6adad16eeb7a3d85d426d37c6692775fd4921fef00885285b95476de49a86085a716ea85aec028d12e2e457d9b5532432c8048f407
-  data.tar.gz: e9db9496d534fb4025f8bc3ca058a47a3cb5ef9ba741e8a13c2c3e3a34bac740c334b1ae55258412b38e820d9043f61a81ba9da7a4f2c7f68cd0b6b96c6b8335
+  metadata.gz: 593966c8a3b809875c88151be176f7e6c62feeb934f337cf1e54479668fd24dbc4e763fb3bb1eb579292b9f1b4e758fef4c9b9e3db8f59c9677446df9eca974a
+  data.tar.gz: 9ea13772ac9bd771cdf766cdfed92e906aaf05498744172a225c055d5e71a1fd5b2f598ba86e4c5700b78c3c3b42c4d61aab8c1b29b3c52325dd3c0f797032f5

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # ConfigureTrustedPublisher
-A small CLI to automate the process of configuring a trusted publisher for a gem.
+A small CLI to automate the process of configuring a [trusted publisher](https://guides.rubygems.org/trusted-publishing/) for a gem and [automating gem releases](https://guides.rubygems.org/trusted-publishing/releasing-gems/) with GitHub Actions!.
 ## Usage
@@ -9,6 +9,7 @@ To configure a trusted publisher for a gem, run the following command:
 ```console
 $ gem exec configure_trusted_publisher rubygem
 Configuring trusted publisher for rubygem0 in /Users/segiddins/Development/github.com/rubygems/configure_trusted_publisher for rubygems/configure_trusted_publisher
 Enter your https://rubygems.org credentials.
 Don't have an account yet? Create one at https://rubygems.org/sign_up
 Username/email: : gem-author

data/lib/configure_trusted_publisher/cli.rb CHANGED Viewed

@@ -9,6 +9,7 @@ require "bundler"
 require "json"
 require "open3"
 require "rubygems/gemcutter_utilities"
+require "yaml"
 Gem.configuration.verbose = true
@@ -153,17 +154,26 @@ module ConfigureTrustedPublisher
         puts "Configuring trusted publisher for #{rubygem_name} in #{File.expand_path(repository)} for " \
              "#{github_repository.join('/')}"
+        write_release_action(repository, rubygem_name, environment: add_environment)
         gc = GemcutterUtilities.new(
           say: ->(msg) { puts msg },
-          ask: ->(msg) { ask msg.chomp(":") },
-          ask_for_password: ->(msg) { ask_secret msg.chomp(":") },
-          terminate_interaction: ->(msg) { exit msg },
+          ask: lambda { |msg|
+                 puts
+                 ask msg.chomp(":")
+               },
+          ask_for_password: lambda { |msg|
+                              puts
+                              ask_secret msg.chomp(":")
+                            },
+          terminate_interaction: lambda { |msg|
+                                   puts
+                                   exit msg
+                                 },
           otp: options[:otp]
         )
         gc.sign_in(scope: "configure_trusted_publishers") unless gc.api_key
-        write_release_action(repository, rubygem_name)
         owner, name = github_repository
         config = {
           "trusted_publisher" => {
@@ -235,15 +245,49 @@ module ConfigureTrustedPublisher
         raise "No GitHub repository found for #{gemspec.name}"
       end
+      def add_environment
+        puts
+        return unless ask_yes_or_no("Would you like to add a github environment to allow customizing " \
+                                    "prerequisites for the action?")
+        env_name = "rubygems.org"
+        owner, name = github_repository
+        puts "Adding GitHub environment to #{owner}/#{name} to protect the action"
+        if (env = Open3.capture2e("gh", "api", "repos/#{owner}/#{name}/environments").then do |output, status|
+              exit "Failed to list environments for #{owner}/#{name} using `gh api`:\n#{output}" unless status.success?
+              JSON.parse(output)["environments"].find { |e| e["name"] == env_name }
+            end)
+          puts
+          puts "Environment 'rubygems.org' already exists for #{owner}/#{name}:\n  #{env['html_url']}"
+        else
+          Open3.capture2e("gh", "api", "--method", "PUT",
+                          "repos/#{owner}/#{name}/environments/#{env_name}").then do |output, status|
+            unless status.success?
+              exit "Failed to create rubygems.org environment for #{owner}/#{name} using `gh api`:\n#{output}"
+            end
+            env = JSON.parse(output)
+            puts
+            puts "Created environment 'rubygems.org' for #{owner}/#{name}:\n  #{env['html_url']}"
+          end
+        end
+        env_name
+      end
       attr_reader :gemspec_source
       def gemspec
         gemspec_source.specs.first
       end
-      def write_release_action(repository, rubygem_name)
+      def write_release_action(repository, rubygem_name, environment: nil)
         tag = "Automatically when a new tag matching v* is pushed"
         manual = "Manually by running a GitHub Action"
+        puts
         response = ask_multiple_choice(
           "How would you like releases for #{rubygem_name} to be triggered?", [
             tag,
@@ -251,103 +295,50 @@ module ConfigureTrustedPublisher
           ],
           default: "2"
         )
-        case response
-        when tag
-          write_tag_action(repository)
-        when manual
-          write_manual_action(repository)
-        end
-      end
-      def write_tag_action(repository)
         action_file = File.expand_path(".github/workflows/push_gem.yml", repository)
         return unless check_action(action_file)
         File.write(
           action_file,
-          <<~YAML
-            name: Push Gem
-            on:
-              push:
-                tags:
-                  - v*
-            permissions:
-              contents: read
-            jobs:
-              push:
-                if: github.repository == 'rubygems/configure_trusted_publisher'
-                runs-on: ubuntu-latest
-                permissions:
-                  contents: write
-                  id-token: write
-                steps:
-                  # Set up
-                  - name: Harden Runner
-                    uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-                    with:
-                      egress-policy: audit
-                  - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-                  - name: Set up Ruby
-                    uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
-                    with:
-                      bundler-cache: true
-                      ruby-version: ruby
-                  # Release
-                  - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
-          YAML
-        )
-        puts "Created #{action_file}"
-      end
-      def write_manual_action(repository)
-        action_file = File.expand_path(".github/workflows/push_gem.yml", repository)
-        return unless check_action(action_file)
-        File.write(
-          action_file,
-          <<~YAML
-            name: Push Gem
-            on:
-              workflow_dispatch:
-            permissions:
-              contents: read
-            jobs:
-              push:
-                if: github.repository == 'rubygems/configure_trusted_publisher'
-                runs-on: ubuntu-latest
-                permissions:
-                  contents: write
-                  id-token: write
-                steps:
-                  # Set up
-                  - name: Harden Runner
-                    uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-                    with:
-                      egress-policy: audit
-                  - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-                  - name: Set up Ruby
-                    uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
-                    with:
-                      bundler-cache: true
-                      ruby-version: ruby
-                  # Release
-                  - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
-          YAML
+          [
+            "name: Push Gem",
+            nil,
+            "on:",
+            "  #{response == tag ? "push:\n    tags:\n      - 'v*'" : 'workflow_dispatch:'}",
+            nil,
+            "permissions:",
+            "  contents: read",
+            nil,
+            "jobs:",
+            "  push:",
+            "    if: github.repository == '#{github_repository.join('/')}'",
+            "    runs-on: ubuntu-latest",
+            if environment
+              "\n    environment:\n      name: #{environment}\n      url: https://rubygems.org/gems/#{rubygem_name}\n"
+            end,
+            "    permissions:",
+            "      contents: write",
+            "      id-token: write",
+            nil,
+            "    steps:",
+            "      # Set up",
+            "      - name: Harden Runner",
+            "        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1",
+            "        with:",
+            "          egress-policy: audit",
+            nil,
+            "      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4",
+            "      - name: Set up Ruby",
+            "        uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0",
+            "        with:",
+            "          bundler-cache: true",
+            "          ruby-version: ruby",
+            nil,
+            "      # Release",
+            "      - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1",
+            nil
+          ].join("\n")
         )
         puts "Created #{action_file}"
       end
@@ -355,9 +346,10 @@ module ConfigureTrustedPublisher
       def check_action(action_file)
         return FileUtils.mkdir_p(File.dirname(action_file)) || true unless File.exist?(action_file)
-        response = ask_multiple_choice(
-          "#{action_file} already exists, overwrite?", { "y" => "Yes", "n" => "No" },
-          default: "n"
+        puts
+        response = ask_yes_or_no(
+          "#{action_file} already exists, overwrite?",
+          default: false
         )
         return if response == "No"

data/lib/configure_trusted_publisher/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module ConfigureTrustedPublisher
-  VERSION = "0.1.5"
+  VERSION = "0.1.7"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: configure_trusted_publisher
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.1.7
 platform: ruby
 authors:
 - Samuel Giddins