RubyGems - configure_trusted_publisher - Versions diffs - 0.1.6 → 0.1.8 - Mend

configure_trusted_publisher 0.1.6 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/README.md +2 -1
data/lib/configure_trusted_publisher/cli.rb +93 -101
data/lib/configure_trusted_publisher/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 75930e6d2a3b492c60737125a7e4a96abf6f50339722b4d454e2641675c4d094
-  data.tar.gz: 45b86dc2cea3ac44909fe36e93d4cedd98f8ec06abf6e7af4b0dbc33c2050f07
+  metadata.gz: 9618ca80722f42567b997bfc7f392a9c2265bf8bfe504a1a6e2b1fcea797d266
+  data.tar.gz: c64f6c0ec0ddbd143483fc4663826edfafb9c84e6d9a8a82d70c66444ef04347
 SHA512:
-  metadata.gz: abebcafcae7cd008644fa9e61837e4ea2d298f0ca409c827eed3bf3b90146d6498328d0c02a91f65c373317862962d7faec2a3bb1a524198d51b19119e576507
-  data.tar.gz: a2d9ee000971206315bb8bbfea72c583eebcc5f4fe05273567dc4148a920367ccb553079d90a3e821f6700c79e18213dd693de8e584edb7d8441efc28cadd9da
+  metadata.gz: 0a1274ea1f7f908e57801322ecabfe9960d8e6a0a134ae1dd9c3b7238c4f89ec1e0911a86019c4d01e1ff7b99f68f37d2673dcf19dbd702e54b000f4d26b63a8
+  data.tar.gz: 3e49f2378150f87c043d7807031c84eba9b6bf45f402b486efc7ae45330332df4f3522019740a093e0c90b013d99db68adadd1bc7d4f9e1f47d682e80228a6e6

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # ConfigureTrustedPublisher
-A small CLI to automate the process of configuring a trusted publisher for a gem.
+A small CLI to automate the process of configuring a [trusted publisher](https://guides.rubygems.org/trusted-publishing/) for a gem and [automating gem releases](https://guides.rubygems.org/trusted-publishing/releasing-gems/) with GitHub Actions!.
 ## Usage
@@ -9,6 +9,7 @@ To configure a trusted publisher for a gem, run the following command:
 ```console
 $ gem exec configure_trusted_publisher rubygem
 Configuring trusted publisher for rubygem0 in /Users/segiddins/Development/github.com/rubygems/configure_trusted_publisher for rubygems/configure_trusted_publisher
 Enter your https://rubygems.org credentials.
 Don't have an account yet? Create one at https://rubygems.org/sign_up
 Username/email: : gem-author

data/lib/configure_trusted_publisher/cli.rb CHANGED Viewed

@@ -9,6 +9,7 @@ require "bundler"
 require "json"
 require "open3"
 require "rubygems/gemcutter_utilities"
+require "yaml"
 Gem.configuration.verbose = true
@@ -153,24 +154,35 @@ module ConfigureTrustedPublisher
         puts "Configuring trusted publisher for #{rubygem_name} in #{File.expand_path(repository)} for " \
              "#{github_repository.join('/')}"
+        environment = add_environment
+        write_release_action(repository, rubygem_name, environment:)
         gc = GemcutterUtilities.new(
           say: ->(msg) { puts msg },
-          ask: ->(msg) { ask msg.chomp(":") },
-          ask_for_password: ->(msg) { ask_secret msg.chomp(":") },
-          terminate_interaction: ->(msg) { exit msg },
+          ask: lambda { |msg|
+                 puts
+                 ask msg.strip.chomp(":")
+               },
+          ask_for_password: lambda { |msg|
+                              puts
+                              ask_secret msg.strip.chomp(":")
+                            },
+          terminate_interaction: lambda { |msg|
+                                   puts
+                                   exit msg
+                                 },
           otp: options[:otp]
         )
         gc.sign_in(scope: "configure_trusted_publishers") unless gc.api_key
-        write_release_action(repository, rubygem_name)
         owner, name = github_repository
         config = {
           "trusted_publisher" => {
             "repository_name" => name,
             "repository_owner" => owner,
+            "environment" => environment,
             "workflow_filename" => "push_gem.yml"
-          },
+          }.compact,
           "trusted_publisher_type" => "OIDC::TrustedPublisher::GitHubAction"
         }
@@ -235,13 +247,46 @@ module ConfigureTrustedPublisher
         raise "No GitHub repository found for #{gemspec.name}"
       end
+      def add_environment
+        puts
+        return unless ask_yes_or_no("Would you like to add a github environment to allow customizing " \
+                                    "prerequisites for the action?")
+        env_name = "rubygems.org"
+        owner, name = github_repository
+        puts "Adding GitHub environment to #{owner}/#{name} to protect the action"
+        if (env = Open3.capture2e("gh", "api", "repos/#{owner}/#{name}/environments").then do |output, status|
+              exit "Failed to list environments for #{owner}/#{name} using `gh api`:\n#{output}" unless status.success?
+              JSON.parse(output)["environments"].find { |e| e["name"] == env_name }
+            end)
+          puts
+          puts "Environment 'rubygems.org' already exists for #{owner}/#{name}:\n  #{env['html_url']}"
+        else
+          Open3.capture2e("gh", "api", "--method", "PUT",
+                          "repos/#{owner}/#{name}/environments/#{env_name}").then do |output, status|
+            unless status.success?
+              exit "Failed to create rubygems.org environment for #{owner}/#{name} using `gh api`:\n#{output}"
+            end
+            env = JSON.parse(output)
+            puts
+            puts "Created environment 'rubygems.org' for #{owner}/#{name}:\n  #{env['html_url']}"
+          end
+        end
+        env_name
+      end
       attr_reader :gemspec_source
       def gemspec
         gemspec_source.specs.first
       end
-      def write_release_action(repository, rubygem_name)
+      def write_release_action(repository, rubygem_name, environment: nil)
         tag = "Automatically when a new tag matching v* is pushed"
         manual = "Manually by running a GitHub Action"
         puts
@@ -252,103 +297,50 @@ module ConfigureTrustedPublisher
           ],
           default: "2"
         )
-        case response
-        when tag
-          write_tag_action(repository)
-        when manual
-          write_manual_action(repository)
-        end
-      end
-      def write_tag_action(repository)
         action_file = File.expand_path(".github/workflows/push_gem.yml", repository)
         return unless check_action(action_file)
         File.write(
           action_file,
-          <<~YAML
-            name: Push Gem
-            on:
-              push:
-                tags:
-                  - v*
-            permissions:
-              contents: read
-            jobs:
-              push:
-                if: github.repository == '#{github_repository.join('/')}'
-                runs-on: ubuntu-latest
-                permissions:
-                  contents: write
-                  id-token: write
-                steps:
-                  # Set up
-                  - name: Harden Runner
-                    uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-                    with:
-                      egress-policy: audit
-                  - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-                  - name: Set up Ruby
-                    uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
-                    with:
-                      bundler-cache: true
-                      ruby-version: ruby
-                  # Release
-                  - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
-          YAML
-        )
-        puts "Created #{action_file}"
-      end
-      def write_manual_action(repository)
-        action_file = File.expand_path(".github/workflows/push_gem.yml", repository)
-        return unless check_action(action_file)
-        File.write(
-          action_file,
-          <<~YAML
-            name: Push Gem
-            on:
-              workflow_dispatch:
-            permissions:
-              contents: read
-            jobs:
-              push:
-                if: github.repository == '#{github_repository.join('/')}'
-                runs-on: ubuntu-latest
-                permissions:
-                  contents: write
-                  id-token: write
-                steps:
-                  # Set up
-                  - name: Harden Runner
-                    uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-                    with:
-                      egress-policy: audit
-                  - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-                  - name: Set up Ruby
-                    uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
-                    with:
-                      bundler-cache: true
-                      ruby-version: ruby
-                  # Release
-                  - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
-          YAML
+          [
+            "name: Push Gem",
+            nil,
+            "on:",
+            "  #{response == tag ? "push:\n    tags:\n      - 'v*'" : 'workflow_dispatch:'}",
+            nil,
+            "permissions:",
+            "  contents: read",
+            nil,
+            "jobs:",
+            "  push:",
+            "    if: github.repository == '#{github_repository.join('/')}'",
+            "    runs-on: ubuntu-latest",
+            if environment
+              "\n    environment:\n      name: #{environment}\n      url: https://rubygems.org/gems/#{rubygem_name}\n"
+            end,
+            "    permissions:",
+            "      contents: write",
+            "      id-token: write",
+            nil,
+            "    steps:",
+            "      # Set up",
+            "      - name: Harden Runner",
+            "        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1",
+            "        with:",
+            "          egress-policy: audit",
+            nil,
+            "      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4",
+            "      - name: Set up Ruby",
+            "        uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0",
+            "        with:",
+            "          bundler-cache: true",
+            "          ruby-version: ruby",
+            nil,
+            "      # Release",
+            "      - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1",
+            nil
+          ].join("\n")
         )
         puts "Created #{action_file}"
       end
@@ -357,9 +349,9 @@ module ConfigureTrustedPublisher
         return FileUtils.mkdir_p(File.dirname(action_file)) || true unless File.exist?(action_file)
         puts
-        response = ask_multiple_choice(
-          "#{action_file} already exists, overwrite?", { "y" => "Yes", "n" => "No" },
-          default: "n"
+        response = ask_yes_or_no(
+          "#{action_file} already exists, overwrite?",
+          default: false
         )
         return if response == "No"

data/lib/configure_trusted_publisher/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module ConfigureTrustedPublisher
-  VERSION = "0.1.6"
+  VERSION = "0.1.8"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: configure_trusted_publisher
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.1.8
 platform: ruby
 authors:
 - Samuel Giddins
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-05-08 00:00:00.000000000 Z
+date: 2024-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler