configure_trusted_publisher 0.1.6 → 0.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 75930e6d2a3b492c60737125a7e4a96abf6f50339722b4d454e2641675c4d094
-  data.tar.gz: 45b86dc2cea3ac44909fe36e93d4cedd98f8ec06abf6e7af4b0dbc33c2050f07
+  metadata.gz: 9618ca80722f42567b997bfc7f392a9c2265bf8bfe504a1a6e2b1fcea797d266
+  data.tar.gz: c64f6c0ec0ddbd143483fc4663826edfafb9c84e6d9a8a82d70c66444ef04347
 SHA512:
-  metadata.gz: abebcafcae7cd008644fa9e61837e4ea2d298f0ca409c827eed3bf3b90146d6498328d0c02a91f65c373317862962d7faec2a3bb1a524198d51b19119e576507
-  data.tar.gz: a2d9ee000971206315bb8bbfea72c583eebcc5f4fe05273567dc4148a920367ccb553079d90a3e821f6700c79e18213dd693de8e584edb7d8441efc28cadd9da
+  metadata.gz: 0a1274ea1f7f908e57801322ecabfe9960d8e6a0a134ae1dd9c3b7238c4f89ec1e0911a86019c4d01e1ff7b99f68f37d2673dcf19dbd702e54b000f4d26b63a8
+  data.tar.gz: 3e49f2378150f87c043d7807031c84eba9b6bf45f402b486efc7ae45330332df4f3522019740a093e0c90b013d99db68adadd1bc7d4f9e1f47d682e80228a6e6

data/README.md

@@ -1,6 +1,6 @@
 # ConfigureTrustedPublisher
 
-A small CLI to automate the process of configuring a trusted publisher for a gem.
+A small CLI to automate the process of configuring a [trusted publisher](https://guides.rubygems.org/trusted-publishing/) for a gem and [automating gem releases](https://guides.rubygems.org/trusted-publishing/releasing-gems/) with GitHub Actions!.
 
 ## Usage
 
@@ -9,6 +9,7 @@ To configure a trusted publisher for a gem, run the following command:
 ```console
 $ gem exec configure_trusted_publisher rubygem
 Configuring trusted publisher for rubygem0 in /Users/segiddins/Development/github.com/rubygems/configure_trusted_publisher for rubygems/configure_trusted_publisher
+
 Enter your https://rubygems.org credentials.
 Don't have an account yet? Create one at https://rubygems.org/sign_up
 Username/email: : gem-author

data/lib/configure_trusted_publisher/cli.rb

@@ -9,6 +9,7 @@ require "bundler"
 require "json"
 require "open3"
 require "rubygems/gemcutter_utilities"
+require "yaml"
 
 Gem.configuration.verbose = true
 
@@ -153,24 +154,35 @@ module ConfigureTrustedPublisher
         puts "Configuring trusted publisher for #{rubygem_name} in #{File.expand_path(repository)} for " \
              "#{github_repository.join('/')}"
 
+        environment = add_environment
+        write_release_action(repository, rubygem_name, environment:)
+
         gc = GemcutterUtilities.new(
           say: ->(msg) { puts msg },
-          ask: ->(msg) { ask msg.chomp(":") },
-          ask_for_password: ->(msg) { ask_secret msg.chomp(":") },
-          terminate_interaction: ->(msg) { exit msg },
+          ask: lambda { |msg|
+                 puts
+                 ask msg.strip.chomp(":")
+               },
+          ask_for_password: lambda { |msg|
+                              puts
+                              ask_secret msg.strip.chomp(":")
+                            },
+          terminate_interaction: lambda { |msg|
+                                   puts
+                                   exit msg
+                                 },
           otp: options[:otp]
         )
         gc.sign_in(scope: "configure_trusted_publishers") unless gc.api_key
 
-        write_release_action(repository, rubygem_name)
-
         owner, name = github_repository
         config = {
           "trusted_publisher" => {
             "repository_name" => name,
             "repository_owner" => owner,
+            "environment" => environment,
             "workflow_filename" => "push_gem.yml"
-          },
+          }.compact,
           "trusted_publisher_type" => "OIDC::TrustedPublisher::GitHubAction"
         }
 
@@ -235,13 +247,46 @@ module ConfigureTrustedPublisher
         raise "No GitHub repository found for #{gemspec.name}"
       end
 
+      def add_environment
+        puts
+        return unless ask_yes_or_no("Would you like to add a github environment to allow customizing " \
+                                    "prerequisites for the action?")
+
+        env_name = "rubygems.org"
+
+        owner, name = github_repository
+        puts "Adding GitHub environment to #{owner}/#{name} to protect the action"
+        if (env = Open3.capture2e("gh", "api", "repos/#{owner}/#{name}/environments").then do |output, status|
+              exit "Failed to list environments for #{owner}/#{name} using `gh api`:\n#{output}" unless status.success?
+
+              JSON.parse(output)["environments"].find { |e| e["name"] == env_name }
+            end)
+
+          puts
+          puts "Environment 'rubygems.org' already exists for #{owner}/#{name}:\n  #{env['html_url']}"
+        else
+          Open3.capture2e("gh", "api", "--method", "PUT",
+                          "repos/#{owner}/#{name}/environments/#{env_name}").then do |output, status|
+            unless status.success?
+              exit "Failed to create rubygems.org environment for #{owner}/#{name} using `gh api`:\n#{output}"
+            end
+
+            env = JSON.parse(output)
+            puts
+            puts "Created environment 'rubygems.org' for #{owner}/#{name}:\n  #{env['html_url']}"
+          end
+        end
+
+        env_name
+      end
+
       attr_reader :gemspec_source
 
       def gemspec
         gemspec_source.specs.first
       end
 
-      def write_release_action(repository, rubygem_name)
+      def write_release_action(repository, rubygem_name, environment: nil)
         tag = "Automatically when a new tag matching v* is pushed"
         manual = "Manually by running a GitHub Action"
         puts
@@ -252,103 +297,50 @@ module ConfigureTrustedPublisher
           ],
           default: "2"
         )
-        case response
-        when tag
-          write_tag_action(repository)
-        when manual
-          write_manual_action(repository)
-        end
-      end
 
-      def write_tag_action(repository)
         action_file = File.expand_path(".github/workflows/push_gem.yml", repository)
         return unless check_action(action_file)
 
         File.write(
           action_file,
-          <<~YAML
-            name: Push Gem
-
-            on:
-              push:
-                tags:
-                  - v*
-
-            permissions:
-              contents: read
-
-            jobs:
-              push:
-                if: github.repository == '#{github_repository.join('/')}'
-                runs-on: ubuntu-latest
-
-                permissions:
-                  contents: write
-                  id-token: write
-
-                steps:
-                  # Set up
-                  - name: Harden Runner
-                    uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-                    with:
-                      egress-policy: audit
-
-                  - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-                  - name: Set up Ruby
-                    uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
-                    with:
-                      bundler-cache: true
-                      ruby-version: ruby
-
-                  # Release
-                  - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
-          YAML
-        )
-        puts "Created #{action_file}"
-      end
-
-      def write_manual_action(repository)
-        action_file = File.expand_path(".github/workflows/push_gem.yml", repository)
-        return unless check_action(action_file)
-
-        File.write(
-          action_file,
-          <<~YAML
-            name: Push Gem
-
-            on:
-              workflow_dispatch:
-
-            permissions:
-              contents: read
-
-            jobs:
-              push:
-                if: github.repository == '#{github_repository.join('/')}'
-                runs-on: ubuntu-latest
-
-                permissions:
-                  contents: write
-                  id-token: write
-
-                steps:
-                  # Set up
-                  - name: Harden Runner
-                    uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-                    with:
-                      egress-policy: audit
-
-                  - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-                  - name: Set up Ruby
-                    uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
-                    with:
-                      bundler-cache: true
-                      ruby-version: ruby
-
-                  # Release
-                  - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
-          YAML
-
+          [
+            "name: Push Gem",
+            nil,
+            "on:",
+            "  #{response == tag ? "push:\n    tags:\n      - 'v*'" : 'workflow_dispatch:'}",
+            nil,
+            "permissions:",
+            "  contents: read",
+            nil,
+            "jobs:",
+            "  push:",
+            "    if: github.repository == '#{github_repository.join('/')}'",
+            "    runs-on: ubuntu-latest",
+            if environment
+              "\n    environment:\n      name: #{environment}\n      url: https://rubygems.org/gems/#{rubygem_name}\n"
+            end,
+            "    permissions:",
+            "      contents: write",
+            "      id-token: write",
+            nil,
+            "    steps:",
+            "      # Set up",
+            "      - name: Harden Runner",
+            "        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1",
+            "        with:",
+            "          egress-policy: audit",
+            nil,
+            "      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4",
+            "      - name: Set up Ruby",
+            "        uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0",
+            "        with:",
+            "          bundler-cache: true",
+            "          ruby-version: ruby",
+            nil,
+            "      # Release",
+            "      - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1",
+            nil
+          ].join("\n")
         )
         puts "Created #{action_file}"
       end
@@ -357,9 +349,9 @@ module ConfigureTrustedPublisher
         return FileUtils.mkdir_p(File.dirname(action_file)) || true unless File.exist?(action_file)
 
         puts
-        response = ask_multiple_choice(
-          "#{action_file} already exists, overwrite?", { "y" => "Yes", "n" => "No" },
-          default: "n"
+        response = ask_yes_or_no(
+          "#{action_file} already exists, overwrite?",
+          default: false
         )
         return if response == "No"
 

data/lib/configure_trusted_publisher/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ConfigureTrustedPublisher
-  VERSION = "0.1.6"
+  VERSION = "0.1.8"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: configure_trusted_publisher
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.1.8
 platform: ruby
 authors:
 - Samuel Giddins
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-05-08 00:00:00.000000000 Z
+date: 2024-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler